The exploit involves tricking Outlook for Windows into displaying a fake domain while opening another one. This is achieved by adding a HTML tag with a fake domain and a left-to-right mark (Unicode U+200E). Links within tags will display the fake domain but open the actual domain when clicked on.

Message contains use of McGill University's open redirect but the sender is not McGill University.

Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites.

Message contains a suspicious Recipients pattern, a link that uses a free subdomain provider, and has credential theft language on the linked page.

Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo attached, from a first-time sender.

Message contains use of the Ticketmaster open redirect, but the sender is not Ticketmaster. This has been exploited in the wild.

This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve. The rule ensures at least a single link is present with either voicemail in the display name, body, subject or a combination of those elements with a medium to high credential theft NLU Intent from a first-time sender.

Detects low reputation links with Microsoft specific indicators in the body.

Body contains credential theft indicators, and contains a link to an IPFS site. IPFS has been recently observed hosting phishing sites.

Message contains a link that uses a free subdomain provider, and has a login or captcha on the page.

Detects fake message threads with suspicious links and financial request language

Attached EML contains a link which uses language resembling credential phishing.

Attached EML uses engaging language and links to a file sharing or free subdomain link from an unsolicited sender.

Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language from a first-time sender.

Detects messages with undisclosed recipients (likely all bcc) and NLU identified a credential theft intent with medium to high confidence from a suspicious low reputation link domain

Detects links in the body of an email where the linked domain is less than 10 days old from first-time senders.

Detects emails containing links to avast.com leveraging an open redirect

Detects Dropbox phishing emails with no dropbox links with image attachments from first time sender.

Detects messages with a link to a Microsoft hosted logo where the sender's display name and the display text of a link in the body are in all caps, and a request is being made from a first-time sender.

HTML attachments containing base64-encoded files that are downloaded via embedded hyperlinks. This TTP is used by attackers to bypass email and web filters since the file is not downloaded from an external source. Recently observed delivering Qakbot.

Message contains a link to a credential phishing page from a first-time sender.

A link in the body of the email downloads an encrypted zip that contains a disk image of the format IMG, ISO or VHD. This is a combination of file types used to deliver Qakbot.

A link in the body of the email downloads a file from a site that uses Adobe branding as employed by threat actors, such as Qakbot.

A link in the body of the email downloads a file from a site that uses Google Drive branding as employed by threat actors, such as Qakbot.

This rule is designed to detect credential phishing attacks that exploit go2.aspx redirects and masquerade as Microsoft-related emails.

Attackers have used the Google Translate service to deliver links to malicious sites repackaged with a translate.goog top-level domain. This rule identifies instances of Google Translate links from unsolicited senders.

Looks for use of the YouTube open redirect coming from someone other than YouTube.

An attacker may use Google's Firebase Dynamic Links to redirect a user to a malicious site. This rule identifies Firebase Dynamic Links where the destination domain is less than a week old.

A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA.

Recursively explodes auto-downloaded files within archives to detect these file types.

This technique has been used by known threat actors in the wild.

An attacker may generate a user code and send it to a target mailbox. With an appropriate lure, the targeted user may action the device code login and provide an attacker with the means to take over their account.

This rule looks for the presence of the Microsoft device login portal link, as well as mentions of 'device code' or a 9 character alphanumeric device code value.

Message contains use of the Google Web Light domain for open redirect.

Message contains a Google Apps Script macro link invoked from a comment on Google Slides|Docs. App Scripts can run arbitrary code, including redirecting the user to a malicious web page.

A file sharing link in the body with a common BEC subject. This rule could be expanded to include additional BEC subjects.

Message contains a Google Apps Script macro link. App Scripts can run arbitrary code, including redirecting the user to a malicious web page.

Message contains a notion link that contains suspicious terms. You may need to deactivate or fork this rule if your organization uses Notion.

Message uses an MSN open redirect.

Sample (benign) redirect to sublimesecurity[.]com: https[:]//www[.]msn[.]com/en-gb/lifestyle/rf-best-products-uk/redirect?url=aHR0cHM6Ly93d3cuc3VibGltZXNlY3VyaXR5LmNvbQ==

A file sharing link in the body sent from a suspicious sender domain.

Malformed URL prefix is a technique used to evade email security scanners.

Message contains use of the Atdmt (Facebook) open redirect.

Message contains use of BMW USA's open redirect but the sender is not BMW.

Looks for use of the HHS open redirect.

Looks for use of the Panera Bread open redirect coming from someone other than Panera.

Message contains use of the Samsung open redirect, but the sender is not Samsung.

Message contains use of Slack's open redirect but the sender is not Slack.

Message contains use of the click.snapchat.com open redirect.

An email from Sharepoint Online that was sent to multiple recipients that did not originate from a sender, by display name, in your organization.

Message contains a suspicious Office 365 app authorization link. The app may be compromised or was stood up for malicious purposes. Once the app has been authorized, the attacker will have read or write permissions to the user's Office 365 account.