Potential HTML Smuggling. This rule inspects HTML attachments that contain a single link and leveraging an HTML body onload event. The linked domain must be in the URLhaus trusted repoters list, or have a suspicious TLD.

Read More

Potential HTML smuggling attack based on large blocks of decimal encoding. Attackers often use decimal encoding as an obfuscation technique to bypass traditional email security measures.

Read More

Detects low reputation links with Microsoft specific indicators in the body.

Read More

The rule flags inbound messages with no visible recipients, contain all-caps text, and include links from certain free hosts. It also checks for signs of credential theft using machine learning classifiers and is from a first-time sender.

Read More

This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve. The rule ensures at least a single link is present with either voicemail in the display name, body, subject or a combination of those elements with a medium to high credential theft NLU Intent from an unsolicited sender.

Read More

Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from first-time senders.

Read More

Body contains language resembling credential theft, and a "secure message" from a first-time sender.

Read More

This rule examines messages containing image attachments that utilize Google's open redirect (google[.]com/url...). To enhance accuracy and minimize false positives, the rule conducts additional assessments for suspicious indicators, as indicated in the comments.

Read More

Impersonation of Github.

Read More

Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)

Read More

Message contains various suspicious indicators as well as engaging language resembling credential theft from a first-time sender.

Read More

This rule analyzes image attachments for QR Codes that contain URLs including the recipient's email address. It ensures that the URLs do not link to any organizational domains. Additionally, it examines the email body using Natural Language Processing to detect credential phishing language.In cases of null bodies, the rule is conditioned to check the image for any suspicious terms.

Read More

Impersonation of the Microsoft brand.

Read More

This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer Malware.

Read More

Impersonation of Venmo

Read More

An attacker could send a trusted and signed document that references an untrusted DLL file, which will be loaded by the signed document.

Read More

Detects callback scams by analyzing text within images of receipts or invoices from first time senders.

Read More

Recursively scans files and archives to detect HTML smuggling techniques.

Read More

Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with medium or high confidence.

Read More

This rule identifies incoming messages with minimal links, all image attachments and either empty, brief or the body text is only a warning banner/disclaimer. It also checks for truncated PNG images or logos in addition to high-confidence credit theft intentions.

Read More

Message contains use of the U.S. Antarctic Program Data Center (USAP-DC) open redirect.

Read More

Credential Phishing attacks have been observed using excessive line breaks to obfuscate javascript functions within html files.

Read More

A file sharing link in the body with a common BEC subject. This rule could be expanded to include additional BEC subjects.

Read More

Detects fake message threads with suspicious links and financial request language

Read More

Detects extortion and sextortion attempts by analyzing the email body text from a first-time sender.

Read More

Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo attached, from a first-time sender.

Read More

Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.

Read More

Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Read More

This rule is designed to identify phishing attempts abusing Google AMP's URL structure for malicious activities. The rule aims to detect specific URL patterns, further analyzing both message content, as well as the destination of the link to distinguish between legitimate Google AMP pages and potential malicious usage.

Read More

A link in the body of the email downloads a file from a site that uses Google Drive branding as employed by threat actors, such as Qakbot.

Read More

Impersonation of the shipping provider FedEx.

Read More

Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from a first-time sender.

Read More

Impersonation of the video conferencing provider Zoom. This "strict" version of this rule will only flag when the sender's display name matches those used by Zoom exactly.

Read More

Impersonation of PayPal.

Read More

Attached EML links to a credential phishing site.

Read More

Detects spam from freemail senders, where the linked domain is less than 10 days old and emojis present.

Read More

Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.

Read More

A fraudulent invoice/receipt found in the body of the message. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

Recursively scans files and archives to detect Office documents with VSTO Add-ins.

Read More

Attached HTML file contains JavaScript code with suspicious identifiers like 'atob' or 'decrypt', as well as the recipient's email address embedded within the JavaScript

Read More

Impersonation of Barracuda Networks, an IT security company.

Read More

Impersonation of Vanta.

Read More

The sender's email address local part contains the recipients SLD, the sender's domain is not a known org domain, and it's a first time sender.

Read More

Impersonation of Chase Bank and related services to harvest credentials or related information such as dates of birth, phone numbers, social security numbers, ATM pin numbers, drivers license numbers, selfies, and ID card photos.

Read More

This rule identifies attachments that either have an HTML extension, lack any file extension, or possess an unrecognized file type and are employing Base64 encoding to conceal JavaScript functions within HTML script tags with little to no other content. Such obfuscation tactics have been frequently observed in credential phishing campaigns.

Read More

Office file OLE relationship link is a credential page, or contains credential phishing language.

Read More

Impersonation of LinkedIn.

Read More

Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.

Read More

Detects messages with undisclosed recipients, containing links to free subdomain hosts

Read More

Attack impersonating Exodus Wallet.

Read More

Detects messages with undisclosed recipients (likely all bcc) and NLU identified a credential theft intent with medium to high confidence from a suspicious low reputation link domain

Read More

Impersonation of Netflix.

Read More

Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites.

Read More

Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)

Read More

Using inline images in lieu of HTML or text content in the message is a known technique used to bypass content based scanning engines.

We've observed this technique used to deliver malware via attachments and phish credentials.

Read More

Sender is using a display name that matches the display name of someone in your organization.

Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body first-time senders.

Read More

The recipient's domain is used in the sender's display name in order to impersonate the organization. The impersonation has been observed to use both the recipient's full email address, as well as just the domain.

Read More

RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations. These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss, or data leakage.

Read More

The body contains a link to a domain with Punycode characters to hide the true URL destination, or contains non-printable ASCII content.

Read More

A fraudulent invoice/receipt found in an single page pdf attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

Recursively scans files and archives to detect indicators of login portals implemented in HTML files. This is a known credential theft technique used by threat actors.

Read More

Impersonation of Twitter

Read More

A fraudulent invoice/receipt found in an image attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

Message contains use of Slack's open redirect but the sender is not Slack.

Read More

Looks for use of the Panera Bread open redirect coming from someone other than Panera.

Read More

Impersonation of the credit card provider American Express.

Read More

Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from unsolicited senders.

Read More

Detects job scam attempts by analyzing the email body text from a first-time sender.

Read More

This detects a pattern commonly observed in mass phishing campaigns.

The local_part or the full email address of the recipient is used in the subject, body, and link query parameter to "personalize" the attack.

Read More

The sender is a known org domain and doesn't use a known org display name. SPF and DMARC verdicts are "none", which means the domain is spoofable. We then look for a combination of other suspicious signals such as a suspicious link or suspicious language.

False Positives may occur with automated sending systems that send rich text emails, in which case we can add additional signals or exclude those.

Read More

Detects messages from a mismatched newly registered Reply-to domain that contain a financial or urgent request, or a request and an NLU tag with medium to high confidence, from first time sender. This technique is typically observed in Vendor impersonation.

Read More

Detects messages with undisclosed recipients (likely all bcc), where the Compauth verdict is not 'pass', and ML has identified suspicious language or credential phishing links.

Read More

Sender is using a display name that matches the display name of someone in your $org_vips list.

Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body first-time senders.

Read More

Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language from a first-time sender.

Read More

Detects Dropbox phishing emails with no dropbox links with image attachments from first time sender.

Read More

Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.

Read More

Attached EML file contains an HTML attachment with suspicious login indicators. Known credential theft technique.

Read More

Scans for OneNote attachments that contain suspicious commands that may indicate malicious activity.

Read More

Scans attached files with known Office file extension, and alerts on the presence of strings indicative of sandbox evasion checks.

Malicious code may carry out checks against the local host (e.g. running processes, disk size, domain-joined status) before running its final payload.

Read More

Email contains a Microsoft logo or suspicious terms and use of the Bing open redirect. This has been exploited in the wild to impersonate Microsoft.

Read More

Impersonation of Dropbox, a file sharing service.

Read More

Detects messages with image attachments containing fake Google sign-in warnings with no links leading to Google sites.

Read More

Message contains credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.

Read More

Impersonation of a Microsoft Teams message.

Read More

Scans files to detect Norton (Lifelock|360|Security) impersonation.

Read More

A fraudulent invoice/receipt found in the body of the message sent by exploiting Paypal's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

A fraudulent invoice/receipt found in the body of the message sent by exploiting Stripe's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

Detects email messages that contain (anonymous|smtp)fox in the sender email address, X-Authenticated-Sender or X-Sender fields. This is indicative of messages sourced from an AnonymousFox compromised website.

Read More

Use if passing compressed or archive files is not typical behavior in your organization. This behavior has been observed in a number of phishing campaigns.

Read More

Detects messages impersonating Coinbase with low reputation or url shortened links.

Read More

Detects the presence of known brand logos, mentions of "fax" in the subject or sender's display name, and a low reputation link from a first-time sender.

Read More

Detects messages impersonating Microsoft that mimic sign-in security alerts and attempt to solicit a response.

Read More

Impersonation of ukr[.]net.

Originally reported by CERT-UA on 07 March, 2022, phishing emails impersonate ukr[.]net to steal user credentials. "Compromised mailboxes are used by the Russian Federation's special services to conduct cyber attacks on citizens of Ukraine."

Read More

Message is from a commonly abused sender TLD, contains various suspicious indicators resembling credential theft, and is unsolicited.

Read More

The sender's domain contains punycode, a technique used by attackers to impersonate legitimate domains.

Read More

Recursively scans files and archives to detect documents that ask the user to enable macros, including if that text appears within an embedded image.

Read More

Attachment from an unsolicited sender contains a macro that will auto-execute when the file is opened.

Macros are a common phishing technique used to deploy malware.

Read More

Recursively scans files and archives to detect embedded VBA files with an auto open exec.

Read More

Recursively scans files and archives to detect encrypted zip files.

Read More

Potentially malicious attachment containing a VBA macro. Oletools categorizes the macro risk as 'high'.

Read More

Recursively scans files and archives to detect embedded VBA files with an encoded hex string referencing an exe.

This may be an attempt to heavily obfuscate an execution through Microsoft document.

Read More

Recursively scans files and archives to detect embedded docx files with a specific author.

Read More

Recursively scans files and archives to detect embedded ZIP files that are encrypted and could not be opened/scanned.

Read More

Attachment contains a VBA macro from a sender your organization has never sent an email to.

Sender is using a display name that matches the display name of someone in your organization.

VBA macros are a common phishing technique used to deploy malware.

Read More

Detects pdf files with links to a remotely hosted password-protected file. This is a common technique abused by Phishing actors as well as Malware actors (IcedID, Remcos, Async Rat)

Read More

Potential HTML smuggling attacks from new senders. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.

Read More

Potential HTML smuggling attacks in unsolicited messages. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.

Read More

Recursively scans archives to detect HTML files from unsolicited senders.

HTML files can be used for HTML smuggling and embedded in archives to evade detection.

Read More

Recursively scans archives to detect disallowed file types. File extensions can be detected within password-protected archives.

Attackers often embed malicious files within archives to bypass email gateway controls.

Read More

Recursively scans files and archives to detect embedded CHM (Microsoft Compiled HTML Help) files.

According to CERT-UA, on March 7, 2022, phishing attacks targeted state organizations of Ukraine using Zip files with embedded CHM documents, which themselves contained malicious VBScript inside a .htm file. The activity is associated with UNC1151, according to CERT-UA.

Read More

Recursively scans files and archives to detect embedded EXE files (with an MZ header).

According to The Record, on June 7, 2021, the Ukrainian Secret Service attributed an attack that used this technique to the "special services of the Russian Federation".

The spear-phishing operation urged recipients to download a RAR archive included in the email, which, when decompressed, would drop an EXE file with a double extension (filename.pdf.exe) that tried to pass as a PDF file.

Read More

Detects a known Qakbot delivery method, zip file with pdf, txt and wsf file at a depth of 1

Read More

Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444.

On September 7, 2021, Microsoft released details about a zero day RCE vulnerability in MSHTML that affects Microsoft Windows.

According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."

Read More

Attachment contains an RTF file with a font table defining an excessive number of fonts, used to exploit CVE-2023-21716.

Read More

Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.

Read More

This rule detects the EICAR test string, used to evaluate Anti-Virus scanning and file inspection capabilities.

For performance reasons, this rule is limited to attachments with "eicar" in the file name.

Read More

MHT files can be used to run VBScript, which can run malicious code.

Read More

Detects HTML files in EML attachments from unsolicited senders.

Reduces attack surface against HTML smuggling.

Read More

Attached EML uses engaging language and IPFS links were detected in the EML file. IPFS has been recently observed hosting phishing sites.

Read More

Detects a potential Emotet delivery method using padded .doc files that compress into small zip files. Contents may include Red Dawn templates exceeding 500MB.

Read More

Encrypted OLE2 (eg Microsoft Office) attachment from an unsolicited sender. Attachment encryption is a common technique used to bypass malware scanning products. Use if receiving encrypted attachments is not normal behavior in your environment.

Read More

Recursively scans files and archives to detect IQY files.

Coercing a target user into providing credentials to an attacker-controlled web server, or for SMB relaying.

Read More

Javascript contains identifiers or strings that may attempt to execute files.

Read More

Recursively identifies attachments that attempt to conceal their true file extension by using right-to-left override characters

Read More

Recursively scans files and archives to detect HTML smuggling techniques.

Read More

Attached HTML file does not contain any HTML other than a