This rule detects unsolicited messages where the recipient matches the sender address and no other recipients are identified. The reply-to address does not match the sender and is a freemail address, and the body contains no links. This is a common combination of techniques used by low-level BEC threats.
Suspicious Recipients pattern with no Compauth pass and suspicious content

Detects messages with undisclosed recipients (likely all BCC), where the Compauth verdict is not 'pass', and ML has identified suspicious language or credential phishing links.
Suspicious Recipients pattern with NLU credential theft indicators

May 25, 2023 · Tags: Suspicious sender, Suspicious headers, Suspicious link, Natural Language Understanding

Detects messages with undisclosed recipients (likely all BCC) where NLU identified a credential theft intent with medium to high confidence, combined with a suspicious low-reputation link domain.
Detects email messages that contain (anonymous|smtp)fox in the sender email address, X-Authenticated-Sender or X-Sender fields. This is indicative of messages sourced from an AnonymousFox compromised website.
Attackers can spoof domains that have no MX/SPF records, resulting in a DNS timeout. In O365 this fails closed (the message goes to spam), but in Gmail this fails open (the message lands in the inbox) and shows a red padlock.

Reproduce on Ubuntu 18.04:

echo "test" | mail -s "Test" user@gmail.com -a"From: Support support@nomxdomain.com"

Example headers:

Received-SPF: temperror (google.com: error in processing during lookup of support@ltbit.com: DNS error) client-ip=<>;
Authentication-Results: mx.google.com; spf=temperror (google.com: error in processing during lookup of support@nomxdomain.com: DNS error) smtp.mailfrom=support@nomxdomain.com