EXPLORE DETECTIONS
Brand impersonation: Fastway
Impersonation of Fastway Couriers, a delivery services company in Ireland and South Africa.
Brand impersonation: FedEx
Impersonation of the shipping provider FedEx.
Brand impersonation: Figma with malicious document access overlay
Detects malicious Figma design shares containing brand impersonation or credential phishing content. The rule identifies legitimate Figma share notifications where the embedded thumbnail preview contains "access document" text when OCR'd. Attackers create phishing designs (impersonating Microsoft, DocuSign, or other brands) within Figma, then share them via Figma's legitimate infrastructure to bypass sender reputation checks. The malicious content is rendered in the Figma-hosted thumbnail image itself.
Brand impersonation: File sharing notification with template artifacts
Detects messages impersonating file sharing services that contain template artifacts such as placeholder comments, incomplete HTML elements, and development remnants. The message includes 'shared with you' language and exhibits multiple indicators of being generated from a malicious template including HTML comments with development terms, broken anchor tags, and filename elements that closely match the subject line.
Brand impersonation: FINRA
Impersonation of the Financial Industry Regulatory Authority (FINRA).
Brand Impersonation: Gemini Trust Company
Detects messages impersonating Gemini Trust Company through analysis of footer content, social media links, and address verification, excluding legitimate communications from authenticated Gemini domains.
Brand impersonation: Github
Impersonation of GitHub.
Brand impersonation: Github (sawfish campaign)
Impersonation of GitHub, potentially as part of the sawfish campaign, seeking to harvest GitHub credentials.
Brand impersonation: GitHub with callback scam indicators
Detects messages using GitHub's noreply address that contain callback scam language, brand impersonation tactics, or fraudulent purchase/payment content with phone numbers for victim contact.
Brand impersonation: GoDaddy
Detects messages where the sender is impersonating GoDaddy through display name manipulation or lookalike domains, while not being legitimately authenticated from GoDaddy's infrastructure.
Brand Impersonation: Google (QR Code)
Detects messages using Google-based lures that reference or include a QR code from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Brand impersonation: Google Careers
Detects messages impersonating Google Careers or job opportunities in multiple languages that contain links to domains other than Google's legitimate domains, from senders not authenticated as Google.
Brand impersonation: Google Drive fake file share
This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains.
Brand impersonation: Google fake sign-in warning
Detects messages with image attachments containing fake Google sign-in warnings with no links leading to Google sites.
Brand impersonation: Google Meet with malicious link
Detects messages with 'Join with Google Meet' display text that redirects to domains other than meet.google.com.
Brand impersonation: Google using Microsoft Forms
Abuses Microsoft Forms to impersonate Google.
Brand impersonation: Google Workspace alert notification
Detects messages impersonating Google Workspace alert notifications that use Google branding elements, workspace-specific terminology, and admin console references, but originate from non-Google domains and contain suspicious links.
Brand impersonation: Greenvelope
Detects messages impersonating Greenvelope invitations that do not originate from the legitimate Greenvelope domain.
Brand impersonation: Gusto
Impersonation of Gusto, a cloud-based payroll management company.
Brand impersonation: Hulu
Impersonation of Hulu.
Brand impersonation: Interac
Impersonation of the Canadian interbanking network Interac. Seen in the wild impersonating carbon tax rebates and tax return refunds.
Brand impersonation: Internal Revenue Service
Detects messages from senders posing as the Internal Revenue Service by checking display name similarity and content indicators from body text and screenshots. Excludes legitimate IRS domains and authenticated senders.
Brand impersonation: KnowBe4
Impersonation of KnowBe4.
Brand impersonation: LastPass
Detects messages impersonating the password manager LastPass that contain suspicious language about maintenance, vault exports, or master passwords.