EXPLORE DETECTIONS
Brand impersonation: Microsoft with low reputation links
Detects low reputation links with Microsoft specific indicators in the body.
Brand impersonation: Navan
Impersonation of the expense management provider Navan.
Brand impersonation: Netflix
Impersonation of Netflix.
Brand impersonation: Norton
Scans files to detect Norton (Lifelock|360|Security) impersonation.
Brand impersonation: Office 365 mail service
Detects messages from domains containing both 'o365' and 'mail' in the second-level domain, commonly used to impersonate legitimate Microsoft Office 365 mail services.
Brand impersonation: Okta
Impersonation of Okta, an identity and access management company.
Brand impersonation: Outlook
Impersonation of Outlook.com. Senders with "outlook.com" in the subdomain have been observed sending fake account notifications.
Brand impersonation: Paperless Post
Detects messages containing multiple images hosted on ppassets.com (Paperless Post's asset domain) but with fewer than 3 legitimate Paperless Post links, while excluding authentic forwards/replies and messages from verified Paperless Post domains with valid DMARC authentication.
Brand Impersonation: PayPal
Impersonation of PayPal.
Brand impersonation: PNC
Impersonation of PNC Financial Services.
Brand Impersonation: Procore
Detects messages containing Procore branding language that do not originate from legitimate Procore domains. This has been observed in phishing campaigns.
Brand impersonation: Proofpoint secure messaging without legitimate indicators
Detects messages impersonating Proofpoint secure messaging services that contain Proofpoint branding text but lack legitimate Proofpoint secure sharing URIs or authentic attachment indicators, suggesting fraudulent use of the brand.
Brand impersonation: Punchbowl
Detects messages impersonating Punchbowl invitations that do not originate from the legitimate Punchbowl domain.
Brand impersonation: Purdue ePlanroom with suspicious links
Detects messages impersonating Purdue ePlanroom with links that either are not from the legitimate reprographix.com domain or contain suspicious credential theft indicators.
Brand impersonation: Quickbooks
Impersonation of the Quickbooks service from Intuit.
Brand impersonation: QuickBooks notification from Intuit themed company name
This detection rule matches on QuickBooks notifications that feature company names impersonating Intuit and QuickBooks.
Brand impersonation: Ripple
Attack impersonating Ripple cryptocurrency, potentially in the form of a giveaway scam.
Brand impersonation: Robert Half
Detects messages impersonating Robert Half, a staffing and recruiting company, by analyzing sender display names, logo detection in message screenshots, and specific company address references in the message body. The rule flags messages from senders not authenticated from legitimate Robert Half domains.
Brand impersonation: Robinhood
Detects messages impersonating Robinhood by analyzing sender display name, domain, body content including specific address references, and social media links, while excluding legitimate Robinhood communications with proper DMARC authentication.
Brand impersonation: SendGrid
Detects inbound messages that impersonate Twilio/SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources.
Brand Impersonation: ShareFile
This detection rule matches on the impersonation of the file sharing site ShareFile. Threat actors have been observed abusing this brand to deliver messages with links to credential phishing pages.
Brand impersonation: Sharepoint
The body, attached images, or PDF contain a Sharepoint logo, and the message contains a link and credential theft language.
Brand impersonation: Sharepoint fake file share
This rule detects messages impersonating a Sharepoint file sharing email where no links point to known Microsoft domains.
Brand impersonation: SharePoint PDF attachment with credential theft language
PDF attachment contains SharePoint logo and high-confidence credential theft language detected via OCR analysis. The attachment includes URLs and originates from an unsolicited or low-reputation sender, excluding legitimate SharePoint file sharing notifications.