EXPLORE DETECTIONS
Attachment: Compensation review lure with QR code
Detects PDF attachments containing compensation or payroll-themed content with QR codes from unsolicited or suspicious senders.
Attachment: Credit card application with WhatsApp contact
Detects messages containing promotional credit card offers with attached forms requesting extensive personal information (PII) and directing victims to contact via WhatsApp, indicating potential fraud.
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444. On September 7, 2021, Microsoft released details about a zero-day RCE vulnerability in MSHTML that affects Microsoft Windows. According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."
Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability
Attachment contains an RTF file with a font table defining an excessive number of fonts, used to exploit CVE-2023-21716.
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability
Detects a Windows library file (.library-ms) containing a network path, either as a direct attachment or within an archive. This file type can be used to cause Windows to send an NTLM hash to malicious network locations.
Attachment: Decoy PDF author (Julie P.)
This detection rule matches on messages containing one or more decoy PDF attachments with metadata discovered to have been associated with malicious email campaigns featuring CrowdStrike, DocuSign, Human Resources and password expiration lures.
Attachment: DocuSign impersonation via PDF linking to new domain
This rule detects PDF files containing a DocuSign logo linking to a newly created domain (less than or equal to 3 days old).
Attachment: DocX embedded binary
This rule is designed to detect sophisticated phishing attacks that deliver binary payloads through Microsoft Office Open XML files. It identifies malicious documents containing embedded scripts or objects, either encoded in base64 or using specific JavaScript functions like createObjectURL or msSaveOrOpenBlob, which are indicative of attempts to download and execute a binary payload.
Attachment: DOCX with hyperlink targeting recipient address
Detects DOCX attachments containing hyperlinks with anchor references that match recipient email addresses. This technique is commonly used to personalize malicious documents and evade detection.
Attachment: Double base64-encoded zip file in HTML smuggling attachment
Qakbot double-Base64-encodes zip files within its HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.
Attachment: Dropbox image lure with no Dropbox domains in links
Detects Dropbox-themed phishing emails from an untrusted sender that carry image attachments but contain no Dropbox links.
Attachment: EICAR string present
This rule detects the EICAR test string, used to evaluate Anti-Virus scanning and file inspection capabilities. For performance reasons, this rule is limited to attachments with "eicar" in the file name.
Attachment: Embedded JavaScript in SVG file
JavaScript inside SVG files can be used to smuggle malicious payloads or execute scripts.
Attachment: Embedded VBScript in MHT file (unsolicited)
MHT files can be used to run VBScript, which can run malicious code.
Attachment: EML containing a base64 encoded script
Attached EML contains a base64 encoded script in the message body.
Attachment: EML file contains HTML attachment with login portal indicators
Attached EML file contains an HTML attachment with suspicious login indicators. This is a known credential theft technique.
Attachment: EML file with HTML attachment (unsolicited)
Detects HTML files in EML attachments from unsolicited senders. Reduces attack surface against HTML smuggling.
Attachment: EML file with IPFS links
Attached EML uses engaging language and contains IPFS links. IPFS has recently been observed hosting phishing sites.
Attachment: EML with embedded JavaScript in SVG file
Detects incoming messages containing EML attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs.
Attachment: EML with Encrypted ZIP
Detects when an EML file is attached that contains an encrypted ZIP file. The encryption can be used to bypass security scanning and deliver malicious content.
Attachment: EML with link to credential phishing page
Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.
Attachment: EML with QR code redirecting to Cloudflare challenges
Detects EML attachments containing office documents, PDFs, or images with embedded QR codes that redirect to Cloudflare challenge pages, potentially used to bypass security measures.
Attachment: EML with SharePoint files shared from GoDaddy federated tenants
Detects EML attachments containing SharePoint links with 'netorg' subdomain patterns, which may indicate suspicious redirection tactics or domain abuse.
Attachment: EML with Sharepoint link likely unrelated to sender
Detects EML attachments containing SharePoint links where the subdomain differs significantly from the sender's domain, potentially indicating SharePoint impersonation or domain spoofing tactics.