Update o365_email_send_attachments_excessive_volume.yml

nterl0k · web-flow · commit 67adb9448516 · 2025-01-31T19:57:12.000-05:00
diff --git a/detections/cloud/o365_email_send_attachments_excessive_volume.yml b/detections/cloud/o365_email_send_attachments_excessive_volume.yml
@@ -4,7 +4,7 @@ version: 1
 date: '2025-01-20'
 author: Steven Dick
 type: Anomaly
-description: The following analytic identifies when an O365 email account sends an excessive number of email attachments to external recipients within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to exfiltrate data from the mailbox. Threat actors may attempt to transfer data through email as a simple means of exfiltration from the compromised mailbox. --- Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors.
+description: The following analytic identifies when an O365 email account sends an excessive number of email attachments to external recipients within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to exfiltrate data from the mailbox. Threat actors may attempt to transfer data through email as a simple means of exfiltration from the compromised mailbox. Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors.
 data_source: 
 - Office 365 Universal Audit Log
 search: |-
