EXPLORE DETECTIONS
Body: PayApp transaction reference pattern
Detects messages containing PayApp transaction reference numbers in a specific format (PayApp# followed by digits) in either the message body or subject line.
Body: Suspicious date format
Detects messages containing strange date formats observed in phishing emails.
Brand impersonation: AARP
Detects messages impersonating AARP by analyzing sender display name and body content for AARP references, address information, or survey-related language from unauthorized senders.
Brand impersonation: Adobe (QR code)
Detects messages using Adobe image-based lures that reference or include a QR code, from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Brand impersonation: Adobe Sign with suspicious indicators
Detects messages impersonating Adobe Sign that contain Adobe branding elements but are not sent from legitimate Adobe domains and lack proper Adobe Sign authentication headers.
Brand impersonation: Adobe with suspicious language and link
Detects messages containing an Adobe logo, at least one link, and suspicious link language, sent from a new sender.
Brand impersonation: ADP
Impersonation of the payroll provider ADP, most commonly seen around US tax season (Q1).
Brand impersonation: AliExpress
Detects messages impersonating AliExpress by matching known footer text and social media links, while confirming the sender is not legitimately from AliExpress or its infrastructure.
Brand impersonation: Amazon
Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020).
Brand impersonation: Amazon Web Services (AWS)
Detects messages impersonating AWS through similar display names combined with security-themed content and authentication failures. Excludes legitimate AWS communications and trusted senders.
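The two descriptions above that spell out their logic (the PayApp reference pattern matched in subject or body, and the AWS lookalike display name combined with security-themed content and an authentication failure, minus legitimate and trusted senders) can be prototyped as plain checks over raw RFC 5322 messages. The block below is an added illustration, not the catalog's own rule code: the legitimate AWS domain list, the trusted-sender allowlist, the security-term list, the 0.8 similarity threshold and the three sample messages are all assumptions made for the example.

```python
"""Added example: two catalog detections as checks over raw messages (not vendor rule code)."""
import re
from difflib import SequenceMatcher
from email import message_from_bytes, policy
from email.utils import parseaddr

# Assumptions for the example, not taken from the catalog.
LEGIT_AWS_DOMAINS = {"amazon.com", "amazonaws.com"}        # assumed legitimate AWS sending domains
TRUSTED_SENDERS = {"cloud-alerts@partner.example"}         # hypothetical org allowlist
SECURITY_TERMS = ("sign-in", "security", "verify your", "suspended", "unusual activity", "credentials")
PAYAPP_REF = re.compile(r"PayApp#\d+")                     # "PayApp#" followed by digits, per the description

# Constructed sample messages (not real traffic).
PAYAPP_MSG = b"""From: "PayApp Billing" <receipts@payapp-billing.example>
Subject: Receipt PayApp#48213377
Authentication-Results: mx.corp.example; dmarc=none header.from=payapp-billing.example

Your payment was processed. Reference: PayApp#48213377
"""
AWS_PHISH = b"""From: "Amazon Web Services" <no-reply@aws-account-verify.example>
Subject: Unusual activity on your AWS account
Authentication-Results: mx.corp.example; dmarc=fail header.from=aws-account-verify.example

Unusual activity was detected. Verify your credentials within 24 hours to avoid suspension.
"""
AWS_LEGIT = b"""From: "Amazon Web Services" <no-reply-aws@amazon.com>
Subject: Security bulletin: action required
Authentication-Results: mx.corp.example; dmarc=pass header.from=amazon.com

Please review the security bulletin in the console.
"""


def parse(raw: bytes) -> dict:
    """Extract the fields the rules need: display name, sender address/domain, subject, body, DMARC result."""
    msg = message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    dmarc = re.search(r"\bdmarc=(\w+)", str(msg.get("Authentication-Results", "")))
    return {
        "display": display,
        "addr": addr.lower(),
        "domain": addr.rsplit("@", 1)[-1].lower() if "@" in addr else "",
        "subject": str(msg.get("Subject", "")),
        "body": body,
        "dmarc": dmarc.group(1).lower() if dmarc else "none",
    }


def payapp_reference(fields: dict) -> bool:
    """Body: PayApp transaction reference pattern, in either the subject or the body."""
    return bool(PAYAPP_REF.search(fields["subject"]) or PAYAPP_REF.search(fields["body"]))


def _is_subdomain_of(domain: str, roots: set) -> bool:
    return any(domain == r or domain.endswith("." + r) for r in roots)


def _looks_like_aws(display: str) -> bool:
    """Lookalike display name: the 'AWS' token, or a fuzzy match against the full brand name."""
    norm = re.sub(r"[^a-z0-9 ]", "", display.lower()).strip()
    if "aws" in norm.split():
        return True
    return SequenceMatcher(None, norm, "amazon web services").ratio() >= 0.8


def aws_impersonation(fields: dict) -> bool:
    """Brand impersonation: AWS. Lookalike display name + security-themed text + DMARC not passing,
    excluding legitimate AWS domains and trusted senders."""
    if _is_subdomain_of(fields["domain"], LEGIT_AWS_DOMAINS) or fields["addr"] in TRUSTED_SENDERS:
        return False
    text = (fields["subject"] + " " + fields["body"]).lower()
    security_themed = any(term in text for term in SECURITY_TERMS)
    return _looks_like_aws(fields["display"]) and security_themed and fields["dmarc"] != "pass"


def evaluate(raw: bytes) -> dict:
    """Run both rules over one raw message and return which ones fired."""
    fields = parse(raw)
    return {"payapp_reference": payapp_reference(fields), "aws_impersonation": aws_impersonation(fields)}


if __name__ == "__main__":
    for name, raw in (("payapp", PAYAPP_MSG), ("aws_phish", AWS_PHISH), ("aws_legit", AWS_LEGIT)):
        print(name, evaluate(raw))
```

The exclusions run before any positive signal is examined, which is the order the description implies: a message from a legitimate AWS domain or an allowlisted sender is never scored on display name or wording, so a real AWS security bulletin that merely looks alarming does not fire. The DMARC check reads the receiving gateway's `Authentication-Results` header, so the example assumes that header is stamped by your own MX and not forgeable by the sender.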
Brand impersonation: Amazon with suspicious attachment
Impersonation of Amazon combined with a suspicious attachment. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020).
Brand impersonation: American Express (AMEX)
Impersonation of the credit card provider American Express.
Brand impersonation: Apple
Impersonation of Apple.
Brand impersonation: Aquent
Detects messages impersonating Aquent, a staffing and talent solutions company, by analyzing sender display names and body content for Aquent branding and office addresses from unauthorized domains.
Brand impersonation: Aramco
Impersonation of the petroleum and natural gas company Saudi Aramco.
Brand impersonation: AuthentiSign
Detects messages impersonating AuthentiSign via the display name, sender domain, subject, or body content, where the message originates from a non-AuthentiSign or spoofed domain.
Brand impersonation: Automobile assistance associations
Detects messages impersonating automobile associations (AAA, CAA, RAC, etc.) offering vehicle emergency kits or roadside assistance services from untrusted senders.
Brand impersonation: Bank of America
Impersonation of Bank of America, usually for credential theft.
Brand impersonation: Barracuda Networks
Impersonation of Barracuda Networks, an IT security company.
Brand impersonation: Binance
Impersonation of the cryptocurrency exchange Binance.
Brand impersonation: Blockchain[.]com
Impersonation of Blockchain[.]com, usually for credential theft.
Brand impersonation: Booking.com
Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains.
Brand impersonation: Box file sharing service
Detects messages impersonating Box file sharing service by identifying Box logos, collaboration-related language, or Box company address information from senders not associated with the legitimate box.com domain.
Brand impersonation: Capital One
This detection rule identifies inbound messages containing Capital One branding indicators in display names, sender addresses, message content, or embedded logos, while excluding legitimate Capital One domains and authenticated communications from known trusted senders.