EXPLORE

EXPLORE DETECTIONS

🔍
1,155 detections found

BEC/Fraud: Romance scam

This rule detects messages attempting to initiate a Romance scam. The rule leverage tells such as undisclosed recipients, freemail emails in the body and common scam phrasing. Romance scams are deceptive schemes where scammers establish false romantic intentions towards individuals to gain their trust and eventually exploit them financially.

T1566.002T1534T1656T1566T1598
Sublimemedium

BEC/Fraud: Scam lure with freemail pivot

This message detects BEC/Fraud lures attempting to solicit the victim to pivot out of band via a freemail address in the body.

T1566.002T1534T1656
Sublimelow

BEC/Fraud: Student loan callback phishing

This rule detects phishing emails that attempt to engage the recipient by soliciting a callback under the guise of student loan forgiveness or assistance. The messages often come from free email providers, lack a proper HTML structure, and include suspicious indicators such as phone numbers embedded in the text. These emails typically contain language urging the recipient to respond or take immediate action, leveraging urgency around student loan repayment to entice engagement.

T1566.002T1534T1656T1566T1598
Sublimemedium

BEC/Fraud: Unsolicited business acquisition offer

Detects inbound messages with subjects referencing an offer to purchase, combined with body content mentioning private equity, acquiring companies, or discussing an opportunity. These messages are characteristic of fraudulent or unsolicited business acquisition solicitations designed to engage targets in fraudulent financial dealings.

T1566.002T1534T1656T1566T1598
Sublimemedium

BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns

Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes.

T1566.002T1534T1656T1566.003T1598+2
Sublimemedium

Benefits enrollment impersonation

Detects messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication.

T1566T1566.001T1566.002T1598T1036+2
Sublimehigh

Body HTML: Comment with 24-character hex token

Detects messages containing HTML comments with exactly 24 hexadecimal characters, which may indicate tracking tokens, session identifiers, or other suspicious embedded data used for evasion or tracking purposes.

T1566T1036T1027
Sublimelow

Body HTML: Recipient SLD in HTML class

Detects when there is a single recipient within $org_domains where the domain SLD is concealed within HTML class attributes. The message comes from either an unauthenticated trusted sender or an untrusted source.

T1566T1566.001T1566.002T1598T1036+1
Sublimemedium

Body: Embedded email headers indicative of thread hijacking/abuse

Detects email headers embedded in the message body content, indicating forwarded phishing attempts, MIME boundary manipulation, delivery notification spoofing, or copy-paste phishing. This pattern is commonly seen when attackers forward legitimate emails and the headers get included in the body, or when spoofing system notifications.

T1566T1566.001T1566.002T1598T1534+3
Sublimemedium

Body: Fake secure email portal with HTML obfuscation

Detects inbound messages with empty subjects impersonating a secure email portal, identified through multiple indicators including hidden HTML characters used to obfuscate the sender address, recipient domain echoed back as a portal sender, template typos, or frozen tracking links associated with known secure messaging infrastructure abuse.

T1566T1566.001T1566.002T1598T1036+1
Sublimehigh

Body: HTML whitespace stuffing with short initial message

Detects messages that uses HTML-based whitespace padding (repeated br tags, p-nbsp blocks, or div-br wrappers) to push content below the visible fold.

T1566T1566.001T1566.002T1598T1036+1
Sublimemedium

Body: Invisible Unicode obfuscation student loan callback phishing

Detects messages containing clusters of Unicode zero-width and invisible characters (such as LRM, RLM, zero-width space, BOM, and directional isolates) interspersed within digit sequences and body content matching 'student loan' patterns. This technique is used to obscure text from security filters while remaining visually coherent to recipients.

T1566.002T1534T1656T1566T1566.001+3
Sublimemedium

Body: PayApp transaction reference pattern

Detects messages containing PayApp transaction reference numbers in a specific format (PayApp# followed by digits) in either the message body or subject line.

T1566.003T1598T1566.002T1534T1656+2
Sublimemedium

Body: Suspicious date format

Detects messages containing strage date formats observed in phishing emails.

T1566T1566.001T1566.002T1598T1036+1
Sublimemedium

Body: Suspicious table template fingerprint

Detects messages matching a specific HTML template fingerprint characterized by a table containing both 'Important' and 'Company' text nodes. This pattern is associated with a known malicious message template used to deceive recipients.

T1566T1566.001T1566.002T1598T1036+1
Sublimemedium

Body: Yellow highlighted text markers

Detects messages containing multiple HTML span elements with yellow background highlighting (rgb(255, 241, 0)) and data-markjs attributes, potentially indicating evasion techniques through visual markup manipulation.

T1566T1566.001T1566.002T1598T1534+3
Sublimelow

Brand impersonation: AARP

Detects messages impersonating AARP by analyzing sender display name and body content for AARP references, address information, or survey-related language from unauthorized senders.

T1566.002T1534T1656T1566T1566.001+2
Sublimemedium

Brand impersonation: Adobe (QR code)

Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

T1566T1566.001T1566.002T1598T1598.003
Sublimehigh

Brand impersonation: Adobe Acrobat Sign PDF phishing file format template

Detects specific credential phishing PDF attachments that contain Adobe branding or Adobe Acrobat Sign text along with specific file format indicators, potentially indicating fraudulent documents impersonating legitimate Adobe services.

T1566T1566.001T1566.002T1598T1598.003
Sublimehigh

Brand impersonation: Adobe Sign with suspicious indicators

Detects messages impersonating Adobe Sign that contain Adobe branding elements but are not sent from legitimate Adobe domains and lack proper Adobe Sign authentication headers.

T1566T1566.001T1566.002T1598T1598.003
Sublimehigh

Brand impersonation: Adobe with suspicious language and link

Email contains an Adobe logo, at least one link, and suspicious link language from a new sender.

T1566T1566.001T1566.002T1598T1598.003
Sublimehigh

Brand impersonation: ADP

Impersonation of the payroll provider ADP. Most commonly seen around US tax season (Q1)

T1566T1566.001T1566.002T1598T1598.003
Sublimemedium

Brand impersonation: AliExpress

Detects messages impersonating AliExpress by matching known footer text and social media links, while confirming the sender is not legitimately from AliExpress or its infrastructure.

T1566.003T1598T1566T1566.001T1566.002+1
Sublimemedium

Brand impersonation: Amazon

Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)

T1566T1566.001T1566.002T1598T1598.003
Sublimelow
PreviousPage 12 of 49Next