Detects calendar (.ics) files that do not follow RFC standards by lacking required UID identifiers while containing specific calendar components (VTODO, VJOURNAL, VFREEBUSY, or VEVENT). Forged ICS calendar invites can be spoofed to seemingly originate from any sender.

Read More

Message contains pretexting language about sharing photos ("found these photos and thought you'd like them", "remember these photos?") and a link with a newly registered domain. Fake threads and plain text bodies have been seen in the wild, indicating active evasion techniques.

Read More

This attacker group engages in fraudulent activity by registering lookalike domains through Namecheap, often mimicking well-known brands by appending terms like LLC, LTD, Inc, or Corp. Their tactics involve sending fraudulent quote requests via Namecheap's private email service, followed by attempts to purchase goods on credit. These goods are routed through freight forwarders, typically bound for Western Africa. With increasing scrutiny on cash transactions to high-risk regions, they have shifted focus to acquiring goods. It is crucial to thoroughly validate any flagged messages and verify credit information before releasing products to these entities.

Read More

Detects phishing attempts disguised as e-signature requests, characterized by common document sharing phrases, unusual HTML padding, and suspicious link text.

Read More

Impersonation of the Quickbooks service from Intuit.

Read More

Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender.

Read More

Detects inbound emails where the sender domain is less than 10 days old from untrusted senders.

Read More

This rule identifies potential impersonation attempts involving the local part of an $org_vip email address. Specifically, it checks for cases where the local part of an $org_vip email (e.g., local_part@domain.com) appears with a different domain (e.g., local_part@foreigndomain.com). Additionally, the rule flags messages that match an $org_vip address exactly but fail authentication.

Read More

A QR code in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.

Recursively explodes auto-downloaded files within archives to detect these file types.

Read More

A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.

Recursively explodes auto-downloaded files within archives to detect these file types.

This technique has been used by known threat actors in the wild.

Read More

Attached EML contains suspicious indicators, such as a missing sender email or short HTML body.

Read More

This rule inspects messages originating from legitimate e-signature platform infrastructure, with engaging language in the body that matches HR Impersonation criteria.

Read More

Impersonation of Netflix.

Read More

Impersonation of the Mailgun Email delivery platform.

Read More

Detects potential Business Email Compromise (BEC) attacks by searching for common French BEC language within the email body from first-time senders.

Read More

Email body is suspicious, and links to a Microsoft Dynamics form. Known phishing tactic.

Read More

Email is from a suspicious sender and contains a request for financial information, such as AR reports.

Read More

Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.

Read More

Message contains use of a slubnaglowie.pl redirect. This redirection has been abused by threat actors in the wild.

Read More

Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo or verbage within an image or PDF attachment, from an untrusted sender.

Read More

This Attack Surface Reduction (ASR) rule matches on Dropbox notifications with recently registered reply-to domains.

Read More

The detection rule matches messages sent from Adobe and contain indicators of malicious use. The indicators include observed call to action phrases, suspicious filenames, all capital filenames, the sender's display name (as determined by NLU) included in the comment section, or Microsoft branding on the shared link.

Read More

Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.

Read More

Impersonation of Meta or Meta's subsidiary Facebook.

Read More

Callback phishing campaigns have been observed abusing Intuit Quickbooks services to send fraudulent invoices with callback phishing contents.

Read More

The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name.

Read More

Impersonation of Dropbox, a file sharing service.

Read More

Impersonation of the United States Postal Service.

Read More

This detection rule matches on messages which contain suspicious language within the comments of a Google share notification. Suspicious content within the comments section of the notification is deemed as email abbreviations such as FW:, FWD:, and RE: or by containing words that reference a file share.

Read More

Identifies EML attachments that use credential theft language from unknown senders.

Read More

This rule detects messages impersonating a Sharepoint file sharing email where no links point to known Microsoft domains.

Read More

This rule examines messages containing image attachments that utilize Google's open redirect (google[.]com/url...). To enhance accuracy and minimize false positives, the rule conducts additional assessments for suspicious indicators, as indicated in the comments.

Read More

Sender's display name contains an Active Directory distinguished name or a similar string. This has been observed as a malicious indicator in the wild.

Read More

This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender.

Read More

Attackers have been observed using myshopify.com links to bypass domain reputation checks.

Read More

This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve. The rule looks for voicemail verbiage in the display name, body, subject or a combination of those elements with emojis or a medium to high credential theft NLU Intent from first-time + unsolicited sender.

Read More

DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.

Read More

This detection rule matches on messages containing at least one link to forms.zohopublic.com from an unsolicited sender. Zoho provides a free plan enabling users to create custom websites and file hosting. This service has been abused by threat actors to host landing pages via forms directing victims to a next stage of credential phishing.

Read More

The detection rule matches on message groups which make use of Adobe's frame.io as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or redirect to a well-known domain, seen in evasion tactics.

Read More

Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains.

Read More

The detection rule matches on message groups which make use of Adobe Express as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website.

Read More

A fraudulent invoice/receipt found in the body of the message sent by leveraging Payoneer's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

Impersonation of Hulu.

Read More

Detects callback scams by analyzing text within images of receipts or invoices from untrusted senders.

Read More

Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised future returns, such as lottery scams, inheritance payouts, and investment opportunities. This rule identifies messages from Freemail domains or suspicious TLDS, including those with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect AFF language in their contents.

Read More

A fraudulent invoice/receipt found in the body of the message sent by exploiting Paypal's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

A fraudulent invoice/receipt found in an image attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

Office file OLE relationship link is a credential page, or contains credential phishing language.

Read More

Message contains use of the giving.lluh.org redirect. This redirection has been abused by threat actors in the wild.

Read More

Message contains use of a marketing.edinburghairport.com redirect. This redirection has been abused by threat actors in the wild.

Read More

Message contains use of a next.io redirect. This redirection has been abused by threat actors in the wild.

Read More

Message contains use of a people.anuneo.com redirect. This redirection has been abused by threat actors in the wild.

Read More

Impersonation of the Financial Industry Regulatory Authority (FINRA)

Read More

Impersonation of Stripe, usually for credential theft.

Read More

Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Read More

RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations. These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss, or data leakage.

Read More

Message and attachment resemble an email from a scan-to-email service or device with credential theft language.

Read More

Impersonation of the broadcasting corporation SiriusXM.

Read More

This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request.

Read More

Doubleclick.net link in a document leveraging an open redirect from a new or outlier sender.

Read More

Detects low reputation links with Microsoft specific indicators in the body.

Read More

This attack surface reduction rule matches on messages from Adobe which were sent by an email address (as determined by the sender display name) which doesn't appear to have a relationship with the recipient organization.

Read More

The detection rule matches on message groups which make use of Google Drive as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or redirect to a common website.

Read More

Attach text file is less than 1000 bytes and contains a recipients email address. Seen in the wild carrying credential phishing links.

Read More

Impersonation of the shipping provider FedEx.

Read More

This rule flags emails that reference invoices or payments but have suspicious characteristics: attachments are either missing or only images. It also checks for misleading links disguised as attachments and the presence of invoice-related keywords. The rule looks for potential credential theft or unusual requests, making it a strong indicator of phishing attempts.

Read More

Detects HTML files in EML attachments from unsolicited senders.

Reduces attack surface against HTML smuggling.

Read More

This rule inspects messages originating from legitimate DocuSign infrastructure, with a DocuSign logo that match Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.

Read More

This rule flags messages with QR codes in attachments when there are three or fewer attachments. If no attachments are present, the rule captures a screenshot of the message for analysis. Additional triggers include: sender's name containing the recipient's SLD, recipient's email mentioned in the body, an empty message body, a suspicious subject, or undisclosed recipients.

Read More

Body contains language resembling credential theft, and a "secure message" from an untrusted sender.

Read More

Detects emails containing links to Google Document Presentations that either have a single page with a single external link, have been removed for Terms of Service violations, or have been deleted.

Read More

This rule detects messages that leverage a link to notifications.google.com not from google and from an untrusted sender. Commonly abused in salesforce phishing campaigns.

Read More

The recipient domain's SLD is used in the sender's display name in order to impersonate the organization.

Read More

Detects extortion and sextortion attempts by analyzing attachment text from an untrusted sender.

Read More

This detection rule matches on the impersonation of the file sharing site ShareFile. Threat actors have been observed abusing this brand to deliver messages with links to crediential phishing pages.

Read More

Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.

Read More

Message contains use of the weblinkconnect.com open redirect, but the sender is not weblinkconnect.com. This has been exploited in the wild.

Read More

Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites.

Read More

Detects sextortion attempts leveraging breach data, including names, addresses, phone numbers and frequently using Google Maps/Bing Maps streetview images to bolster confidence and fear.

Read More

Impersonation of the petroleum and natural gas company Saudi Aramco.

Read More

Attackers invite users to view a Google Calendar whose name contains a suspicious link, generally linking to spam content such as crypto giveaways, using open redirects to mask the true destination.

Read More

Attached PDF is encrypted, and email body contains credential theft language. Seen in-the-wild impersonating e-fax services.

Read More

Message contains use of a LinkedIn Redirect. The redirect contains a 3 second delay before redirecting the browser. This redirection has been abused by threat actors in the wild.

Read More

Impersonation of Microsoft Planner, a component of the Microsoft 365 software suite.

Read More

Impersonation of PayPal.

Read More

Scans files to detect Norton (Lifelock|360|Security) impersonation.

Read More

Message contains use of the storematch.jp open redirect. This has been exploited in the wild.

Read More

Message contains use of the fenc.com open redirect. This has been exploited in the wild.

Read More

Message contains use of the Club-OS open redirect. This has been exploited in the wild.

Read More

Message contains use of the stats.lib.pdx.edu open redirect. This has been exploited in the wild.

Read More

Message contains use of the magneticmarketing.com open redirect. This has been exploited in the wild.

Read More

Message contains use of the ringaraja.net open redirect. This has been exploited in the wild.

Read More

This rule detects messages impersonating employees, from unsolicited senders attempting to reroute payroll or alter payment details.

Read More

Mailer is atypical of sends from Gmail infrastructure. Observed sending callback phishing and general spam.

Read More

Email contains a ClickFunnels (mass mailing platform) tracking link but does not originate from ClickFunnels sending infrastructure. The myclickfunnels.com domain has been abused by threat actors to attempt credential phishing.

Read More

Fake email thread shows a VIP requesting a donation to a charity, usually addressed to Accounts Payable departments. Can result in monetary loss.

Read More

Message contains use of the Dell open redirect, but the sender is not Dell.

Read More

This rule detects phishing emails that attempt to engage the recipient by soliciting a callback under the guise of student loan forgiveness or assistance. The messages often come from free email providers, lack a proper HTML structure, and include suspicious indicators such as phone numbers embedded in the text. These emails typically contain language urging the recipient to respond or take immediate action, leveraging urgency around student loan repayment to entice engagement.

Read More

This detection rule matches on messaging containing at least one link to app.jensi.io from an unsolicited sender. Jensi provides a free trail enabling users to create upload documents and preview PDFs within the browser as native HTML. This services has been abused by threat actors to host landing pages directing victims to a next stage of credential phishing.

Read More

Message contains use of the PIRL San Diego open redirect. This has been exploited in the wild.

Read More

This detection rule matches on messages containing one or more Decoy PDF attachments with metadata discovered to have been assoicated with malicious email campaigns featuring CrowdStrike, DocuSign, Human Resource and password expiration lures.

Read More

The detection rule matches on message groups which make use of Microsoft Forms as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website.

Read More

DocuSign shares with new reply-to addresses have been seen in recent attacks.

Read More

This rule looks for password expiration verbiage in the subject and body. Requiring between 1 - 9 links, a short body, and NLU in addition to statically specified term anchors. High trust senders are also negated.

Read More

Impersonating Wise Financial, an online banking platform.

Read More

Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

All recipients are bcc'd or undisclosed, with no links or attachments, and a short body and subject from an unknown sender.

Read More

Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

There's a large number of recipients that are unknown to the organization, no links or attachments, and a short body and subject from an unknown sender.

Read More

This rule captures credential phishing attempts abusing the Zoho Sign template. The rule looks for artifacts of the Hijacked Zoho link and other template constructs.

Read More

Impersonation of the shipping provider DHL.

Read More

This has been observed in the delivery of emails containing account/membership expiration lure themes of popular online services or delivery notifications.

Read More

Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo embedded in the body of the message, from a new sender.

Read More

Detection Rule matches on messages which contain a link to a sharepoint shared folder containing a single file which is either a .url file, the filename is all caps, or includes call to action wording. These messages must not be sent from sharepoint and are either not solicited or from a new or outlier sender.

Read More

Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.

Read More

Email contains an Adobe logo, at least one link, and suspicious link language from a new sender.

Read More

This rule detects messages containing links to lookerstudio with a non standard lookerstudio template from a new and unsolicited sender.

Read More

Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages.

Read More

Recursively scans archives to detect disallowed file types. File extensions can be detected within password-protected archives.

Attackers often embed malicious files within archives to bypass email gateway controls.

Read More

Impersonation of the Canadian energy company Enbridge.

Read More

Message contains use of the events.csiro.au redirect. This has been exploited in the wild.

Read More

Message contains use of the Phoenix Art Studio redirect. This has been exploited in the wild.

Read More

This detection rule matches on messaging containing at least one link to webflow.io from an unsolicited sender. Webflow.io provides a free plan enabling users to create custom websites and file hosting. This services has been abused by threat actors to host landing pages directing victims to a next stage of credential phishing.

Read More

Message contains use of the eodcnetworkdirect.com redirect. This has been exploited in the wild.

Read More

Impersonation of Wells Fargo Bank.

Read More

This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.

Read More

Impersonation of the Canadian interbanking network Interac. Seen in the wild impersonating carbon tax rebates and tax return refunds.

Read More

Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.

Read More

Detects messages from a mismatched newly registered Reply-to domain that contain a financial or urgent request, or a request and an NLU tag with medium to high confidence, from an untrusted sender. This technique is typically observed in Vendor impersonation.

Read More

HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address.

Read More

Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.

Read More

This rule inspects messages where the subject is suspicious with less than 5 links and a relatively short body. Natural Language Understanding is being used to identify the inclusion of a financial, request, urgency and org entity from an unsolicited sender.

Read More

This rule detects unsolicited messages with between 1-9 links containing a suspicious subject as well as Cyrillic vowel substitutions detected in either the subject or the senders display name.

Read More

Identifies messages that resemble credential theft, originating from Salesforce. Salesforce infrastrcture abuse has been observed recently to send phishing attacks.

Read More

This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender.

Read More

Impersonation of the credit card provider American Express.

Read More

Message contains use of the Signature Travel Network open redirect, but the sender is not Signature Travel Network. This has been exploited in the wild.

Read More

Attack impersonating DocSend.

Read More

Detects emails containing links using Indeed '/r?target=xxxxxx' open redirect where the email has not come from indeed.com

Read More

Message contains use of the pmifunds.com redirect. This has been exploited in the wild.

Read More

Message contains use of the secondstreetapp.com redirect. This has been exploited in the wild.

Read More

Message contains use of calgary.ca's open redirect but the sender is not the City of Calgary.

Read More

Message contains use of the Newegg open redirect, but the sender is not Newegg. This has been exploited in the wild.

Read More

Message contains use of the Artisteer open redirect, but the sender is not Artisteer. This has been exploited in the wild.

Read More

Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility. This is typically used in conjunction with a reply-to address that is not the same as the sender address.

Read More

Message contains use of an open redirect on TikTok. This has been exploited in the wild.

Read More

The detection rule is intended to match on emails sent from SharePoint indicating a shared file to the recipient that contain suspicious content within the document name. The Link display text is leveraged to identify the name of the shared file.

Read More

Message contains use of the emlakarsa open redirect. This has been exploited in the wild.

Read More

Message contains use of the eduyield redirect which chains google amp. This has been exploited in the wild.

Read More

Attack impersonating a DocuSign request for signature.

Read More

Attackers have been observed abusing Microsoft's services, with suspicious indicators such as default Microsoft 365 domains (onmicrosoft.com), non-Microsoft return paths, or Resent-From headers.

Read More

The default Microsoft Exchange Online sender domain, onmicrosoft.com, is commonly used to send unwanted and malicious email. Enable this rule in your environment if receiving email from the onmicrosoft.com domain is unexpected behaviour.

Read More

This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number.

Read More

Recursively scans files and archives to detect HTML smuggling techniques using Javascript atob functions.

Read More

Impersonation of Github.

Read More

Campaigns have been observed sending templated Stripe notification emails with the call-to-action button link replaced, clicking through to a malicious credential phishing page.

Read More

Message contains use of the IndiaTimes open redirect. This has been exploited in the wild.

Read More

Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with medium or high confidence.

Read More

Detects generic BEC/Fraud scams by analyzing text within the email body from mismatched senders with other suspicious indicators.

Read More

Detects messages with undisclosed recipients (likely all bcc), where the Compauth verdict is not 'pass', and ML has identified suspicious language or credential phishing links.

Read More

Attached HTML file contains excessive string concatenation, a recipient's email address, and an indicator of HTML smuggling. This pattern has been seen in the wild in an attempt to obfuscate the file's contents.

Read More

Message contains use of an open redirect on artkaderne.dk. This has been exploited in the wild.

Read More

Message contains use of the bestdeals.today open redirect. This has been exploited in the wild.

Read More

Message contains use of the chkc.com.hk open redirect. This has been exploited in the wild.

Read More

Message contains use of the documentmailbox.com open redirect. This has been exploited in the wild.

Read More

Message contains use of the ExacTag open redirect. This has been exploited in the wild.

Read More

Message contains use of the g7.fr open redirect. This has been exploited in the wild.

Read More

Message contains use of the isadatalab.com open redirect. This has been exploited in the wild.

Read More

Message contains use of the LearningApps open redirect. This has been exploited in the wild.

Read More

Message contains use of the Medium open redirect. This has been exploited in the wild.

Read More

Message contains use of the PremierBet open redirect. This has been exploited in the wild.

Read More

Message contains use of the ust.hk open redirect. This has been exploited in the wild.

Read More

The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website.

Read More

Message detects fake Gmail attachments by inspecting the body of a message for elements found within Gmail's user interface for attachment. In expected use, these elements only appears within the gmail WebUI and not within the body of message. The presence of this within message indicates a fake attachment.

Read More

Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)

Read More

Message is from a commonly abused sender TLD, contains various suspicious indicators resembling credential theft, and is unsolicited.

Read More

Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from an untrusted sender.

Read More

Impersonation of the online food ordering and food delivery platform, DoorDash

Read More

Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Read More

Detects spam emails where the 'To' and 'CC' fields match, using indicators such as short body length with spam keywords, unsolicited content, dmarc failures, fake threads, and suspicious links.

Read More

Fake thread contains suspicious indicators, which can lead to BEC, credential phishing, and other undesirable outcomes.

Read More

A fraudulent invoice/receipt found in the body of the message. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

Impersonation of the video conferencing provider Zoom. This "strict" version of this rule will only flag when the sender's display name matches those used by Zoom exactly.

Read More

This rule identifies messages that contain duplicate PDF attachments, defined as either having identical filenames or matching MD5 hash values. Furthermore, the PDF files in question must lack any readable text and must not include hyperlinks.

Read More

This rule detects RTF attachments directly attached or within an archive, containing an external link to a suspicious low reputation domain.

Read More

Impersonation of Twitter

Read More

This rule detects legitimate Google Drive shares that link to files on Google Drive that host credential phishing content.

The file is usually a PDF that impersonates a legitimate brand, with credential theft language, and a button or link to an external site that steals login credentials.

Read More

Message contains various suspicious indicators as well as engaging language resembling credential theft from an unknown sender.

Read More

A fraudulent invoice/receipt found in a pdf attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

This rule is intended to detect fake threads that are impersonating a VIP. It looks for a matching $org_vips display name and checks the email address following it does not match what is in the $org_vips list.

Read More

Message contains credential theft language and a link to a credential phishing page from an unknown sender. We use Link Analysis in aggressive mode to increase our chances of scanning.

Read More

Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: LinkAnalysis credential phishing conclusion, decoded QR code url traverses suspicious infrastructure, the final destination is in URLhaus, decoded URL downloads a zip or executable, leverages URL shorteners, known QR abused openredirects, and more.

Read More

Callback Phishing via text-based file attachment, with a large number of recipients that are unknown to the organization, and a short body and subject from an unknown sender.

Read More

Possible attempt to impersonate Sublime Security executives.

Read More

This rule detect potential credential phishing leveraging SharePoint file sharing to deliver a PDF or OneNote file using indicators such as suspicious sender analysis and link characteristics.

Read More

This rule detects credential phishing attempts in emails traversing Russian TLDs by aggressively analyzing links for signs of phishing, including suspicious keywords, login prompts, or links flagged for credential theft, excluding emails from trusted domains unless they fail DMARC verification.

Read More

Message (or attached message) contains an image impersonating an Outlook attachment button.

Read More

Detects email messages that contain (anonymous|smtp)fox in the sender email address, X-Authenticated-Sender or X-Sender fields. This is indicative of messages sourced from an AnonymousFox compromised website.

Read More

Impersonation of United Parcel Service (UPS).

Read More

This rule detects the use of Cartoon Network's Denmark domain as an open redirect.

Read More

Doubleclick.net link leveraging a nested doubleclick.net open redirect from a new or outlier sender. The unusual behavior of nesting a doubleclick URL inside another doubleclick link warrants increasing the severity of this rule.

Read More

Sender is using a display name that matches the display name of someone in your organization.

Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.

Read More

Email contains a Constant Contact (mass mailing platform) tracking link but does not originate from Constant Contact sending infrastructure. The rs6.net domain has been abused by threat actors to attempt credential phishing.

Read More

Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576.

Read More

This matches on inbound Shared File notiifcation emails from Microsoft, where any link to SharePoint contains a default GoDaddy Federated Tenant Name. These have been observed being frequently abused to send credential phishing campaigns.

Read More

This rule detects spam emails impersonating FedEx, UPS, or USPS with links to free file hosting.

Read More

This rule detects unsolicited messages containing a mix of Cyrillic and Latin characters in the subject or sender's name while excluding emails from Russian domains and specific Google Calendar notification bounce emails.

Read More

Message contains use of the VK open redirect, but the sender is not VK. This has been exploited in the wild.

Read More

Impersonation of Chase Bank and related services to harvest credentials or related information such as dates of birth, phone numbers, social security numbers, ATM pin numbers, drivers license numbers, selfies, and ID card photos.

Read More

Impersonation of LinkedIn.

Read More

This ASR rule detects the use of secure SharePoint links which require recipient verifcation before allowing access to the shared file. This has been observed as a method of evading automated analysis of the shared files' content.

Read More

Doubleclick.net link leveraging an open redirect from a new or outlier sender.

Read More

Impersonation of Barracuda Networks, an IT security company.

Read More

This rule identifies HTML attachments which contain multiple references to JavaScript functions that support making HTTP requests. This has been observed in phishing campaigns to load remote payloads into otherwise benign HTML attachments.

Read More

This rule detects URL paths which contain the recipient SLD multiple times. This has been observed in multiple credential phishing campaigns with MFA enrollment themed lures.

Read More

Impersonation of the Microsoft brand.

Read More

Attack impersonating hardware cryptocurrency wallet ledger.com's brand.

Read More

Detects messages with undisclosed recipients, containing links to free subdomain hosts

Read More

Message containing suspicious quarantine release language in the body, and a Microsoft logo attachment but did not come from Microsoft.

Read More

Message with an image attachment containing credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.

Read More

Detects job scam attempts by analyzing the message body text from an unsolicited sender.

Read More

Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from first-time senders.

Read More

This rule identifies HTML attachments which begin directly with a hidden body element. This has been observed in phishing campaigns to hide the content of an otherwise benign HTML attachment that then has remote content injected into the body.

Read More

This rule detects messages impersonating Microsoft's OneDrive service with medium to high credential theft language in the current thread. The subject is inspected for one drive language, with additional checks for free_subdomain hosted links, additional suspicious subject language or suspicious display text language.

Read More

Impersonation of Bank of America, usually for credential theft.

Read More

Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance from mismatched senders and other suspicious language.

Read More

Detects messages using DocuSign image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Read More

Sender subject contains the display name of a user in the $org_vips list, and the sender has never been seen before.

The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list

This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting any message that matches the protected list of display names from a first-time or unsolicited sender.

Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.

Read More

Message resembles an email from a scan-to-email service or device, but does not contain any attachments, instead linking to an unknown domain.

Read More

The message originates from an onmicrosoft.com email address being sent via Sendgrid.

Read More

Sender's domain is a lookalike of one of your organization's domains and is untrusted.

Read More

Email contains Twitter shortened link (t.co) but does not originate from a Twitter domain. This is a known malicious and spam tactic.

Read More

This message detects BEC/Fraud lures attempting to solicit the victim to pivot out of band via a freemail address in the body.

Read More

Impersonation of Outlook.com. Senders with "outlook.com" in the subdomain have been observed sending fake account notifications.

Read More