T1567 Exfiltration Over Web Service
T1114 Email Collection
The activity involved user katharine@letsdefend.io on the internal mail server (IP address 172.16.20.3). The mailbox attempted to forward an email to an external address katharine.isabell@yandex.ru.
The alert SOC136 Data Leak via Mailbox Forwarding Detected triggered when an email containing sensitive information was detected attempting to be forwarded externally. The email included credential pairs such as root, john, bill, and admin with associated passwords, which indicates potential credential leakage. The forwarding attempt targeted an external Yandex email address, which is outside the organization.
Mar 07 2021 05:31 PM
Source Address katharine@letsdefend.io
Destination Address katharine.isabell@yandex.ru
Mail server SMTP address 172.16.20.3
The alert triggered due to detection of sensitive credential information being forwarded externally via email. The mail security control successfully blocked the transmission, preventing potential data exfiltration. No additional suspicious activity was observed on Katharine’s endpoint, suggesting the event may have been accidental or part of testing. However, since credentials were involved and the action attempted to send them outside the organization, the activity is classified as a true positive and should be escalated to confirm with the user whether the forwarding was intentional and to ensure credentials are rotated if necessary.