Managed Sentinel – Alert 208
| Alert ID | MS-A208 |
| Alert Name | Internal hosts using POP3 or IMAP email clients |
| Description | This alert identifies internal hosts using IMAP/POP3 email accounts. Users should not be allowed to use unsanctioned email clients. |
| Severity Level | Low |
| Threat Indicator | Improper Usage |
| MITRE ATT&CK Tactics | Exfiltration, Command and Control |
| Log sources | Firewalls |
| False Positive | Personal managed devices used in the corporate network |
| Recommendations | 1. Block this specific application at the perimeter firewall (applicable to NGFW). 2. Notify the user about improper use of technologies, based on the organization's AUP standard. 3. Perform an AV/AM scan of the user's machine (applicable to corporate managed systems). |
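
The detection described above, sketched over firewall logs as an added example (not Managed Sentinel's own rule logic). The key=value log format, the RFC 1918 internal ranges, the sanctioned-server list and the sample lines are all constructed assumptions; the ports are the standard POP3/IMAP assignments.

```python
import ipaddress

# Standard mail-retrieval ports: POP3, IMAP, IMAPS, POP3S.
MAIL_PORTS = {110: "POP3", 143: "IMAP", 993: "IMAPS", 995: "POP3S"}
# Assumption: internal address space is RFC 1918 only.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: sanctioned mail servers that internal clients may reach.
SANCTIONED_SERVERS = {"203.0.113.25"}

# Constructed sample firewall log lines (format is an assumption).
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z action=allow src=10.1.4.22 dst=198.51.100.7 dport=993
2024-05-01T09:00:05Z action=allow src=10.1.4.22 dst=198.51.100.7 dport=993
2024-05-01T09:01:10Z action=allow src=10.1.7.80 dst=203.0.113.25 dport=143
2024-05-01T09:02:30Z action=deny src=10.1.9.13 dst=198.51.100.44 dport=110
2024-05-01T09:03:00Z action=allow src=10.1.4.22 dst=192.0.2.10 dport=443
2024-05-01T09:04:12Z action=allow src=198.51.100.9 dst=10.1.0.5 dport=995
2024-05-01T09:05:00Z malformed line without fields
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return (action, src, dst, dport), or None if the line is unusable."""
    fields = dict(t.split("=", 1) for t in line.split()[1:] if "=" in t)
    try:
        return (fields["action"], ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]), int(fields["dport"]))
    except (KeyError, ValueError):
        return None

def detect(log_text):
    """Return {internal_src: {(dst, protocol): allowed_connection_count}}."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action, src, dst, dport = rec
        # Only allowed, outbound mail-retrieval sessions to unsanctioned servers.
        if (action == "allow" and dport in MAIL_PORTS and is_internal(src)
                and not is_internal(dst) and str(dst) not in SANCTIONED_SERVERS):
            key = (str(dst), MAIL_PORTS[dport])
            per_host = hits.setdefault(str(src), {})
            per_host[key] = per_host.get(key, 0) + 1
    return hits

if __name__ == "__main__":
    print(detect(SAMPLE_LOGS))
```

Denied sessions are left out here because the firewall already blocked them; counting them separately would show hosts that keep retrying after recommendation 1 is applied.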
