EXPLORE DETECTIONS
Brand impersonation: Okta
Impersonation of Okta, an identity and access management company.
Brand impersonation: OpenAI with payment issues
Detects messages impersonating OpenAI or ChatGPT with payment-related content such as subscription cancellation, payment failures, or billing updates from non-OpenAI domains.
Brand impersonation: Outlook
Impersonation of Outlook.com. Senders with "outlook.com" in the subdomain have been observed sending fake account notifications.
Brand impersonation: Paperless Post
Detects messages containing multiple images hosted on ppassets.com (Paperless Post's asset domain) but with fewer than 3 legitimate Paperless Post links, while excluding authentic forwards/replies and messages from verified Paperless Post domains with valid DMARC authentication.
Brand Impersonation: PayPal
Impersonation of PayPal.
Brand impersonation: PNC
Impersonation of PNC Financial Services.
Brand Impersonation: Procore
Detects messages containing Procore branding language that do not originate from legitimate Procore domains. This has been observed in phishing campaigns.
Brand impersonation: Proofpoint secure messaging without legitimate indicators
Detects messages impersonating Proofpoint secure messaging services that contain Proofpoint branding text but lack legitimate Proofpoint secure sharing URIs or authentic attachment indicators, suggesting fraudulent use of the brand.
Brand impersonation: Punchbowl
Detects messages impersonating Punchbowl invitations that do not originate from a legitimate Punchbowl domain.
Brand impersonation: Purdue ePlanroom with suspicious links
Detects messages impersonating Purdue ePlanroom with links that are either not from the legitimate reprographix.com domain or contain suspicious credential theft indicators.
Brand impersonation: Quickbooks
Impersonation of the QuickBooks service from Intuit.
Brand impersonation: QuickBooks notification from Intuit themed company name
This detection rule matches on QuickBooks notifications that feature company names impersonating Intuit and QuickBooks.
Brand impersonation: Ripple
Attack impersonating Ripple cryptocurrency, potentially in the form of a giveaway scam.
Brand impersonation: Robert Half
Detects messages impersonating Robert Half, a staffing and recruiting company, by analyzing sender display names, logo detection in message screenshots, and specific company address references in the message body. The rule flags messages from senders not authenticated from legitimate Robert Half domains.
Brand impersonation: Robinhood
Detects messages impersonating Robinhood by analyzing sender display name, domain, body content including specific address references, and social media links, while excluding legitimate Robinhood communications with proper DMARC authentication.
Brand impersonation: SendGrid
Detects inbound messages that impersonate Twilio/SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources.
Brand Impersonation: ShareFile
This detection rule matches on the impersonation of the file sharing site ShareFile. Threat actors have been observed abusing this brand to deliver messages with links to credential phishing pages.
Brand impersonation: Sharepoint
Body, attached images, or PDF contains a SharePoint logo. The message contains a link and credential theft language.
Brand impersonation: Sharepoint fake file share
This rule detects messages impersonating a SharePoint file sharing email where no links point to known Microsoft domains.
Brand impersonation: SharePoint PDF attachment with credential theft language
PDF attachment contains SharePoint logo and high-confidence credential theft language detected via OCR analysis. The attachment includes URLs and originates from an unsolicited or low-reputation sender, excluding legitimate SharePoint file sharing notifications.
Brand Impersonation: Shein
Detects suspicious Shein-branded communications using display name impersonation, logo detection, and deceptive content analysis. Includes checks for security/authentication topics, secure messages, notifications, and promotional content like fake surveys or giveaways. Excludes legitimate Shein domains with proper authentication and known trusted senders.
Brand impersonation: Silicon Valley Bank
Detects emails that impersonate Silicon Valley Bank.
Brand impersonation: SiriusXM
Impersonation of the broadcasting corporation SiriusXM.
Brand Impersonation: Social Security Administration (SSA)
Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders.