EXPLORE DETECTIONS
BEC/Fraud: Romance scam
This rule detects messages attempting to initiate a romance scam. The rule leverages tells such as undisclosed recipients, freemail addresses in the body, and common scam phrasing. Romance scams are deceptive schemes in which scammers feign romantic interest in individuals to gain their trust and eventually exploit them financially.
BEC/Fraud: Scam lure with freemail pivot
This rule detects BEC/Fraud lures that attempt to solicit the victim to pivot out of band via a freemail address in the body.
BEC/Fraud: Student loan callback phishing
This rule detects phishing emails that attempt to engage the recipient by soliciting a callback under the guise of student loan forgiveness or assistance. The messages often come from free email providers, lack a proper HTML structure, and include suspicious indicators such as phone numbers embedded in the text. These emails typically contain language urging the recipient to respond or take immediate action, leveraging urgency around student loan repayment to entice engagement.
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes.
Benefits enrollment impersonation
Detects messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication.
Body HTML: Comment with 24-character hex token
Detects messages containing HTML comments with exactly 24 hexadecimal characters, which may indicate tracking tokens, session identifiers, or other suspicious embedded data used for evasion or tracking purposes.
Body HTML: Recipient SLD in HTML class
Detects when there is a single recipient within $org_domains where the domain SLD is concealed within HTML class attributes. The message comes from either an unauthenticated trusted sender or an untrusted source.
Body: Embedded email headers indicative of thread hijacking/abuse
Detects email headers embedded in the message body content, indicating forwarded phishing attempts, MIME boundary manipulation, delivery notification spoofing, or copy-paste phishing. This pattern is commonly seen when attackers forward legitimate emails and the headers get included in the body, or when spoofing system notifications.
Body: PayApp transaction reference pattern
Detects messages containing PayApp transaction reference numbers in a specific format (PayApp# followed by digits) in either the message body or subject line.
Brand impersonation: AARP
Detects messages impersonating AARP by analyzing sender display name and body content for AARP references, address information, or survey-related language from unauthorized senders.
Brand impersonation: Adobe (QR code)
Detects messages using Adobe image-based lures that reference or include a QR code from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Brand impersonation: Adobe Sign with suspicious indicators
Detects messages impersonating Adobe Sign that contain Adobe branding elements but are not sent from legitimate Adobe domains and lack proper Adobe Sign authentication headers.
Brand impersonation: Adobe with suspicious language and link
Email contains an Adobe logo, at least one link, and suspicious link language from a new sender.
Brand impersonation: ADP
Impersonation of the payroll provider ADP. Most commonly seen around US tax season (Q1).
Brand impersonation: AliExpress
Detects messages impersonating AliExpress by matching known footer text and social media links, while confirming the sender is not legitimately from AliExpress or its infrastructure.
Brand impersonation: Amazon
Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020).
Brand impersonation: Amazon Web Services (AWS)
Detects messages impersonating AWS through similar display names combined with security-themed content and authentication failures. Excludes legitimate AWS communications and trusted senders.
Brand impersonation: Amazon with suspicious attachment
Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020).
Brand impersonation: American Express (AMEX)
Impersonation of the credit card provider American Express.
Brand impersonation: Apple
Impersonation of Apple.
Brand impersonation: Aquent
Detects messages impersonating Aquent, a staffing and talent solutions company, by analyzing sender display names and body content for Aquent branding and office addresses from unauthorized domains.
Brand impersonation: Aramco
Impersonation of the petroleum and natural gas company Saudi Aramco.
Brand impersonation: AuthentiSign
Detects messages impersonating AuthentiSign through display name, domain, subject, or body content that originate from non-AuthentiSign or spoofed domains.
Brand impersonation: Bank of America
Impersonation of Bank of America, usually for credential theft.