EXPLORE DETECTIONS
Attachment: SVG files with evasion elements
This rule identifies incoming SVG vector graphics files containing specific patterns: circle elements combined with either embedded images, hyperlinks, QR codes, or filenames that match recipient information. Limited to three attachments. SVG circle elements have been used to obfuscate QR codes and bypass automated QR code scanning methods.
Attachment: TAR file with RAR type
Detects messages with TAR file extensions that are actually RAR file types. This mismatch between file extension and actual file type may indicate an evasion technique.
Attachment: Uncommon compressed file
Use if passing compressed or archive files is not typical behavior in your organization. This behavior has been observed in a number of phishing campaigns.
Attachment: USDA bid invitation impersonation
Detects messages claiming to be from USDA containing bid invitations with macro-enabled attachments or PDFs. Validates USDA-related content through OCR and natural language analysis.
Attachment: Web files with suspicious comments
Detects HTML or SVG files under 100KB that contain duplicate or padding text in the form of literary quotes or common sayings within code comments.
Attachment: WinRAR CVE-2025-8088 exploitation
Detects attempts to exploit CVE-2025-8088 via attached RAR files.
Attachment: XLSX file with suspicious print titles metadata
Detects XLSX attachments containing EXIF metadata with suspicious TitlesOfParts fields that follow a specific pattern combining 'Company_Name' with extracted values and 'Print_Titles', potentially indicating malicious document preparation.
Attachment: Zip exploiting CVE-2023-38831 (unsolicited)
A Zip attachment that exhibits attributes required to exploit CVE-2023-38831, a vulnerability in WinRAR (prior to 6.23).
Attachment: ZIP file with CVE-2026-0866 exploit
Detects ZIP attachments containing exploits targeting CVE-2026-0866 vulnerability through YARA signature matching.
BEC with unusual reply-to or return-path mismatch
Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with medium or high confidence.
BEC: Employee impersonation with subject manipulation
Subject matches the display name of someone in your organization, and the body resembles a BEC attack.
BEC/Fraud: Generic scam attempt to undisclosed recipients
Detects potential generic scams by analyzing text within the email body and other suspicious signals.
BEC/Fraud: Job scam fake thread or plaintext pivot to freemail
Detects potential job scams using plaintext or fake threads attempting to pivot to a freemail address from an unsolicited sender.
BEC/Fraud: Penpal scam
This rule detects messages from individuals looking to establish contact under the guise of seeking friendship or a penpal relationship. Over time, they build trust and then exploit this relationship by asking for money, personal information, or involvement in suspicious activities.
BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply
Detects suspicious reply messages with urgent language in the sender name or email address, minimal body content, and the sender's email address appearing in previous thread content, indicating a self-reply.
BEC/Fraud: Romance scam
This rule detects messages attempting to initiate a romance scam. The rule leverages tells such as undisclosed recipients, freemail addresses in the body, and common scam phrasing. Romance scams are deceptive schemes in which scammers feign romantic intentions towards individuals to gain their trust and eventually exploit them financially.
BEC/Fraud: Scam lure with freemail pivot
This rule detects BEC/Fraud lures attempting to get the victim to pivot out of band to a freemail address supplied in the body.
BEC/Fraud: Student loan callback phishing
This rule detects phishing emails that attempt to engage the recipient by soliciting a callback under the guise of student loan forgiveness or assistance. The messages often come from free email providers, lack a proper HTML structure, and include suspicious indicators such as phone numbers embedded in the text. These emails typically contain language urging the recipient to respond or take immediate action, leveraging urgency around student loan repayment to entice engagement.
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes.
Benefits enrollment impersonation
Detects messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication.
Body HTML: Comment with 24-character hex token
Detects messages containing HTML comments with exactly 24 hexadecimal characters, which may indicate tracking tokens, session identifiers, or other suspicious embedded data used for evasion or tracking purposes.
Body HTML: Recipient SLD in HTML class
Detects when there is a single recipient within $org_domains where the domain SLD is concealed within HTML class attributes. The message comes from either an unauthenticated trusted sender or an untrusted source.
Body: Embedded email headers indicative of thread hijacking/abuse
Detects email headers embedded in the message body content, indicating forwarded phishing attempts, MIME boundary manipulation, delivery notification spoofing, or copy-paste phishing. This pattern is commonly seen when attackers forward legitimate emails and the headers get included in the body, or when spoofing system notifications.
Body: HTML whitespace stuffing with short initial message
Detects messages that use HTML-based whitespace padding (repeated br tags, p-nbsp blocks, or div-br wrappers) to push content below the visible fold.