Detection.FYI
  • Link: Personal SharePoint with invalid recipients and credential theft language

    Jan 23, 2026

    Detects messages with undisclosed or invalid recipients containing a single link to a personal SharePoint domain (with '-my' pattern) and high-confidence credential theft language in a short message body.

  • Brand impersonation: File sharing notification with template artifacts

    Jan 23, 2026

    Detects messages impersonating file sharing services that contain template artifacts such as placeholder comments, incomplete HTML elements, and development remnants. The message includes 'shared with you' language and exhibits multiple indicators of being generated from a malicious template, including HTML comments with development terms, broken anchor tags, and filename elements that closely match the subject line.

  • Link: Tycoon2FA phishing kit (non-exhaustive)

    Jan 23, 2026

    Detects links utilizing the Tycoon2FA phishing kit, identified by specific DOM structure patterns and CDN characteristics, combined with suspicious domain indicators such as free subdomain hosts or suspicious TLDs. As the Tycoon2FA kit is evolving, this rule will not detect all variants of Tycoon2FA phishing, and is designed to complement existing and future detections.

  • Service abuse: Adobe legitimate domain with document approval language

    Jan 23, 2026 · Attack surface reduction

    Detects messages from Adobe's legitimate email domain containing suspicious language about document or payment approval that may indicate service abuse.

  • Extortion / sextortion (untrusted sender)

    Jan 22, 2026

    Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.

  • Link: Suspicious URL with recipient targeting and special characters

    Jan 22, 2026

    Detects messages containing links with special characters in the path that include the recipient's email address in either the URL path or fragment, potentially encoded in base64. The URLs have a simple path structure and may end with suspicious patterns.

  • BEC/Fraud: Romance scam

    Jan 22, 2026

    This rule detects messages attempting to initiate a romance scam. The rule leverages tells such as undisclosed recipients, freemail addresses in the body and common scam phrasing. Romance scams are deceptive schemes where scammers establish false romantic intentions towards individuals to gain their trust and eventually exploit them financially.

  • Fake voicemail notification (untrusted sender)

    Jan 22, 2026

    This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve. The rule looks for voicemail verbiage in the display name, body, subject or a combination of those elements with emojis, or a medium to high credential theft NLU intent, from a first-time, unsolicited sender.

  • Service abuse: Microsoft Power BI callback scam

    Jan 22, 2026

    Detects callback scam content sent from the legitimate Microsoft Power BI service email address, indicating potential service abuse to distribute fraudulent callback solicitations.

  • Brand impersonation: Dropbox

    Jan 22, 2026

    Impersonation of Dropbox, a file sharing service.

  • Callback phishing in body or attachment (untrusted sender)

    Jan 22, 2026

    Detects callback scams by analyzing text within images of receipts or invoices from untrusted senders.

  • Callback phishing via calendar invite

    Jan 22, 2026

    Detects calendar invites containing callback phishing language in the DESCRIPTION of the invite.

  • Brand impersonation: AuthentiSign

    Jan 21, 2026

    Detects messages impersonating AuthentiSign through display name, domain, subject, or body content that originate from non-AuthentiSign or spoofed domains.

  • Attachment: PDF with recipient email in link

    Jan 21, 2026

    Detects PDF attachments that contain the recipient's domain in the filename and include a single link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code.

  • Attachment: Password-protected PDF with fake document indicators

    Jan 21, 2026

    Detects PDF attachments that are password protected and match YARA signatures looking for specific content observed in previous activity.

  • Brand impersonation: Blockchain[.]com

    Jan 21, 2026

    Impersonation of Blockchain[.]com, usually for credential theft.

  • Attachment: QR code with recipient targeting and special characters

    Jan 21, 2026

    Detects messages with a QR code in attachments containing special characters in the path that include the recipient's email address in either the URL path or fragment, potentially encoded in base64. The URLs have a simple path structure and may end with suspicious patterns.

  • Attachment: Invoice and W-9 PDFs with suspicious creators

    Jan 21, 2026

    Detects messages containing two PDF attachments where one has invoice-related naming patterns and another contains W-9 tax form indicators, with at least one PDF generated by Chrome or wkhtmltopdf tools, commonly used in business email compromise attacks targeting financial processes.

  • Link: Display text with excessive right-to-left mark characters

    Jan 21, 2026

    Detects links where the display text contains a high concentration of Unicode right-to-left mark characters (U+200F), which may be used to obfuscate or manipulate the visual representation of the link text to deceive recipients.

  • Link: Self-sent message with quarterly document review request

    Jan 21, 2026

    Detects messages sent from a user to themselves containing a link with quarterly indicators (q1_, q2_, q3_, q4_) and specific document review language requesting urgent feedback.

  • Job scam with specific salary pattern

    Jan 21, 2026

    Detects job scam content that includes specific weekly salary mentions (e.g., '$XXX weekly' patterns) in either the current email thread or previous thread conversations, while excluding legitimate income verification services.

  • Brand impersonation: Fake Fax

    Jan 21, 2026

    Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.

  • Link: Excessive URL rewrite encoders

    Jan 21, 2026 · Attack surface reduction

    Detects URLs with many (excessive) encoding patterns, including multiple instances of the same encoder or four or more distinct encoders. These techniques are commonly used to obfuscate malicious URLs and evade security filters.

  • Brand impersonation: USPS

    Jan 20, 2026

    Impersonation of the United States Postal Service.

  • Impersonation: Internal corporate services

    Jan 20, 2026

    Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains.

  • Link: Breely link masquerading as PDF

    Jan 16, 2026

    Detects messages containing a single Breely link that displays as a PDF file. Typically, the link redirects to a different destination for malicious purposes.

  • Brand impersonation: Xodo Sign

    Jan 16, 2026

    Detects messages impersonating Xodo Sign with 'Processed by Xodo Sign' text from unauthorized senders that fail DMARC authentication.

  • Service abuse: GetAccept callback scam content

    Jan 16, 2026

    Detects callback scam language in messages sent through legitimate GetAccept infrastructure, indicating potential abuse of the service for fraudulent solicitation.

  • BEC: Employee impersonation with subject manipulation

    Jan 16, 2026

    Subject matches the display name of someone in your organization, and the body resembles a BEC attack.

  • Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern

    Jan 15, 2026

    RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations. These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss or data leakage.

  • Brand impersonation: Quickbooks

    Jan 15, 2026

    Impersonation of the Quickbooks service from Intuit.

  • Spam: Commonly observed formatting of unauthorized free giveaways

    Jan 14, 2026

    Detects commonly observed formatting of unauthorized giveaways, free tools, and products by multiple different brands.

  • Link: Common hidden directory observed

    Jan 13, 2026 · Attack surface reduction

    Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages on compromised sites.

  • Subject: Suspicious bracketed reference

    Jan 12, 2026

    Detects messages with subject lines containing bracketed patterns that follow a specific format with repeated characters, numeric sequences, and structured tracking identifiers commonly used in malicious automated messaging systems.

  • Brand impersonation: SendGrid

    Jan 12, 2026

    Detects inbound messages that impersonate Twilio/SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources.

  • Vendor impersonation: Thread hijacking with typosquat domain

    Jan 12, 2026

    Detects potential thread hijacking where the sender uses a domain similar to known senders, exhibits BEC behavior, and shows signs of compromised thread continuity through domain spoofing or thread manipulation.

  • Attachment soliciting user to enable macros

    Jan 12, 2026

    Recursively scans files and archives to detect documents that ask the user to enable macros, including if that text appears within an embedded image.

  • Attachment with auto-executing macro (unsolicited)

    Jan 12, 2026

    Attachment from an unsolicited sender contains a macro that will auto-execute when the file is opened.

    Macros are a common phishing technique used to deploy malware.

  • Attachment with auto-opening VBA macro (unsolicited)

    Jan 12, 2026

    Recursively scans files and archives to detect embedded VBA files that execute automatically when the document is opened.

  • Attachment with high risk VBA macro (unsolicited)

    Jan 12, 2026

    Potentially malicious attachment containing a VBA macro. Oletools categorizes the macro risk as 'high'.

  • Attachment with macro calling executable

    Jan 12, 2026

    Recursively scans files and archives to detect embedded VBA files with an encoded hex string referencing an exe.

    This may be an attempt to heavily obfuscate execution through a Microsoft Office document.

  • Attachment with VBA macros from employee impersonation (unsolicited)

    Jan 12, 2026

    Attachment contains a VBA macro from a sender your organization has never sent an email to.

    Sender is using a display name that matches the display name of someone in your organization.

    VBA macros are a common phishing technique used to deploy malware.

  • Attachment: .csproj with suspicious commands

    Jan 12, 2026 · Suspicious attachment

    Attached .csproj file contains suspicious commands.

  • Attachment: 7z Archive Containing RAR File

    Jan 12, 2026 · Attack surface reduction

    Detects 7z archive attachments that contain RAR files, which may be used to evade detection by nesting compressed file formats.

  • Attachment: Any HTML file within archive (unsolicited)

    Jan 12, 2026 · Attack surface reduction

    Recursively scans archives to detect HTML files from unsolicited senders.

    HTML files can be used for HTML smuggling and embedded in archives to evade detection.

  • Attachment: Archive containing disallowed file type

    Jan 12, 2026 · Attack surface reduction

    Recursively scans archives to detect disallowed file types. File extensions can be detected within password-protected archives.

    Attackers often embed malicious files within archives to bypass email gateway controls.

  • Attachment: Archive with pdf, txt and wsf files

    Jan 12, 2026 · Malfam: QakBot

    Detects a known Qakbot delivery method: a zip file containing pdf, txt and wsf files at a depth of 1.

  • Attachment: Calendar file with invisible Unicode characters

    Jan 12, 2026

    Detects calendar (.ics) attachments containing suspicious invisible Unicode characters, which may be used to hide malicious content or bypass security filters. The rule triggers on messages with calendar-related keywords in the subject or body.

  • Attachment: Callback phishing solicitation via image file

    Jan 12, 2026

    A fraudulent invoice/receipt found in an image attachment. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from financial theft and Remote Access Trojan (RAT) installation to ransomware deployment.

  • Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability

    Jan 12, 2026 · CVE-2021-40444

    Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444.

    On September 7, 2021, Microsoft released details about a zero-day RCE vulnerability in MSHTML that affects Microsoft Windows.

    According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."

  • Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability

    Jan 12, 2026

    Attachment contains an RTF file with a font table defining an excessive number of fonts, used to exploit CVE-2023-21716.

  • Attachment: DocuSign impersonation via PDF linking to new domain

    Jan 12, 2026

    This rule detects PDF files containing a DocuSign logo linking to a newly created domain (3 days old or less).

  • Attachment: Embedded Javascript in SVG file

    Jan 12, 2026

    Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.

  • Attachment: Embedded VBScript in MHT file (unsolicited)

    Jan 12, 2026

    MHT files can be used to run VBScript, which can run malicious code.

  • Attachment: EML containing a base64 encoded script

    Jan 12, 2026

    Attached EML contains a base64 encoded script in the message body.

  • Attachment: EML file contains HTML attachment with login portal indicators

    Jan 12, 2026

    Attached EML file contains an HTML attachment with suspicious login indicators. Known credential theft technique.

  • Attachment: EML with Encrypted ZIP

    Jan 12, 2026 · Attack surface reduction

    Detects when an EML file is attached that contains an encrypted ZIP file. The encryption can be used to bypass security scanning and deliver malicious content.

  • Attachment: EML with suspicious indicators

    Jan 12, 2026

    Attached EML contains suspicious indicators, such as a missing sender email or short HTML body.

  • Attachment: Encrypted Microsoft Office file (unsolicited)

    Jan 12, 2026 · Attack surface reduction

    Encrypted OLE2 (e.g. Microsoft Office) attachment from an unsolicited sender. Attachment encryption is a common technique used to bypass malware scanning products. Use if receiving encrypted attachments is not normal behavior in your environment.

  • Attachment: Excel file with suspicious template identifier

    Jan 12, 2026

    Detects Excel attachments containing a specific template identifier (TM16390866) in the EXIF metadata, which may indicate malicious or suspicious document templates being used to distribute harmful content.

  • Attachment: Fake secure message and suspicious indicators

    Jan 12, 2026

    Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.

  • Attachment: File execution via Javascript

    Jan 12, 2026 · Attack surface reduction

    Javascript contains identifiers or strings that may attempt to execute files.

  • Attachment: Filename containing Unicode right-to-left override character

    Jan 12, 2026

    Recursively identifies attachments that attempt to conceal their true file extension by using right-to-left override characters.

  • Attachment: HTML attachment with login portal indicators

    Jan 12, 2026

    Recursively scans files and archives to detect indicators of login portals implemented in HTML files. This is a known credential theft technique used by threat actors.

  • Attachment: HTML file contains exclusively Javascript

    Jan 12, 2026

    Attached HTML file does not contain any HTML other than a