Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised future returns, such as lottery scams, inheritance payouts, and investment opportunities. This rule identifies messages from Freemail domains or suspicious TLDS, including those with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect AFF language in their contents.

Read More

This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.

Read More

Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender.

Read More

Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains.

Read More

This rule is designed to identify and mitigate a specific type of fraudulent activity commonly targeted at educational institutions. This rule operates by analyzing incoming email content for certain characteristics indicative of a scam involving the offer of a free piano, often framed within the context of downsizing or a giveaway.

Read More

This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender.

Read More

Detects inbound messages from senders using Vanguard-like display names or domains, excluding legitimate Vanguard domains and authenticated communications. Additional checks ensure the sender is not from trusted organizational domains or high-trust sender domains with proper authentication.

Read More

The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website.

Read More

The detection rule matches on message groups which make use of Google Drive as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or redirect to a common website.

Read More

This ASR rule detects the use of secure SharePoint links which require recipient verifcation before allowing access to the shared file. This has been observed as a method of evading automated analysis of the shared files' content.

Read More

DocSend shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.

Read More

The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name.

Read More

DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.

Read More

This rule detects Dropbox share notifications which contain a reply-to address or domain that has not been previously observed sending messages to or receiving messages from the recipient organization.

Read More

This Attack Surface Reduction (ASR) rule matches on Dropbox notifications with recently registered reply-to domains.

Read More

Identifies messages appearing to come from Google Drive sharing notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Google services while attempting to establish unauthorized communication channels.

Read More

This Attack Surface Reduction (ASR) rule matches on QuickBooks notifications with recently registered reply-to domains.

Read More

DocuSign shares with new reply-to addresses have been seen in recent attacks.

Read More

Detects messages from a mismatched newly registered Reply-to domain that contain a financial or urgent request, or a request and an NLU tag with medium to high confidence, from an untrusted sender. This technique is typically observed in Vendor impersonation.

Read More

This rule detect potential credential phishing leveraging SharePoint file sharing to deliver a PDF, OneNote, or Unknown file type file using indicators such as suspicious sender analysis and link characteristics.

Read More

Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.

Read More

Detects phishing attempts disguised as e-signature requests, characterized by common document sharing phrases, unusual HTML padding, and suspicious link text.

Read More

This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve. The rule looks for voicemail verbiage in the display name, body, subject or a combination of those elements with emojis or a medium to high credential theft NLU Intent from first-time + unsolicited sender.

Read More

Impersonation of Stripe, usually for credential theft.

Read More

Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.

Read More

Attached HTML file contains JavaScript code with suspicious identifiers like 'atob' or 'decrypt', as well as the recipient's email address embedded within the JavaScript

Read More

Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains.

Read More

Impersonation of PayPal.

Read More

Detects low reputation links with Microsoft specific indicators in the body.

Read More

Impersonation of United Parcel Service (UPS).

Read More

The detection rule matches on message groups which make use of Microsoft Forms as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, URL shorteners or when visited are phishing pages, lead to a captcha or redirect to a top website.

Read More

This detection rule matches on messages which contain suspicious language within the comments of a Google share notification. Suspicious content within the comments section of the notification is deemed as email abbreviations such as FW:, FWD:, and RE: or by containing words that reference a file share.

Read More

This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender.

Read More

Detects messages from senders posing as the Internal Revenue Service by checking display name similarity and content indicators from body text and screenshots. Excludes legitimate IRS domains and authenticated senders.

Read More

This rule flags messages with QR codes in attachments when there are three or fewer attachments. If no attachments are present, the rule captures a screenshot of the message for analysis. Additional triggers include: sender's name containing the recipient's SLD, recipient's email mentioned in the body, an empty message body, a suspicious subject, or undisclosed recipients.

Read More

Identifies messages containing CloudHQ share links from senders outside the CloudHQ domain who are impersonating DocuSign in either the subject line or display name.

Read More

Impersonation of the expense management provider Navan.

Read More

RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations. These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss, or data leakage.

Read More

This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number.

Read More

Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents.

Read More

Detects HTML files under 100KB that contain duplicate or padding text in the form of literary quotes or common sayings within HTML comments.

Read More

Message contains use of the whitefox.pl open redirect. This has been exploited in the wild.

Read More

Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from an untrusted sender.

Read More

Impersonation of the Quickbooks service from Intuit.

Read More

Detects inbound messages containing exactly one Squarespace tracking link but lacking authentic Squarespace email headers and sender patterns.

Read More

A fraudulent invoice/receipt found in the body of the message sent by exploiting Canva's design sharing feature.

Read More

HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address.

Read More

Detects messages impersonating TikTok through similar display names or logo detection, combined with security-themed content and authentication failures. Excludes legitimate TikTok communications and trusted senders.

Read More

Inbound message containing subject line and attachments related to handbook, compensation, or policy updates. Attachments are limited to Microsoft Word documents and match similar update-related terminology. This pattern has been observed used to delivery credential phishing via QR codes.

Read More

Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.

Read More

Attack impersonating a DocuSign request for signature.

Read More

Detects HTML files in EML attachments from unsolicited senders.

Reduces attack surface against HTML smuggling.

Read More

A fraudulent invoice/receipt found in a pdf attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

Detects when an image or macro attachment contains QR codes that, when scanned, lead to URLs containing the recipient's email address. This tactic is used to uniquely track or target specific recipients and serve tailored credential phishing pages.

Read More

Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Read More

This rule analyzes image attachments for QR Codes that contain URLs including the recipient's email address. It ensures that the URLs do not link to any organizational domains. Additionally, it examines the email body using Natural Language Processing to detect credential phishing language.In cases of null bodies, the rule is conditioned to check the image for any suspicious terms.

Read More

Message contains use of the mindmixer.com redirect. This has been exploited in the wild for phishing.

Read More

Detects messages appearing to come from Intuit domains with authentication failures while masquerading as DocuSign communications. The sender fails either SPF or DMARC verification, and includes DocuSign branding in either the subject line or display name.

Read More

This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.

Read More

Detects a Windows library file (.library-ms) containing a network path, either as a direct attachment or within an archive. This file type can be used to cause Windows to send NTLM hash to malicious network locations.

Read More

Detects when a message comes through a distribution list by matching on return paths containing Sender Rewrite Scheme (SRS) from a previously unknown domain sender to a single recipient who has never interacted with the organization. This method has been observed being abused by threat actors to deliver callback phishing.

Read More

Message contains use of the smore.com redirect. This has been exploited in the wild for phishing.

Read More

Message contains use of the cm.labcluster.com/go.aspx redirect. This has been exploited in the wild for phishing.

Read More

Message contains use of the tkqlhce.com redirect. This has been exploited in the wild for phishing.

Read More

This rule detects the use of Cartoon Network's Denmark domain as an open redirect.

Read More

Message contains use of the Bitrix24 redirect. This has been exploited in the wild for phishing.

Read More

Message contains use of the adnxs.com redirect with getuid parameter. This has been exploited in phishing campaigns to redirect users to malicious sites.

Read More

Detects inbound messages that impersonate SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources.

Read More

Message contains use of the weblinkconnect.com open redirect, but the sender is not weblinkconnect.com. This has been exploited in the wild.

Read More

Message contains use of the agena-smile.com redirect with wptouch_switch parameter. This has been exploited in the wild for phishing.

Read More

Message contains use of the eaoko.org redirect. This has been exploited in the wild.

Read More

Detects messages impersonating Chrome Web Store policy communications, including fake extension security alerts and policy acceptance requests. Messages using observed domains and specific HTML formatting patterns typical of this impersonation.

Read More

Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: LinkAnalysis credential phishing conclusion, decoded QR code url traverses suspicious infrastructure, the final destination is in URLhaus, decoded URL downloads a zip or executable, leverages URL shorteners, known QR abused openredirects, and more.

Read More

Detects messages containing amaterasu-for-website-5.com redirect links that use the url parameter to redirect users to malicious sites. This has been observed in phishing campaigns.

Read More

Detects messages containing buildingengines.com redirect links that use the _redirectTo parameter to redirect users to malicious sites. This has been observed in phishing campaigns.

Read More

Detects messages containing Obunsha's passnavi redirect service that can be exploited to redirect users to malicious sites. This has been used in phishing campaigns.

Read More

Message contains use of the Samsung open redirect, but the sender is not Samsung.

Read More

Detects links that contain a Shibboleth SSO logout endpoint with a return parameter, which could be used for open redirect attacks. The rule checks for both direct path inclusion and URL-encoded versions in query parameters. Only triggers on senders with non-common prevalence.

Read More

Message contains use of the shoppermeet.net redirect. This has been exploited in the wild for phishing.

Read More

This rule identifies messages that contain duplicate PDF attachments, defined as either having identical filenames or matching MD5 hash values. Furthermore, the PDF files in question must lack any readable text and must not include hyperlinks.

Read More

Callback phishing campaigns have been observed abusing Intuit Quickbooks services to send fraudulent invoices with callback phishing contents.

Read More

Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)

Read More

Message contains use of the retailrocket.net open redirect. This has been exploited in the wild.

Read More

A fraudulent invoice/receipt found in an image attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

Detects when a sender links to a Sharepoint file where the subdomain significantly differs from the sender's domain. The rule checks for OneNote, PDF, or unknown file types and includes various domain validation checks.

Read More

Detects messages containing links that utilize a referrer anonymization service. The rule examines senders who are either not in a trusted domain list or have failed DMARC authentication despite being from a trusted domain.

Read More

Impersonation of the shipping provider FedEx.

Read More

Detects messages claiming to be from WeTransfer that contain suspicious indicators, including misspelled domains, non-standard TLDs, suspicious file reference numbers, and French language variations. Excludes legitimate WeTransfer traffic with valid DMARC authentication.

Read More

This rule inspects messages originating from legitimate Adobe Sign infrastructure, with content matching Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.

Read More

Message detects fake Gmail attachments by inspecting the body of a message for elements found within Gmail's user interface for attachment. In expected use, these elements only appears within the gmail WebUI and not within the body of message. The presence of this within message indicates a fake attachment.

Read More

Impersonation of LinkedIn.

Read More

Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576.

Read More

This rule identifies subjects containing long strings of nonsensical or procedurally generated characters, which are often used in phishing or spam campaigns for campaign tracking and identification, as well as to bypass detection filters.

Read More

Detects job scam attempts by analyzing the message body text from an unsolicited sender.

Read More

Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes.

Read More

This rule detects Google Drive links that use the direct download URL pattern which automatically downloads files when clicked. This pattern is frequently used by threat actors to distribute malware.

The links are formatted like: drive.google.com/uc?id=FILE_ID&export=download

These links skip the preview page and immediately download the file to the user's device, which can be dangerous for recipients. Threat actors exploit this pattern to directly distribute malware while appearing to share legitimate content from a trusted service.

Read More

A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.

Recursively explodes auto-downloaded files within archives to detect these file types.

This rule also catches direct Google Drive download links (drive.google.com/uc?export=download) that automatically download archive files, as these are frequently abused by threat actors to distribute malware.

This technique has been used by known threat actors in the wild.

Read More

Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance, compensation, or awards from mismatched senders and other suspicious language.

Read More

This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request.

Read More

Identifies messages that resemble credential theft, originating from Salesforce. Salesforce infrastrcture abuse has been observed recently to send phishing attacks.

Read More

Detects incoming messages containing EML attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs.

Read More

Detects messages with SharePoint reply headers that lack standard reply characteristics and contain inconsistencies in thread elements and recipient patterns

Read More

This detection rule matches on QuickBooks notifications that feature company names impersonating Intuit and QuickBooks.

Read More

This has been observed in the delivery of emails containing account/membership expiration lure themes of popular online services or delivery notifications.

Read More

Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.

Read More

A fraudulent invoice/receipt found in the body of the message sent by exploiting Paypal's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

Impersonation of Twitter.

Read More

Identifies inbound messages from Recruitee domains containing recruitment-related topics and application links, where the sender has limited prior history. The URLs in these messages either point to recently registered domains or appear as standalone links with application-focused text.

Read More

This rule flags emails that reference invoices or payments but have suspicious characteristics: attachments are either missing or only images. It also checks for misleading links disguised as attachments and the presence of invoice-related keywords. The rule looks for potential credential theft or unusual requests, making it a strong indicator of phishing attempts.

Read More

The detection rule matches on message groups which make use of Adobe's frame.io as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or redirect to a well-known domain, seen in evasion tactics.

Read More

Identifies messages leveraging Unicode block characters (between U+2580 - U+259F) arranged on consecutive lines to create QR codes. The rule inspects both the overall quantity and specific formatting of these characters, while considering the sender's historical behavior and reputation.

Read More

A fraudulent invoice/receipt found in the body of the message. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

Impersonation of the cryptocurrency exchange Binance.

Read More

Detects inbound messages containing links where the sender impersonates MetaMask through display name manipulation and includes the MetaMask logo or suspicious language, while not being from legitimate MetaMask domains. The rule checks for credential theft patterns and validates sender authentication.

Read More

This rule detects Cross-Site Scripting (XSS) attempts within email subjects. It bypasses messages from highly trusted domains unless they fail authentication. However, the rule remains flexible, triggering even for trusted domains when emails are sent from Google Groups, ensuring thorough protection against potential threats while minimizing false positives.

Read More

Message contains use of the convertcart.com redirect. This has been exploited in the wild.

Read More

Detects messages with unusually long local address parts (before the @) from senders outside trusted domains and without verified authentication.

Read More

Callback phishing campaigns have been observed abusing Zelle services to send fraudulent payment requests with callback phishing contents.

Read More

Message contains various suspicious indicators as well as engaging language resembling credential theft from an unknown sender.

Read More

Detects phishing attempts that impersonate the Social Security Administration, using a single PDF attachment containing specific fraud-related language and a callback number.

Read More

This rule identifies incoming SVG vector graphics files containing specific patterns: circle elements combined with either embedded images, QR codes, or filenames that match recipient information. Limited to three attachments and validates sender authenticity. SVG circle elements have been used to obfuscate QR codes and bypass automated QR code scanning methods.

Read More

Detects inbound messages that contain image or document attachments with QR codes containing embedded usernames, passwords, or excessively padded URLs. This technique is used to bypass traditional text-based detection methods.

Read More

Detects inbound messages containing links where the sender impersonates Trust Wallet through display name manipulation and suspicious language, while not being from legitimate Trust Wallet domains. The rule checks for credential theft patterns and validates sender authentication.

Read More

Recursively identifies attachments that attempt to conceal their true file extension by using Braille Pattern Blank characters

Read More

This rule detects messages impersonating a Sharepoint file sharing email where no links point to known Microsoft domains.

Read More

Impersonating Wise Financial, an online banking platform.

Read More

Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo or verbage within an image or PDF attachment, from an untrusted sender.

Read More

This detection rule identifies inbound messages containing Capital One branding indicators in display names, sender addresses, message content, or embedded logos, while excluding legitimate Capital One domains and authenticated communications from known trusted senders.

Read More

Impersonation of Charles Schwab & Co

Read More

This rule looks for password expiration verbiage in the subject and body. Requiring between 1 - 9 links, a short body, and NLU in addition to statically specified term anchors. High trust senders are also negated.

Read More

Message contains use of the vconfex.com redirect. This has been exploited in the wild.

Read More

Message contains use of the listing.ca redirect. This has been exploited in the wild.

Read More

Impersonation of the shipping provider DHL.

Read More

Email contains Twitter shortened link (t.co) but does not originate from a Twitter domain. This is a known malicious and spam tactic.

Read More

Message contains use of the museepicassoparis.fr open redirect. This has been exploited in the wild.

Read More

Message contains use of the radiopublic.com redirect. This has been exploited in the wild.

Read More

Message contains use of the api.spently.com redirect. This has been exploited in the wild.

Read More

Message contains use of the astroarts.co.jp redirect. This has been exploited in the wild.

Read More

Message contains use of the ijf.org redirect. This has been exploited in the wild.

Read More

Message contains use of the mail.spiceworks.com redirect. This has been exploited in the wild.

Read More

Message contains use of the embluemail.com redirect. This has been exploited in the wild.

Read More

Message contains use of the magiccity.ne.jp redirect. This has been exploited in the wild.

Read More

Message contains use of the bubblelife.com redirect. This has been exploited in the wild.

Read More

Message contains use of the magic4media.com open redirect. This has been exploited in the wild.

Read More

Message contains use of the smartadserver.com redirect. This has been exploited in the wild.

Read More

Message contains use of the unitedwaynwvt.org open redirect. This has been exploited in the wild.

Read More

Impersonation of Hulu.

Read More

Detects HTML table elements that mimick DocuSign templates linking to non-DocuSign destinations. The rule negates high trusted sender domains and legitimate replies.

Read More

Message contains a suspicious Office 365 app authorization (OAuth) link. The app may be compromised or was stood up for malicious purposes. Once the app has been authorized, the attacker will have read or write permissions to the user's Office 365 account.

Read More

This rule identifies sender display names containing long strings of nonsensical or procedurally generated characters, which are often used in phishing or spam campaigns for campaign tracking and identification, as well as to bypass detection filters.

Read More

Message contains use of the sciencebuddies.org open redirect. This has been exploited in the wild.

Read More

Message contains use of the ssg-financial.com open redirect. This has been exploited in the wild.

Read More

Message contains use of the social.bigpress.net open redirect. This has been exploited in the wild.

Read More

Message contains use of the shoppingwebapi.didatravel.com open redirect. This has been exploited in the wild.

Read More

Detects messages with HTML attachments containing multiple 'const' declarations while excluding legitimate Gmail messages. This is evidence of potential code injection or obfuscation techniques.

Read More

This rule detects DocuSign logos within PDF's that do not link to reputable domains, nor docusign themselves. This is typically indicative of Credential Phishing.

Read More

Detects sextortion attempts leveraging breach data, including names, addresses, phone numbers and frequently using Google Maps/Bing Maps streetview images to bolster confidence and fear.

Read More

This rule detects messages impersonating Microsoft's OneDrive service with medium to high credential theft language in the current thread. The subject is inspected for one drive language, with additional checks for free_subdomain hosted links, additional suspicious subject language or suspicious display text language.

Read More

This rule detects supplier impersonation by checking for: similar linked domains to the sender, non-freemail senders using freemail infrastructure, sender domains less than 90 days old, unsolicited communication or no prior interaction with the reply-to address, and a suspicious body.

Read More

Detects messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication.

Read More

Detects inbound messages from likely compromised WordPress sites that exhibit indicators of cross-site scripting (XSS) attempts. The rule identifies potential script injection patterns within message bodies and/or subjects containing multiple suspicious JavaScript-related keywords or indicators.

Read More

Message contains use of the plasticsurgery.or.kr open redirect. This has been exploited in the wild.

Read More

Message contains use of the k-mil.net open redirect. This has been exploited in the wild.

Read More

Message contains use of the predictiveresponse.net open redirect. This has been exploited in the wild.

Read More

This detection rule matches on the impersonation of the file sharing site ShareFile. Threat actors have been observed abusing this brand to deliver messages with links to crediential phishing pages.

Read More

Identifies messages from authenticated Google domains containing g.co shortened URLs with a subdomain in either the message body links or thread text.

Read More

Impersonation of Netflix.

Read More

Message contains use of the designsori.com open redirect. This has been exploited in the wild.

Read More

Message contains use of the qrxtech.com open redirect. This has been exploited in the wild.

Read More

Message contains use of the eduyield redirect which chains google amp. This has been exploited in the wild.

Read More

Impersonation of the Canadian energy company Enbridge.

Read More

The detection rule is intended to match on messages sent from DropBox indicating a shared file to the recipient which contains suspicious content within the document or sender display name.

Read More

The detection rule is intended to match on emails sent from SharePoint indicating a shared file to the recipient that contain suspicious content within the document name. The Link display text is leveraged to identify the name of the shared file.

Read More

Identifies instances where a malicious actor leverages an excessively padded username within the userinfo portion of the URL to hide the true destination in preview windows.

Read More

Detects suspicious Google Groups invitations containing inappropriate content or suspicious patterns. The rule looks for invites from non-organizational domains that contain random alphanumeric strings, explicit keywords, or suspicious call-to-action phrases in the group names or descriptions.

Read More

Detects suspicious Looker Studio Reports which containing inappropriate content or suspicious patterns. The rule looks for reports from non-organizational domains that contain emojis or explicit keywords within the report.

Read More

Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages of compromised sites.

Read More

Message contains use of a redirect chain which involves YouTube and Google amp. This has been exploited in the wild.

Read More

Message contains use of a redirect chain which involves Meta and YouTube. This has been exploited in the wild.

Read More

Impersonation of Wells Fargo Bank.

Read More

A file sharing link in the body sent from a suspicious sender domain.

Read More

Email contains a Constant Contact (mass mailing platform) tracking link but does not originate from Constant Contact sending infrastructure. The rs6.net domain has been abused by threat actors to attempt credential phishing.

Read More

Impersonation of the Microsoft brand.

Read More

The default Microsoft Exchange Online sender domain, onmicrosoft.com, is commonly used to send unwanted and malicious email. Enable this rule in your environment if receiving email from the onmicrosoft.com domain is unexpected behaviour.

Read More

Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages.

Read More

Callback phishing campaigns have been observed abusing Zoho Invoice services to send fraudulent invoices with callback phishing contents.

Read More

This rule detects messages that leverage a link to notifications.google.com not from google and from an untrusted sender. Commonly abused in salesforce phishing campaigns.

Read More

This rule examines messages containing image attachments that utilize Google's open redirect (google[.]com/url...). To enhance accuracy and minimize false positives, the rule conducts additional assessments for suspicious indicators, as indicated in the comments.

Read More

Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility. This is typically used in conjunction with a reply-to address that is not the same as the sender address.

Read More

Message contains pretexting language about sharing photos ("found these photos and thought you'd like them", "remember these photos?") and a link with a newly registered domain. Fake threads and plain text bodies have been seen in the wild, indicating active evasion techniques.

Read More

A Google Drive sharing notification containing a reply-to address from a recently registered domain (less than 30 days old). The reply-to domain does not match any organizational domains.

Read More

Impersonation of the broadcasting corporation SiriusXM.

Read More

This detection rule matches on observed html templates impersonating multiple popular brands used to deliver spam. Often the lure leverages a theme of item giveaways or a chance to win an item for completing a survey.

Read More

Attackers have been observed abusing Microsoft's services, with suspicious indicators such as default Microsoft 365 domains (onmicrosoft.com), non-Microsoft return paths, or Resent-From headers.

Read More

Detects when non-Xfinity senders abuse Xfinity's CMP redirection service to reach Google AMP pages. The rule specifically looks for targetURL parameters containing Google AMP paths in links from untrusted or previously malicious senders.

Read More

Attack impersonating hardware cryptocurrency wallet ledger.com's brand.

Read More

Message contains use of the nowlifestyle.com open redirect. This has been exploited in the wild.

Read More

Message contains use of the xfinity.com open redirect. This has been exploited in the wild.

Read More

This rule inspects messages originating from legitimate DocuSign infrastructure, with a DocuSign logo that match Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.

Read More

Message contains use of the easycamp.com open redirect. This has been exploited in the wild.

Read More

This rule identifies messages where links use typosquatting or lookalike domains similar to the sender domain, with at least one domain being either unregistered or recently registered (≤90 days). The messages must also contain indicators of business email compromise (BEC), credential theft, or abusive language patterns like financial terms or polite phrasing such as kindly. This layered approach targets phishing attempts combining domain deception with manipulative content

Read More

A fraudulent payment request found in the body of the message sent by exploiting Venmo's platform. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.

Read More

Hardbacon is a defunct Canadian budgeting app. Attackers have been observed using their marketing platform to send credential phishing messages.

Read More

This rule detects unsolicited messages containing a mix of Cyrillic and Latin characters in the subject or sender's name while excluding emails from Russian domains and specific Google Calendar notification bounce emails.

Read More

This detection rule identifies messages that have traversed multiple distinct onmicrosoft.com tenants. This technique has been observed as an evasion tactic to distribute a single message across a list of targeted recipients.

Read More

This Attack Surface Reduction (ASR) rule matches on DocSend notifications with recently registered reply-to domains.

Read More

Office file OLE relationship link is a credential page, or contains credential phishing language.

Read More

This rule identifies attachments containing file scheme links pointing to executable file types, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software.

Read More

Detects extortion and sextortion attempts by analyzing attachment text from an untrusted sender.

Read More

Detects emails containing links to Google Document Presentations that either have a single page with a single external link, have been removed for Terms of Service violations, or have been deleted.

Read More

This detection rule matches QuickBooks notifications that contain suspicious keywords within the comments section of the notification

Read More

The detection rule matches on message groups which make use of Adobe Express as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website.

Read More

Impersonation of the United States Postal Service.

Read More

This rule is designed to identify impersonation attempts by analyzing the display name or sender's local part for the solitary use of "X" provided the email doesn't originate from twitter.com or x.com. Natural Language Understanding (NLU) is used to check for credential theft requiring a medium-to-high confidence level for flagging.

Read More

This rule detects messages impersonating employees, from unsolicited senders attempting to reroute payroll or alter payment details.

Read More

Sender is using a display name that matches the display name of someone in your $org_vips list.

Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.

Read More

Message contains a suspicious Recipients pattern, a link that uses a free subdomain provider, and has credential theft language on the linked page.

Read More

Impersonation of a Microsoft Teams message.

Read More

The detection rule is designed to identify messages sent from HelloSign that notify recipients about a shared file and contain suspicious content either in the document or the sender's display name.

Read More

The detection rule matches messages sent from Adobe and contain indicators of malicious use. The indicators include observed call to action phrases, suspicious filenames, all capital filenames, the sender's display name (as determined by NLU) included in the comment section, or Microsoft branding on the shared link.

Read More

Detects inbound messages containing HTML attachments with an unusually high number of emojis in a list, sent from untrusted or suspicious senders who lack an established sending history or have previous malicious behavior.

Read More

Detects messages containing links or QR codes pointing to typedrawers.com/home/leaving with target parameter, sent from non-trusted domains or authenticated sources failing DMARC checks. Considers sender reputation and requires either unsolicited contact or prior malicious activity without false positives.

Read More

Attached OLE file (typically a Microsoft Office document) is malformed, possibly to evade traditional scanners and filters.

Read More

Impersonation of KnowBe4.

Read More

Email is from a suspicious sender and contains a request for financial information, such as AR reports.

Read More

Message contains credential theft language and a link to a credential phishing page from an unknown sender. We use Link Analysis in aggressive mode to increase our chances of scanning.

Read More

Detects calendar (.ics) files that do not follow RFC standards by lacking required UID identifiers while containing specific calendar components (VTODO, VJOURNAL, VFREEBUSY, or VEVENT). Forged ICS calendar invites can be spoofed to seemingly originate from any sender.

Read More

This attacker group engages in fraudulent activity by registering lookalike domains through Namecheap, often mimicking well-known brands by appending terms like LLC, LTD, Inc, or Corp. Their tactics involve sending fraudulent quote requests via Namecheap's private email service, followed by attempts to purchase goods on credit. These goods are routed through freight forwarders, typically bound for Western Africa. With increasing scrutiny on cash transactions to high-risk regions, they have shifted focus to acquiring goods. It is crucial to thoroughly validate any flagged messages and verify credit information before releasing products to these entities.

Read More

Detects inbound emails where the sender domain is less than 10 days old from untrusted senders.

Read More

This rule identifies potential impersonation attempts involving the local part of an $org_vip email address. Specifically, it checks for cases where the local part of an $org_vip email (e.g., local_part@domain.com) appears with a different domain (e.g., local_part@foreigndomain.com). Additionally, the rule flags messages that match an $org_vip address exactly but fail authentication.

Read More

A QR code in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.

Recursively explodes auto-downloaded files within archives to detect these file types.

Read More