EXPLORE DETECTIONS
Brand impersonation: DHL
Impersonation of the shipping provider DHL.
Brand impersonation: DigitalOcean
Impersonation of the cloud provider DigitalOcean.
Brand impersonation: Discord notification
Detects inbound messages that impersonate Discord's notification system through display name spoofing, domain lookalikes, or logo usage in attachments. The messages contain typical Discord-style notification language in the subject line while failing authentication checks.
Brand Impersonation: Disney
Detects messages from senders impersonating Disney through display name spoofing or brand logo usage, combined with security-themed content and suspicious authentication patterns.
Brand impersonation: DocSend
Attack impersonating DocSend.
Brand impersonation: DocuSign
Attack impersonating a DocuSign request for signature.
Brand impersonation: DocuSign (QR code)
Detects messages using DocuSign image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Brand impersonation: DocuSign branded attachment lure with no DocuSign links
Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo or verbage within an image or PDF attachment, from an untrusted sender.
Brand impersonation: DocuSign PDF attachment with suspicious link
This rule detects DocuSign logos within PDF's that do not link to reputable domains, nor docusign themselves. This is typically indicative of Credential Phishing.
Brand impersonation: DocuSign with embedded QR code
This rule detects unsolicited messages with short bodies containing a DocuSign logo, QR code language and an embedded QR code.
Brand impersonation: DoorDash
Impersonation of the online food ordering and food delivery platform, DoorDash
Brand impersonation: Dotloop
Impersonation of Dotloop, a real estate transaction management platform.
Brand impersonation: Dropbox
Impersonation of Dropbox, a file sharing service.
Brand impersonation: Enbridge
Impersonation of the Canadian energy company Enbridge.
Brand impersonation: Evite
Detects messages impersonating Evite invitations by looking for invitation language while not originating from legitimate Evite domains.
Brand impersonation: Exodus
Attack impersonating Exodus Wallet.
Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains
Detects HTML table elements that mimick DocuSign templates linking to non-DocuSign destinations. The rule negates high trusted sender domains and legitimate replies.
Brand impersonation: Fake Fax
Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
Brand impersonation: Fake procurement/RFQ PDF from energy and industrial companies
Detects inbound PDF attachments impersonating well-known energy and industrial companies (Neste, TotalEnergies, Vattenfall, MOL Group, Unilever, Shell, Waldinger, Novo Nordisk) using fabricated procurement orders, requests for quotation, or supply chain solicitation documents. OCR is used to identify specific branding, addresses, and keywords embedded in these fraudulent PDF templates.
Brand impersonation: Fastway
Impersonation of Fastway Couriers, a delivery services company in Ireland and South Africa.
Brand impersonation: FedEx
Impersonation of the shipping provider FedEx.
Brand impersonation: Figma with malicious document access overlay
"Detects malicious Figma design shares containing brand impersonation or credential phishing content. The rule identifies legitimate Figma share notifications where the embedded thumbnail preview contains "access document" text when OCR'd. Attackers create phishing designs (impersonating Microsoft, DocuSign, or other brands) within Figma, then share them via Figma's legitimate infrastructure to bypass sender reputation checks. The malicious content is rendered in the Figma-hosted thumbnail image itself."
Brand impersonation: File sharing notification with template artifacts
Detects messages impersonating file sharing services that contain template artifacts such as placeholder comments, incomplete HTML elements, and development remnants. The message includes 'shared with you' language and exhibits multiple indicators of being generated from a malicious template including HTML comments with development terms, broken anchor tags, and filename elements that closely match the subject line.
Brand impersonation: FINRA
Impersonation of the Financial Industry Regulatory Authority (FINRA)