EXPLORE DETECTIONS

1,048 detections found

Brand impersonation: Ledger

Attack impersonating the brand of hardware cryptocurrency wallet ledger.com.

T1566, T1566.001, T1566.002, T1598, T1598.003 (+1)
Sublime | low

Brand impersonation: LinkedIn

Impersonation of LinkedIn.

T1566, T1566.001, T1566.002, T1598, T1598.003 (+1)
Sublime | medium

Brand impersonation: Mailchimp

Detects messages from senders impersonating Mailchimp through display name spoofing or brand logo usage, combined with security-themed content and suspicious authentication patterns.

T1566, T1566.001, T1566.002, T1598, T1598.003
Sublime | medium

Brand impersonation: Mailgun

Impersonation of the Mailgun email delivery platform.

T1566, T1566.001, T1566.002, T1598, T1534 (+2)
Sublime | medium

Brand impersonation: Marriott with gift language

Detects messages impersonating the Marriott brand that contain gift-related language such as 'appreciation gift', 'thank you gift', or 'something special' from senders not associated with legitimate Marriott domains.

T1566, T1566.001, T1566.002, T1598, T1598.003
Sublime | medium

Brand impersonation: McAfee

Detects messages impersonating McAfee through display name, subject line, body content, or NLU entity detection when the sender is not from verified McAfee domains or other high-trust domains with valid DMARC authentication.

T1566, T1566.001, T1566.002, T1598, T1534 (+3)
Sublime | medium

Brand impersonation: Meta and subsidiaries

Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.

T1566, T1566.001, T1566.002, T1598, T1598.003 (+1)
Sublime | medium

Brand impersonation: MetaMask

Detects inbound messages containing links where the sender impersonates MetaMask through display name manipulation and includes the MetaMask logo or suspicious language, while not being from legitimate MetaMask domains. The rule checks for credential theft patterns and validates sender authentication.

T1566.002, T1534, T1656, T1566, T1566.001 (+2)
Sublime | high

Brand impersonation: Microsoft

Impersonation of the Microsoft brand.

T1566, T1566.001, T1566.002, T1598, T1598.003
Sublime | high

Brand impersonation: Microsoft (QR code)

Detects messages using Microsoft image-based lures that reference or include a QR code and come from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

T1566, T1566.001, T1566.002, T1598, T1598.003
Sublime | high

Brand impersonation: Microsoft fake sign-in alert

Detects messages impersonating Microsoft that mimic sign-in security alerts and attempt to solicit a response.

T1566, T1566.001, T1566.002, T1598, T1598.003
Sublime | medium

Brand impersonation: Microsoft logo in HTML with fake quarantine release notification

A message that contains a Microsoft logo generated using HTML tables and references to the Microsoft Exchange quarantine, but did not come from Microsoft.

T1566, T1566.001, T1566.002, T1598, T1036 (+2)
Sublime | high

Brand impersonation: Microsoft logo or suspicious language with open redirect

Message contains a Microsoft logo or suspicious terms and uses an open redirect. This has been exploited in the wild to impersonate Microsoft.

T1566.002, T1534, T1656, T1598.003, T1566 (+1)
Sublime | high

Brand impersonation: Microsoft Planner with suspicious link

Impersonation of Microsoft Planner, a component of the Microsoft 365 software suite.

T1566, T1566.001, T1566.002, T1598, T1036 (+2)
Sublime | medium

Brand impersonation: Microsoft quarantine release notification in body

Message that contains suspicious quarantine release language in the body and a Microsoft logo attachment, but did not come from Microsoft.

T1566, T1566.001, T1566.002, T1598, T1598.003
Sublime | high

Brand impersonation: Microsoft quarantine release notification in image attachment

Message that has an image attachment containing credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.

T1566, T1566.001, T1566.002, T1598, T1598.003
Sublime | high

Brand impersonation: Microsoft Teams

Impersonation of a Microsoft Teams message.

T1566, T1566.001, T1566.002, T1598, T1598.003
Sublime | high

Brand impersonation: Microsoft Teams invitation

Detects messages impersonating Microsoft Teams invites by matching known invite text patterns while containing join links that do not resolve to Microsoft domains. Additional verification includes checking for absent phone dial-in options and missing standard Teams help text or HTML meeting components.

T1566, T1566.001, T1566.002, T1598, T1598.003
Sublime | high

Brand impersonation: Microsoft with embedded logo and credential theft language

Detects messages from a new and unsolicited sender that impersonate Microsoft via a logo and contain credential theft language.

T1566, T1566.001, T1566.002, T1598, T1598.003
Sublime | high

Brand impersonation: Microsoft with low reputation links

Detects low reputation links with Microsoft-specific indicators in the body.

T1566, T1566.001, T1566.002, T1598, T1598.003
Sublime | medium

Brand impersonation: Navan

Impersonation of the expense management provider Navan.

T1566, T1566.001, T1566.002, T1598, T1598.003
Sublime | medium

Brand impersonation: Netflix

Impersonation of Netflix.

T1566, T1566.001, T1566.002, T1598, T1598.003 (+1)
Sublime | low

Brand impersonation: Norton

Scans files to detect Norton (Lifelock|360|Security) impersonation.

T1566, T1566.001, T1566.002, T1598, T1598.003
Sublime | low

Brand impersonation: Office 365 mail service

Detects messages from domains containing both 'o365' and 'mail' in the second-level domain, commonly used to impersonate legitimate Microsoft Office 365 mail services.

T1566, T1566.001, T1566.002, T1598, T1598.003 (+1)
Sublime | medium

Page 14 of 44