EXPLORE

EXPLORE DETECTIONS

🔍
1,155 detections found

Brand impersonation: DHL

Impersonation of the shipping provider DHL.

T1566T1566.001T1566.002T1598T1598.003+1
Sublimelow

Brand impersonation: DigitalOcean

Impersonation of the cloud provider DigitalOcean.

T1566T1566.001T1566.002T1598T1598.003+1
Sublimehigh

Brand impersonation: Discord notification

Detects inbound messages that impersonate Discord's notification system through display name spoofing, domain lookalikes, or logo usage in attachments. The messages contain typical Discord-style notification language in the subject line while failing authentication checks.

T1566T1566.001T1566.002T1598T1598.003
Sublimemedium

Brand Impersonation: Disney

Detects messages from senders impersonating Disney through display name spoofing or brand logo usage, combined with security-themed content and suspicious authentication patterns.

T1566T1566.001T1566.002T1598T1598.003
Sublimemedium

Brand impersonation: DocSend

Attack impersonating DocSend.

T1566T1566.001T1566.002T1598T1598.003+1
Sublimehigh

Brand impersonation: DocuSign

Attack impersonating a DocuSign request for signature.

T1566T1566.001T1566.002T1598T1598.003+1
Sublimehigh

Brand impersonation: DocuSign (QR code)

Detects messages using DocuSign image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

T1566T1566.001T1566.002T1598T1598.003
Sublimehigh

Brand impersonation: DocuSign branded attachment lure with no DocuSign links

Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo or verbage within an image or PDF attachment, from an untrusted sender.

T1566T1566.001T1566.002T1598T1598.003
Sublimehigh

Brand impersonation: DocuSign PDF attachment with suspicious link

This rule detects DocuSign logos within PDF's that do not link to reputable domains, nor docusign themselves. This is typically indicative of Credential Phishing.

T1566T1566.001T1566.002T1598T1598.003
Sublimehigh

Brand impersonation: DocuSign with embedded QR code

This rule detects unsolicited messages with short bodies containing a DocuSign logo, QR code language and an embedded QR code.

T1566T1566.001T1566.002T1598T1036+2
Sublimehigh

Brand impersonation: DoorDash

Impersonation of the online food ordering and food delivery platform, DoorDash

T1566T1566.001T1566.002T1598T1598.003
Sublimemedium

Brand impersonation: Dotloop

Impersonation of Dotloop, a real estate transaction management platform.

T1566T1566.001T1566.002T1598T1598.003
Sublimemedium

Brand impersonation: Dropbox

Impersonation of Dropbox, a file sharing service.

T1566T1566.001T1566.002T1598T1598.003
Sublimemedium

Brand impersonation: Enbridge

Impersonation of the Canadian energy company Enbridge.

T1566.002T1534T1656T1566T1566.001+2
Sublimemedium

Brand impersonation: Evite

Detects messages impersonating Evite invitations by looking for invitation language while not originating from legitimate Evite domains.

T1566T1566.001T1566.002T1598T1598.003
Sublimemedium

Brand impersonation: Exodus

Attack impersonating Exodus Wallet.

T1566T1566.001T1566.002T1598T1598.003
Sublimelow

Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains

Detects HTML table elements that mimick DocuSign templates linking to non-DocuSign destinations. The rule negates high trusted sender domains and legitimate replies.

T1566T1566.001T1566.002T1598T1598.003
Sublimemedium

Brand impersonation: Fake Fax

Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.

T1566T1566.001T1566.002T1598T1598.003
Sublimemedium

Brand impersonation: Fake procurement/RFQ PDF from energy and industrial companies

Detects inbound PDF attachments impersonating well-known energy and industrial companies (Neste, TotalEnergies, Vattenfall, MOL Group, Unilever, Shell, Waldinger, Novo Nordisk) using fabricated procurement orders, requests for quotation, or supply chain solicitation documents. OCR is used to identify specific branding, addresses, and keywords embedded in these fraudulent PDF templates.

T1566.002T1534T1656T1598.003T1566+1
Sublimehigh

Brand impersonation: Fastway

Impersonation of Fastway Couriers, a delivery services company in Ireland and South Africa.

T1566T1566.001T1566.002T1598T1598.003+1
Sublimemedium

Brand impersonation: FedEx

Impersonation of the shipping provider FedEx.

T1566T1566.001T1566.002T1598T1598.003+1
Sublimelow

Brand impersonation: Figma with malicious document access overlay

"Detects malicious Figma design shares containing brand impersonation or credential phishing content. The rule identifies legitimate Figma share notifications where the embedded thumbnail preview contains "access document" text when OCR'd. Attackers create phishing designs (impersonating Microsoft, DocuSign, or other brands) within Figma, then share them via Figma's legitimate infrastructure to bypass sender reputation checks. The malicious content is rendered in the Figma-hosted thumbnail image itself."

T1566T1566.001T1566.002T1598T1598.003
Sublimehigh

Brand impersonation: File sharing notification with template artifacts

Detects messages impersonating file sharing services that contain template artifacts such as placeholder comments, incomplete HTML elements, and development remnants. The message includes 'shared with you' language and exhibits multiple indicators of being generated from a malicious template including HTML comments with development terms, broken anchor tags, and filename elements that closely match the subject line.

T1566T1566.001T1566.002T1598T1598.003+2
Sublimelow

Brand impersonation: FINRA

Impersonation of the Financial Industry Regulatory Authority (FINRA)

T1566T1566.001T1566.002T1598T1598.003+1
Sublimemedium
PreviousPage 14 of 49Next