EXPLORE DETECTIONS
Brand impersonation: Amazon Web Services (AWS)
Detects messages impersonating AWS through similar display names combined with security-themed content and authentication failures. Excludes legitimate AWS communications and trusted senders.
Brand impersonation: Amazon with suspicious attachment
Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)
Brand impersonation: American Express (AMEX)
Impersonation of the credit card provider American Express.
Brand impersonation: Apple
Impersonation of Apple.
Brand impersonation: Aquent
Detects messages impersonating Aquent, a staffing and talent solutions company, by analyzing sender display names and body content for Aquent branding and office addresses from unauthorized domains.
Brand impersonation: Aramco
Impersonation of the petroleum and natural gas company Saudi Aramco.
Brand impersonation: AuthentiSign
Detects messages impersonating AuthentiSign through display name, domain, subject, or body content that either originate from non-AuthentiSign or spoofed domains.
Brand impersonation: Automobile assistance associations
Detects messages impersonating automobile associations (AAA, CAA, RAC, etc.) offering vehicle emergency kits or roadside assistance services from untrusted senders.
Brand impersonation: Bank of America
Impersonation of Bank of America, usually for credential theft.
Brand impersonation: Barracuda Networks
Impersonation of Barracuda Networks, an IT security company.
Brand impersonation: Bids & Tenders
Detects links impersonating the Bids & Tenders platform. The rule identifies suspicious links from non-legitimate domains that load Bids & Tenders logo assets, suggesting the sender is spoofing the platform to appear legitimate.
Brand impersonation: Binance
Impersonation of the cryptocurrency exchange Binance.
Brand impersonation: Blockchain.com
Impersonation of Blockchain.com, usually for credential theft.
Brand impersonation: Booking.com
Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains.
Brand impersonation: Box file sharing service
Detects messages impersonating Box file sharing service by identifying Box logos, collaboration-related language, or Box company address information from senders not associated with the legitimate box.com domain.
Brand impersonation: Canada Revenue Agency
Detects messages impersonating the Canada Revenue Agency (CRA) in English or French that contain credential theft indicators. The rule identifies senders claiming to be CRA through display names or subject line references, uses natural language understanding to detect credential theft intent, and excludes legitimate senders with proper authentication.
Brand impersonation: Capital One
This detection rule identifies inbound messages containing Capital One branding indicators in display names, sender addresses, message content, or embedded logos, while excluding legitimate Capital One domains and authenticated communications from known trusted senders.
Brand impersonation: Charles Schwab
Impersonation of Charles Schwab & Co
Brand impersonation: Chase Bank
Impersonation of Chase Bank and related services to harvest credentials or related information such as dates of birth, phone numbers, social security numbers, ATM pin numbers, drivers license numbers, selfies, and ID card photos.
Brand impersonation: Chase bank with credential phishing indicators
This rule checks for messages with or without attachments leveraging the Chase logo, and LinkAnalysis or Natural Language Understanding(NLU) has flagged credential phishing with medium to high confidence. The rule also excludes messages where all links are Chase affiliates, in addition to negating high trust sender root domains.
Brand impersonation: Cloud services with credential theft intent
Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji or Cloud+ text, contains links to external domains not matching the sender's domain, and lacks recipient identification entities.
Brand impersonation: Coinbase
Impersonation of the cryptocurrency exchange Coinbase to harvest Coinbase credentials or related information.
Brand impersonation: Coinbase with suspicious links
Detects messages impersonating Coinbase with low reputation or url shortened links.
Brand impersonation: Dashlane
Impersonation of the password management software Dashlane.