<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Check Point Harmony Email &amp; Collaboration - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/check-point-harmony-email--collaboration/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 18:29:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/check-point-harmony-email--collaboration/feed.xml" rel="self" type="application/rss+xml"/><item><title>Elastic Defend and Email Alerts Correlation</title><link>https://feed.craftedsignal.io/briefs/2024-01-elastic-defend-email-correlation/</link><pubDate>Wed, 03 Jan 2024 18:29:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-elastic-defend-email-correlation/</guid><description>This rule correlates Elastic Defend alerts with email security alerts by target username, potentially indicating a successful phishing attack and subsequent endpoint compromise.</description><content:encoded><![CDATA[<p>This Elastic detection rule, released on April 10, 2026, aims to identify potentially successful phishing attacks by correlating alerts from Elastic Defend (endpoint) and Check Point Harmony Email &amp; Collaboration (email security). The rule focuses on identifying instances where the same target username is present in both endpoint and email-related alerts, suggesting that a user who received a malicious email may have also triggered an endpoint security alert due to the email's payload or a subsequent action. This correlation helps security teams prioritize investigations by highlighting users who are potentially compromised and require immediate attention. The rule uses a 45-minute interval, searching for alerts within the last hour. This approach provides a streamlined method for pinpointing potential phishing campaign successes that bypass initial email security measures.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A threat actor sends a spearphishing email to a target user containing a malicious attachment or link.</li>
<li>The email bypasses initial email security controls (e.g., Check Point Harmony Email &amp; Collaboration) and is delivered to the user's inbox.</li>
<li>The user opens the malicious attachment or clicks the link, initiating the download or execution of malware on the endpoint.</li>
<li>The malware executes, leading to suspicious behavior on the endpoint, such as unauthorized process creation or file modifications.</li>
<li>Elastic Defend detects the suspicious endpoint activity and generates an alert, including the affected user's username.</li>
<li>The Elastic detection rule identifies both an email alert and an Elastic Defend alert associated with the same target username.</li>
<li>The detection rule triggers an alert, indicating a potential successful phishing attack and endpoint compromise.</li>
<li>Security analysts investigate the correlated alerts to determine the scope of the compromise and initiate remediation actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to malware infection, data exfiltration, or ransomware deployment. The impact can range from a single compromised endpoint to a broader network breach, depending on the attacker's objectives and the organization's security posture. Correlating endpoint and email alerts reduces the time to detection and response, limiting the potential damage. Failure to detect these correlated events can result in significant financial losses, reputational damage, and operational disruption. The rule assigns a risk score of 73, indicating a high level of concern.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided ESQL rule to your Elastic environment and tune the <code>from</code> and <code>interval</code> parameters for your environment.</li>
<li>Enable Elastic Defend and Check Point Harmony Email &amp; Collaboration integrations to ingest relevant logs (Data Source: Elastic Defend, Data Source: Check Point Harmony Email &amp; Collaboration).</li>
<li>Investigate alerts generated by this rule by reviewing the alert details, related emails, and endpoint activity to identify the source and scope of the potential compromise (note section).</li>
<li>Configure automated response actions to isolate affected hosts and initiate incident response workflows when this rule triggers (note section).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>threat-detection</category><category>phishing</category><category>endpoint</category><category>email</category></item></channel></rss>