Email contains a ClickFunnels (mass mailing platform) tracking link but does not originate from ClickFunnels sending infrastructure. The myclickfunnels.com domain has been abused by threat actors to attempt credential phishing.

Read More

Identifies EML attachments that use credential theft language from unknown senders.

Read More

Detects messages impersonating Zoom through social footers, webinar links, and suspicious domain pattern matching. The rule looks for specific combinations of social media links, redirects, and content analysis to identify inauthentic Zoom-branded messages not originating from legitimate Zoom domains.

Read More

Impersonation of the Microsoft brand.

Read More

Attack impersonating a DocuSign request for signature.

Read More

Detects messages from GovDelivery that contain links to non-government domains, URL shorteners, newly registered domains, or domains with suspicious redirects. GovDelivery is a digital communications system that lets government agencies send updates via email, text, and social media. We have observed compromised American municipal and county GovDelivery delivering phishing emails.

Read More

Detects when a standalone Ludus document link contains embedded links that are suspicious, particularly those targeting Microsoft services through various evasion techniques. The rule analyzes both the presentation content and linked destinations for suspicious patterns and redirects.

Read More

Detects messages containing Scribd links with the fullscreen parameter from senders with no prior benign communication or recent history.

Read More

Detects when a Scribd document contains embedded links that are suspicious, particularly those targeting Microsoft services through various evasion techniques. The rule analyzes both the document content and linked destinations for suspicious patterns and redirects.

Read More

A Google Docs document contains suspicious text and links that redirect to either newly registered domains, free subdomain hosts, URL shorteners, or domains with suspicious TLDs.

Read More

This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request.

Read More

Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages.

Read More

RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations. These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss, or data leakage.

Read More

Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.

Read More

Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)

Read More

Identifies messages that resemble credential theft, originating from Salesforce. Salesforce infrastrcture abuse has been observed recently to send phishing attacks.

Read More

Identifies messages that resemble credential theft, originating from Xero. Xero infrastrcture abuse has been observed recently to send phishing attacks.

Read More

Message with short body text contains a single link where the display text matches the subject line. The link is deceptive and the recipient patterns are unusual, such as the recipient's address appearing in the body or undisclosed recipients being used.

Read More

A single link to a Figma design deck that contains credential theft language. The message comes from either a new sender, one with previously detected malicious activity, or a known sender who has not been in contact for over 30 days and has no history of benign messages.

Read More

This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender.

Read More

Detects low reputation links with Microsoft specific indicators in the body.

Read More

Message contains credential theft language and a link to a credential phishing page from an unknown sender. We use Link Analysis in aggressive mode to increase our chances of scanning.

Read More

Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender.

Read More

An attacker may generate a user code and send it to a target mailbox. With an appropriate lure, the targeted user may action the device code login and provide an attacker with the means to take over their account.

This rule looks for the presence of the Microsoft device login portal link, as well as mentions of 'device code' or a 9 character alphanumeric device code value.

Read More

Callback phishing campaigns have been observed abusing Intuit Quickbooks services to send fraudulent invoices with callback phishing contents.

Read More

Detects POWR.io forms with suspicious characteristics including unverified creators, cross-domain redirects, suspended accounts, or form owners from African time zones that don't match sender domains.

Read More

Detects messages impersonating a Microsoft Teams invites by matching known invite text patterns while containing join links that do not resolve to Microsoft domains. Additional verification includes checking for absent phone dial-in options and missing standard Teams help text or HTML meeting components.

Read More

This rule inspects messages originating from legitimate e-signature platform infrastructure, with engaging language in the body that matches HR Impersonation criteria.

Read More

Detects messages from senders impersonating Mailchimp through display name spoofing or brand logo usage, combined with security-themed content and suspicious authentication patterns.

Read More

Detects when a Canva design contains links to suspicious domains or credential harvesting sites. The rule examines embedded scripts within Canva documents for suspicious URLs and analyzes link text for malicious intent.

Read More

The detection rule matches on message groups which make use of Google Drive as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or redirect to a common website.

Read More

Detects when an Issuu document contains suspicious links or text, where the document is set to open in full screen mode. The rule analyzes both embedded links and document content for malicious indicators, particularly focusing on suspicious top-level domains and language patterns.

Read More

Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.

Read More

Detects when a link leads to a ConnectWise ScreenConnect installer and references a relay domain that doesn't match sender or organizational domains.

Read More

Message contains a link to a credential phishing page from an unknown sender.

Read More

Detects URLs linking to Gamma App presentation mode, which has been used to host malicious content due to its trusted domain status and presentation capabilities

Read More

Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains.

Read More

Identifies messages appearing to come from Adobe Sign signature notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Adobe services while attempting to establish unauthorized communication channels.

Read More

This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender.

Read More

Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo or verbage within an image or PDF attachment, from an untrusted sender.

Read More

Detects messages from HelloSign in which the document originates from a newly observed email address. The email address is extracted from across multiple message components, including HTML body templates and email header fields.

Read More

Identifies inbound messages containing a single-page PDF attachment related to voicemail or missed call notifications that includes either a URL or QR code.

Read More

Detects a specific behavioral pattern from AOL senders using consistent HTML templates and PDF attachment characteristics. The pattern includes particular Yahoo-style formatting with specific font families, and standardized PDF metadata when attachments are present.

Read More

Detects messages containing an open redirect in business.google.com's website_shared/launch_bw.html endpoint with the 'f' parameter. This has been exploited in phishing campaigns to redirect users to malicious sites.

Read More

Detects HTML or SVG files under 100KB that contain duplicate or padding text in the form of literary quotes or common sayings within code comments.

Read More

Detects messages impersonating AliExpress by matching known footer text and social media links, while confirming the sender is not legitimately from AliExpress or its infrastructure.

Read More

Message contains use of the adnxs.com redirect with getuid parameter. This has been exploited in phishing campaigns to redirect users to malicious sites.

Read More

Detects an inbound message containing an Adobe Acrobat link that leads to a single page PDF document with suspicious indicators, including minimal text, brand logos, and document viewer language. The sender is not from Adobe.com and the message is not a reply.

Read More

This rule inspects messages originating from legitimate Xodo Sign infrastructure, with content matching Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.

Read More

Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.

Read More

This rule inspects messages originating from legitimate Adobe Sign infrastructure, with content matching Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.

Read More

Impersonation of the Mailgun Email delivery platform.

Read More

This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve. The rule looks for voicemail verbiage in the display name, body, subject or a combination of those elements with emojis or a medium to high credential theft NLU Intent from first-time + unsolicited sender.

Read More

Detects emails containing links to Google Document Presentations that either have a single page with a single external link, have been removed for Terms of Service violations, or have been deleted.

Read More

Impersonation of Chase Bank and related services to harvest credentials or related information such as dates of birth, phone numbers, social security numbers, ATM pin numbers, drivers license numbers, selfies, and ID card photos.

Read More

This Attack Surface Reduction (ASR) rule matches on SurveyMonkey Surveys with recently registered reply-to domains.

Read More

Attached EML contains suspicious indicators, such as a missing sender email or short HTML body.

Read More

Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)

Read More

A fraudulent invoice/receipt found in the body of the message sent by exploiting SumUp's receipt email service.

Read More

A fraudulent invoice/receipt found in the body of the message sent by exploiting Paypal's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

This rule identifies attachments containing file scheme links pointing to executable file types, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software.

Read More

Detects incoming messages containing EML attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs.

Read More

Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.

Read More

Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains.

Read More

Impersonation of Netflix.

Read More

Message contains pretexting language about sharing photos ("found these photos and thought you'd like them", "remember these photos?") and a link with a newly registered domain. Fake threads and plain text bodies have been seen in the wild, indicating active evasion techniques.

Read More

Detects messages impersonating Google Accounts that contain links redirecting to known file hosting services

Read More

Detects messages from services that write the true sender to the reply-to field, where the sender has no prior legitimate message history and is newly registered. Indicative of service abuse.

Read More

Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Read More

Detects emails containing links using Linkedin '/slink?code=xxxxx' open redirect where the email has not come from Linkedin.com

Read More

The detection rule matches on message groups which make use of Microsoft Forms as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, URL shorteners or when visited are phishing pages, lead to a captcha or redirect to a top website.

Read More

Detects inbound messages that impersonate SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources.

Read More

Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from an untrusted sender.

Read More

Detects calendar invites containing callback phishing language in the DESCRIPTION of the invite.

Read More

This rule analyzes image attachments for QR Codes that contain URLs including the recipient's email address. It ensures that the URLs do not link to any organizational domains. Additionally, it examines the email body using Natural Language Processing to detect credential phishing language.In cases of null bodies, the rule is conditioned to check the image for any suspicious terms.

Read More

This rule analyzes image attachments for QR Codes in which LinkAnalysis concludes is phishing. The rule ensures that the URLs do not link to any organizational domains.

Read More

Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: LinkAnalysis credential phishing conclusion, decoded QR code url traverses suspicious infrastructure, the final destination is in URLhaus, decoded URL downloads a zip or executable, leverages URL shorteners, known QR abused openredirects, and more.

Read More

Message (or attached message) contains an image impersonating an Outlook attachment button.

Read More

Detects when non-WordPress senders link to suspended or malicious WordPress blog sites, commonly used to redirect users to credential harvesting pages.

Read More

Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised future returns, such as lottery scams, inheritance payouts, and investment opportunities. This rule identifies messages from Freemail domains or suspicious TLDS, including those with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect AFF language in their contents.

Read More

This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.

Read More

This rule is designed to identify and mitigate a specific type of fraudulent activity commonly targeted at educational institutions. This rule operates by analyzing incoming email content for certain characteristics indicative of a scam involving the offer of a free piano, often framed within the context of downsizing or a giveaway.

Read More

Detects inbound messages from senders using Vanguard-like display names or domains, excluding legitimate Vanguard domains and authenticated communications. Additional checks ensure the sender is not from trusted organizational domains or high-trust sender domains with proper authentication.

Read More

The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or rediret to a top website.

Read More

This ASR rule detects the use of secure SharePoint links which require recipient verifcation before allowing access to the shared file. This has been observed as a method of evading automated analysis of the shared files' content.

Read More

DocSend shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.

Read More

The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name.

Read More

DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.

Read More

This rule detects Dropbox share notifications which contain a reply-to address or domain that has not been previously observed sending messages to or receiving messages from the recipient organization.

Read More

This Attack Surface Reduction (ASR) rule matches on Dropbox notifications with recently registered reply-to domains.

Read More

Identifies messages appearing to come from Google Drive sharing notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Google services while attempting to establish unauthorized communication channels.

Read More

This Attack Surface Reduction (ASR) rule matches on QuickBooks notifications with recently registered reply-to domains.

Read More

DocuSign shares with new reply-to addresses have been seen in recent attacks.

Read More

Detects messages from a mismatched newly registered Reply-to domain that contain a financial or urgent request, or a request and an NLU tag with medium to high confidence, from an untrusted sender. This technique is typically observed in Vendor impersonation.

Read More

This rule detect potential credential phishing leveraging SharePoint file sharing to deliver a PDF, OneNote, or Unknown file type file using indicators such as suspicious sender analysis and link characteristics.

Read More

Detects phishing attempts disguised as e-signature requests, characterized by common document sharing phrases, unusual HTML padding, and suspicious link text.

Read More

Impersonation of Stripe, usually for credential theft.

Read More

Attached HTML file contains JavaScript code with suspicious identifiers like 'atob' or 'decrypt', as well as the recipient's email address embedded within the JavaScript

Read More

Impersonation of PayPal.

Read More

Impersonation of United Parcel Service (UPS).

Read More

This detection rule matches on messages which contain suspicious language within the comments of a Google share notification. Suspicious content within the comments section of the notification is deemed as email abbreviations such as FW:, FWD:, and RE: or by containing words that reference a file share.

Read More

Detects messages from senders posing as the Internal Revenue Service by checking display name similarity and content indicators from body text and screenshots. Excludes legitimate IRS domains and authenticated senders.

Read More

This rule flags messages with QR codes in attachments when there are three or fewer attachments. If no attachments are present, the rule captures a screenshot of the message for analysis. Additional triggers include: sender's name containing the recipient's SLD, recipient's email mentioned in the body, an empty message body, a suspicious subject, or undisclosed recipients.

Read More

Identifies messages containing CloudHQ share links from senders outside the CloudHQ domain who are impersonating DocuSign in either the subject line or display name.

Read More

Impersonation of the expense management provider Navan.

Read More

This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number.

Read More

Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents.

Read More

Message contains use of the whitefox.pl open redirect. This has been exploited in the wild.

Read More

Impersonation of the Quickbooks service from Intuit.

Read More

Detects inbound messages containing exactly one Squarespace tracking link but lacking authentic Squarespace email headers and sender patterns.

Read More

A fraudulent invoice/receipt found in the body of the message sent by exploiting Canva's design sharing feature.

Read More

HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address.

Read More

Detects messages impersonating TikTok through similar display names or logo detection, combined with security-themed content and authentication failures. Excludes legitimate TikTok communications and trusted senders.

Read More

Inbound message containing subject line and attachments related to handbook, compensation, or policy updates. Attachments are limited to Microsoft Word documents and match similar update-related terminology. This pattern has been observed used to delivery credential phishing via QR codes.

Read More

Detects HTML files in EML attachments from unsolicited senders.

Reduces attack surface against HTML smuggling.

Read More

A fraudulent invoice/receipt found in a pdf attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

Detects when an image or macro attachment contains QR codes that, when scanned, lead to URLs containing the recipient's email address. This tactic is used to uniquely track or target specific recipients and serve tailored credential phishing pages.

Read More

Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Read More

Message contains use of the mindmixer.com redirect. This has been exploited in the wild for phishing.

Read More

Detects messages appearing to come from Intuit domains with authentication failures while masquerading as DocuSign communications. The sender fails either SPF or DMARC verification, and includes DocuSign branding in either the subject line or display name.

Read More

This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.

Read More

Detects a Windows library file (.library-ms) containing a network path, either as a direct attachment or within an archive. This file type can be used to cause Windows to send NTLM hash to malicious network locations.

Read More

Detects when a message comes through a distribution list by matching on return paths containing Sender Rewrite Scheme (SRS) from a previously unknown domain sender to a single recipient who has never interacted with the organization. This method has been observed being abused by threat actors to deliver callback phishing.

Read More

Message contains use of the smore.com redirect. This has been exploited in the wild for phishing.

Read More

Message contains use of the cm.labcluster.com/go.aspx redirect. This has been exploited in the wild for phishing.

Read More

Message contains use of the tkqlhce.com redirect. This has been exploited in the wild for phishing.

Read More

This rule detects the use of Cartoon Network's Denmark domain as an open redirect.

Read More

Message contains use of the Bitrix24 redirect. This has been exploited in the wild for phishing.

Read More

Message contains use of the weblinkconnect.com open redirect, but the sender is not weblinkconnect.com. This has been exploited in the wild.

Read More

Message contains use of the agena-smile.com redirect with wptouch_switch parameter. This has been exploited in the wild for phishing.

Read More

Message contains use of the eaoko.org redirect. This has been exploited in the wild.

Read More

Detects messages impersonating Chrome Web Store policy communications, including fake extension security alerts and policy acceptance requests. Messages using observed domains and specific HTML formatting patterns typical of this impersonation.

Read More

Detects messages containing amaterasu-for-website-5.com redirect links that use the url parameter to redirect users to malicious sites. This has been observed in phishing campaigns.

Read More

Detects messages containing buildingengines.com redirect links that use the _redirectTo parameter to redirect users to malicious sites. This has been observed in phishing campaigns.

Read More

Detects messages containing Obunsha's passnavi redirect service that can be exploited to redirect users to malicious sites. This has been used in phishing campaigns.

Read More

Message contains use of the Samsung open redirect, but the sender is not Samsung.

Read More

Detects links that contain a Shibboleth SSO logout endpoint with a return parameter, which could be used for open redirect attacks. The rule checks for both direct path inclusion and URL-encoded versions in query parameters. Only triggers on senders with non-common prevalence.

Read More

Message contains use of the shoppermeet.net redirect. This has been exploited in the wild for phishing.

Read More

This rule identifies messages that contain duplicate PDF attachments, defined as either having identical filenames or matching MD5 hash values. Furthermore, the PDF files in question must lack any readable text and must not include hyperlinks.

Read More

Message contains use of the retailrocket.net open redirect. This has been exploited in the wild.

Read More

A fraudulent invoice/receipt found in an image attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

Detects when a sender links to a Sharepoint file where the subdomain significantly differs from the sender's domain. The rule checks for OneNote, PDF, or unknown file types and includes various domain validation checks.

Read More

Detects messages containing links that utilize a referrer anonymization service. The rule examines senders who are either not in a trusted domain list or have failed DMARC authentication despite being from a trusted domain.

Read More

Impersonation of the shipping provider FedEx.

Read More

Detects messages claiming to be from WeTransfer that contain suspicious indicators, including misspelled domains, non-standard TLDs, suspicious file reference numbers, and French language variations. Excludes legitimate WeTransfer traffic with valid DMARC authentication.

Read More

Message detects fake Gmail attachments by inspecting the body of a message for elements found within Gmail's user interface for attachment. In expected use, these elements only appears within the gmail WebUI and not within the body of message. The presence of this within message indicates a fake attachment.

Read More

Impersonation of LinkedIn.

Read More

Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576.

Read More

This rule identifies subjects containing long strings of nonsensical or procedurally generated characters, which are often used in phishing or spam campaigns for campaign tracking and identification, as well as to bypass detection filters.

Read More

Detects job scam attempts by analyzing the message body text from an unsolicited sender.

Read More

Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes.

Read More

This rule detects Google Drive links that use the direct download URL pattern which automatically downloads files when clicked. This pattern is frequently used by threat actors to distribute malware.

The links are formatted like: drive.google.com/uc?id=FILE_ID&export=download

These links skip the preview page and immediately download the file to the user's device, which can be dangerous for recipients. Threat actors exploit this pattern to directly distribute malware while appearing to share legitimate content from a trusted service.

Read More

A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.

Recursively explodes auto-downloaded files within archives to detect these file types.

This rule also catches direct Google Drive download links (drive.google.com/uc?export=download) that automatically download archive files, as these are frequently abused by threat actors to distribute malware.

This technique has been used by known threat actors in the wild.

Read More

Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance, compensation, or awards from mismatched senders and other suspicious language.

Read More

Detects messages with SharePoint reply headers that lack standard reply characteristics and contain inconsistencies in thread elements and recipient patterns

Read More

This detection rule matches on QuickBooks notifications that feature company names impersonating Intuit and QuickBooks.

Read More

This has been observed in the delivery of emails containing account/membership expiration lure themes of popular online services or delivery notifications.

Read More

Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.

Read More

Impersonation of Twitter.

Read More

Identifies inbound messages from Recruitee domains containing recruitment-related topics and application links, where the sender has limited prior history. The URLs in these messages either point to recently registered domains or appear as standalone links with application-focused text.

Read More

This rule flags emails that reference invoices or payments but have suspicious characteristics: attachments are either missing or only images. It also checks for misleading links disguised as attachments and the presence of invoice-related keywords. The rule looks for potential credential theft or unusual requests, making it a strong indicator of phishing attempts.

Read More

The detection rule matches on message groups which make use of Adobe's frame.io as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or redirect to a well-known domain, seen in evasion tactics.

Read More

Identifies messages leveraging Unicode block characters (between U+2580 - U+259F) arranged on consecutive lines to create QR codes. The rule inspects both the overall quantity and specific formatting of these characters, while considering the sender's historical behavior and reputation.

Read More

A fraudulent invoice/receipt found in the body of the message. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

Impersonation of the cryptocurrency exchange Binance.

Read More

Detects inbound messages containing links where the sender impersonates MetaMask through display name manipulation and includes the MetaMask logo or suspicious language, while not being from legitimate MetaMask domains. The rule checks for credential theft patterns and validates sender authentication.

Read More

This rule detects Cross-Site Scripting (XSS) attempts within email subjects. It bypasses messages from highly trusted domains unless they fail authentication. However, the rule remains flexible, triggering even for trusted domains when emails are sent from Google Groups, ensuring thorough protection against potential threats while minimizing false positives.

Read More

Message contains use of the convertcart.com redirect. This has been exploited in the wild.

Read More

Detects messages with unusually long local address parts (before the @) from senders outside trusted domains and without verified authentication.

Read More

Callback phishing campaigns have been observed abusing Zelle services to send fraudulent payment requests with callback phishing contents.

Read More

Message contains various suspicious indicators as well as engaging language resembling credential theft from an unknown sender.

Read More

Detects phishing attempts that impersonate the Social Security Administration, using a single PDF attachment containing specific fraud-related language and a callback number.

Read More

This rule identifies incoming SVG vector graphics files containing specific patterns: circle elements combined with either embedded images, QR codes, or filenames that match recipient information. Limited to three attachments and validates sender authenticity. SVG circle elements have been used to obfuscate QR codes and bypass automated QR code scanning methods.

Read More

Detects inbound messages that contain image or document attachments with QR codes containing embedded usernames, passwords, or excessively padded URLs. This technique is used to bypass traditional text-based detection methods.

Read More

Detects inbound messages containing links where the sender impersonates Trust Wallet through display name manipulation and suspicious language, while not being from legitimate Trust Wallet domains. The rule checks for credential theft patterns and validates sender authentication.

Read More

Recursively identifies attachments that attempt to conceal their true file extension by using Braille Pattern Blank characters

Read More

This rule detects messages impersonating a Sharepoint file sharing email where no links point to known Microsoft domains.

Read More

Impersonating Wise Financial, an online banking platform.

Read More

This detection rule identifies inbound messages containing Capital One branding indicators in display names, sender addresses, message content, or embedded logos, while excluding legitimate Capital One domains and authenticated communications from known trusted senders.

Read More

Impersonation of Charles Schwab & Co

Read More

This rule looks for password expiration verbiage in the subject and body. Requiring between 1 - 9 links, a short body, and NLU in addition to statically specified term anchors. High trust senders are also negated.

Read More

Message contains use of the vconfex.com redirect. This has been exploited in the wild.

Read More

Message contains use of the listing.ca redirect. This has been exploited in the wild.

Read More

Impersonation of the shipping provider DHL.

Read More

Email contains Twitter shortened link (t.co) but does not originate from a Twitter domain. This is a known malicious and spam tactic.

Read More

Message contains use of the museepicassoparis.fr open redirect. This has been exploited in the wild.

Read More

Message contains use of the radiopublic.com redirect. This has been exploited in the wild.

Read More

Message contains use of the api.spently.com redirect. This has been exploited in the wild.

Read More

Message contains use of the astroarts.co.jp redirect. This has been exploited in the wild.

Read More

Message contains use of the ijf.org redirect. This has been exploited in the wild.

Read More

Message contains use of the mail.spiceworks.com redirect. This has been exploited in the wild.

Read More

Message contains use of the embluemail.com redirect. This has been exploited in the wild.

Read More

Message contains use of the magiccity.ne.jp redirect. This has been exploited in the wild.

Read More

Message contains use of the bubblelife.com redirect. This has been exploited in the wild.

Read More

Message contains use of the magic4media.com open redirect. This has been exploited in the wild.

Read More

Message contains use of the smartadserver.com redirect. This has been exploited in the wild.

Read More

Message contains use of the unitedwaynwvt.org open redirect. This has been exploited in the wild.

Read More

Impersonation of Hulu.

Read More

Detects HTML table elements that mimick DocuSign templates linking to non-DocuSign destinations. The rule negates high trusted sender domains and legitimate replies.

Read More

Message contains a suspicious Office 365 app authorization (OAuth) link. The app may be compromised or was stood up for malicious purposes. Once the app has been authorized, the attacker will have read or write permissions to the user's Office 365 account.

Read More

This rule identifies sender display names containing long strings of nonsensical or procedurally generated characters, which are often used in phishing or spam campaigns for campaign tracking and identification, as well as to bypass detection filters.

Read More

Message contains use of the sciencebuddies.org open redirect. This has been exploited in the wild.

Read More

Message contains use of the ssg-financial.com open redirect. This has been exploited in the wild.

Read More

Message contains use of the social.bigpress.net open redirect. This has been exploited in the wild.

Read More

Message contains use of the shoppingwebapi.didatravel.com open redirect. This has been exploited in the wild.

Read More

Detects messages with HTML attachments containing multiple 'const' declarations while excluding legitimate Gmail messages. This is evidence of potential code injection or obfuscation techniques.

Read More

This rule detects DocuSign logos within PDF's that do not link to reputable domains, nor docusign themselves. This is typically indicative of Credential Phishing.

Read More

Detects sextortion attempts leveraging breach data, including names, addresses, phone numbers and frequently using Google Maps/Bing Maps streetview images to bolster confidence and fear.

Read More

This rule detects messages impersonating Microsoft's OneDrive service with medium to high credential theft language in the current thread. The subject is inspected for one drive language, with additional checks for free_subdomain hosted links, additional suspicious subject language or suspicious display text language.

Read More

This rule detects supplier impersonation by checking for: similar linked domains to the sender, non-freemail senders using freemail infrastructure, sender domains less than 90 days old, unsolicited communication or no prior interaction with the reply-to address, and a suspicious body.

Read More

Detects messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication.

Read More

Detects inbound messages from likely compromised WordPress sites that exhibit indicators of cross-site scripting (XSS) attempts. The rule identifies potential script injection patterns within message bodies and/or subjects containing multiple suspicious JavaScript-related keywords or indicators.

Read More

Message contains use of the plasticsurgery.or.kr open redirect. This has been exploited in the wild.

Read More

Message contains use of the k-mil.net open redirect. This has been exploited in the wild.

Read More

Message contains use of the predictiveresponse.net open redirect. This has been exploited in the wild.

Read More

This detection rule matches on the impersonation of the file sharing site ShareFile. Threat actors have been observed abusing this brand to deliver messages with links to crediential phishing pages.

Read More

Identifies messages from authenticated Google domains containing g.co shortened URLs with a subdomain in either the message body links or thread text.

Read More

Message contains use of the designsori.com open redirect. This has been exploited in the wild.

Read More

Message contains use of the qrxtech.com open redirect. This has been exploited in the wild.

Read More

Message contains use of the eduyield redirect which chains google amp. This has been exploited in the wild.

Read More

Impersonation of the Canadian energy company Enbridge.

Read More

The detection rule is intended to match on messages sent from DropBox indicating a shared file to the recipient which contains suspicious content within the document or sender display name.

Read More

The detection rule is intended to match on emails sent from SharePoint indicating a shared file to the recipient that contain suspicious content within the document name. The Link display text is leveraged to identify the name of the shared file.

Read More

Identifies instances where a malicious actor leverages an excessively padded username within the userinfo portion of the URL to hide the true destination in preview windows.

Read More

Detects suspicious Google Groups invitations containing inappropriate content or suspicious patterns. The rule looks for invites from non-organizational domains that contain random alphanumeric strings, explicit keywords, or suspicious call-to-action phrases in the group names or descriptions.

Read More

Detects suspicious Looker Studio Reports which containing inappropriate content or suspicious patterns. The rule looks for reports from non-organizational domains that contain emojis or explicit keywords within the report.

Read More

Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages of compromised sites.

Read More

Message contains use of a redirect chain which involves YouTube and Google amp. This has been exploited in the wild.

Read More

Message contains use of a redirect chain which involves Meta and YouTube. This has been exploited in the wild.

Read More

Impersonation of Wells Fargo Bank.

Read More

A file sharing link in the body sent from a suspicious sender domain.

Read More

Email contains a Constant Contact (mass mailing platform) tracking link but does not originate from Constant Contact sending infrastructure. The rs6.net domain has been abused by threat actors to attempt credential phishing.

Read More