Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo attached, from a first-time sender.

Attack impersonating Exodus Wallet.

Impersonation of Dropbox, a file sharing service; specifically spoofs the Dropbox sender domain.

Impersonation of Dropbox, a file sharing service.

Detects low reputation links with Microsoft specific indicators in the body.

Impersonation of PayPal.

Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language from a first-time sender.

Impersonation of the cryptocurrency exchange Binance.

Attack impersonating a DocuSign request for signature.

Detects Dropbox phishing emails with no dropbox links with image attachments from first time sender.

Detects messages with a link to a Microsoft hosted logo where the sender's display name and the display text of a link in the body are in all caps, and a request is being made from a first-time sender.

This rule detects spam emails impersonating FedEx, UPS, or USPS with links to free file hosting.

A link in the body of the email downloads a file from a site that uses Adobe branding as employed by threat actors, such as Qakbot.

A link in the body of the email downloads a file from a site that uses Google Drive branding as employed by threat actors, such as Qakbot.

Scans files to detect Norton (Lifelock|360|Security) impersonation.

Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)

Impersonation of Github.

Impersonation of the Financial Industry Regulatory Authority (FINRA)

Attack impersonating hardware cryptocurrency wallet ledger.com's brand.

Impersonation of the shipping provider DHL.

Impersonation of Vanta.

Impersonation of Netflix.

Impersonation of the TurboTax service from Intuit. Most commonly seen around US tax season (Q1).

Impersonation of Blockchain[.]com, usually for credential theft.

Impersonation of Spotify.

Impersonation of Facebook.

Detects emails that impersonate Silicon Valley Bank

Attack impersonating Ripple cryptocurrency, potentially in the form of a giveaway scam.

Attack impersonating Stellar Development Foundation (SDF).

Impersonation of Twitter

Impersonation of the video conferencing provider Zoom. This "strict" version of this rule will only flag when the sender's display name matches those used by Zoom exactly.

Abuses Microsoft Forms to impersonate Google.

Possible attempt to impersonate Sublime Security executives.

Impersonation of Wells Fargo Bank.

Impersonation of the payroll provider ADP. Most commonly seen around US tax season (Q1)

Impersonation of the credit card provider American Express.

Impersonation of Apple.

Impersonation of Bank of America, usually for credential theft.

Impersonation of Chase Bank and related services to harvest credentials or related information such as dates of birth, phone numbers, social security numbers, ATM pin numbers, drivers license numbers, selfies, and ID card photos.

Impersonation of the cryptocurrency exchange Coinbase to harvest Coinbase credentials or related information.

Impersonation of the cloud provider Digital Ocean.

Impersonation of the shipping provider FedEx.

Impersonation of LinkedIn.

Impersonation of the Microsoft brand.

Impersonation of Outlook.com. Senders with "outlook.com" in the subdomain have been observed sending fake account notifications.

Impersonation of ukr[.]net.

Originally reported by CERT-UA on 07 March, 2022, phishing emails impersonate ukr[.]net to steal user credentials. "Compromised mailboxes are used by the Russian Federation's special services to conduct cyber attacks on citizens of Ukraine."

Impersonation of United Parcel Service (UPS).

Impersonation of Venmo