EXPLORE DETECTIONS
BEC/Fraud: Romance scam
This rule detects messages attempting to initiate a Romance scam. The rule leverage tells such as undisclosed recipients, freemail emails in the body and common scam phrasing. Romance scams are deceptive schemes where scammers establish false romantic intentions towards individuals to gain their trust and eventually exploit them financially.
BEC/Fraud: Scam lure with freemail pivot
This message detects BEC/Fraud lures attempting to solicit the victim to pivot out of band via a freemail address in the body.
BEC/Fraud: Student loan callback phishing
This rule detects phishing emails that attempt to engage the recipient by soliciting a callback under the guise of student loan forgiveness or assistance. The messages often come from free email providers, lack a proper HTML structure, and include suspicious indicators such as phone numbers embedded in the text. These emails typically contain language urging the recipient to respond or take immediate action, leveraging urgency around student loan repayment to entice engagement.
BEC/Fraud: Unsolicited business acquisition offer
Detects inbound messages with subjects referencing an offer to purchase, combined with body content mentioning private equity, acquiring companies, or discussing an opportunity. These messages are characteristic of fraudulent or unsolicited business acquisition solicitations designed to engage targets in fraudulent financial dealings.
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes.
Benefits enrollment impersonation
Detects messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication.
Body HTML: Comment with 24-character hex token
Detects messages containing HTML comments with exactly 24 hexadecimal characters, which may indicate tracking tokens, session identifiers, or other suspicious embedded data used for evasion or tracking purposes.
Body HTML: Recipient SLD in HTML class
Detects when there is a single recipient within $org_domains where the domain SLD is concealed within HTML class attributes. The message comes from either an unauthenticated trusted sender or an untrusted source.
Body: Embedded email headers indicative of thread hijacking/abuse
Detects email headers embedded in the message body content, indicating forwarded phishing attempts, MIME boundary manipulation, delivery notification spoofing, or copy-paste phishing. This pattern is commonly seen when attackers forward legitimate emails and the headers get included in the body, or when spoofing system notifications.
Body: Fake secure email portal with HTML obfuscation
Detects inbound messages with empty subjects impersonating a secure email portal, identified through multiple indicators including hidden HTML characters used to obfuscate the sender address, recipient domain echoed back as a portal sender, template typos, or frozen tracking links associated with known secure messaging infrastructure abuse.
Body: HTML whitespace stuffing with short initial message
Detects messages that uses HTML-based whitespace padding (repeated br tags, p-nbsp blocks, or div-br wrappers) to push content below the visible fold.
Body: Invisible Unicode obfuscation student loan callback phishing
Detects messages containing clusters of Unicode zero-width and invisible characters (such as LRM, RLM, zero-width space, BOM, and directional isolates) interspersed within digit sequences and body content matching 'student loan' patterns. This technique is used to obscure text from security filters while remaining visually coherent to recipients.
Body: PayApp transaction reference pattern
Detects messages containing PayApp transaction reference numbers in a specific format (PayApp# followed by digits) in either the message body or subject line.
Body: Suspicious date format
Detects messages containing strage date formats observed in phishing emails.
Body: Suspicious table template fingerprint
Detects messages matching a specific HTML template fingerprint characterized by a table containing both 'Important' and 'Company' text nodes. This pattern is associated with a known malicious message template used to deceive recipients.
Body: Yellow highlighted text markers
Detects messages containing multiple HTML span elements with yellow background highlighting (rgb(255, 241, 0)) and data-markjs attributes, potentially indicating evasion techniques through visual markup manipulation.
Brand impersonation: AARP
Detects messages impersonating AARP by analyzing sender display name and body content for AARP references, address information, or survey-related language from unauthorized senders.
Brand impersonation: Adobe (QR code)
Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Brand impersonation: Adobe Acrobat Sign PDF phishing file format template
Detects specific credential phishing PDF attachments that contain Adobe branding or Adobe Acrobat Sign text along with specific file format indicators, potentially indicating fraudulent documents impersonating legitimate Adobe services.
Brand impersonation: Adobe Sign with suspicious indicators
Detects messages impersonating Adobe Sign that contain Adobe branding elements but are not sent from legitimate Adobe domains and lack proper Adobe Sign authentication headers.
Brand impersonation: Adobe with suspicious language and link
Email contains an Adobe logo, at least one link, and suspicious link language from a new sender.
Brand impersonation: ADP
Impersonation of the payroll provider ADP. Most commonly seen around US tax season (Q1)
Brand impersonation: AliExpress
Detects messages impersonating AliExpress by matching known footer text and social media links, while confirming the sender is not legitimately from AliExpress or its infrastructure.
Brand impersonation: Amazon
Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)