EXPLORE DETECTIONS
Brand impersonation: Venmo
Impersonation of Venmo
Brand impersonation: Wells Fargo
Impersonation of Wells Fargo Bank.
Brand impersonation: WeTransfer
Detects messages claiming to be from WeTransfer that contain suspicious indicators, including misspelled domains, non-standard TLDs, suspicious file reference numbers, and French language variations. Excludes legitimate WeTransfer traffic with valid DMARC authentication.
Brand impersonation: Wise
Impersonating Wise Financial, an online banking platform.
Brand impersonation: Wix
Detects messages impersonating Wix through similar display names or domain names that either do not originate from legitimate Wix domains or fail DMARC authentication when sent from otherwise trusted senders.
Brand impersonation: Xodo Sign
Detects messages impersonating Xodo Sign with 'Processed by Xodo Sign' text from unauthorized senders that fail DMARC authentication.
Brand impersonation: Zoom
Detects messages impersonating Zoom through social footers, webinar links, and suspicious domain pattern matching. The rule looks for specific combinations of social media links, redirects, and content analysis to identify inauthentic Zoom-branded messages not originating from legitimate Zoom domains.
Brand impersonation: Zoom (strict)
Impersonation of the video conferencing provider Zoom. This "strict" version of the rule only flags when the sender's display name exactly matches those used by Zoom.
Brand impersonation: Zoom via HTML styling
Detects messages impersonating Zoom by identifying HTML table cells with specific blue styling (rgb(11,92,255)) containing Zoom branding in header elements.
Brand impersonation: Zoom via lookalike domain
Message contains a single link which attempts to spoof a 'zoom' link, sent from a free email provider to a single recipient.
Brand impersonation: Zoom with deceptive link display
Detects messages mentioning Zoom in the subject or body that contain links appearing to go to zoom.us but actually redirect to different domains.
Brand spoof: Dropbox
Impersonation of Dropbox, a file sharing service; specifically spoofs the Dropbox sender domain.
BullPhish ID phishing simulation
Identifies phishing simulations sent by BullPhish ID and excludes the message from live analysis.
Business Email Compromise (BEC) attempt from unsolicited sender
Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from unsolicited senders.
Business Email Compromise (BEC) attempt from untrusted sender
Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from first-time senders.
Business Email Compromise (BEC) attempt from untrusted sender (French/Français)
Detects potential Business Email Compromise (BEC) attacks by searching for common French BEC language within the email body from first-time senders.
Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)
This rule detects unsolicited messages where the recipient matches the sender address and no other recipients are identified. The reply-to address does not match the sender and is a freemail address, and the body contains no links. This is a common combination of techniques used by low-level BEC threats.
Business Email Compromise (BEC) with request for mobile number
This rule detects unsolicited messages with a small plain-text body that attempts to solicit a mobile number.
Business Email Compromise: Request for mobile number via reply thread hijacking
This rule detects BEC attacks that use reply threads to solicit mobile numbers, evading detection rules that exclude RE: subjects.
Callback phishing in body or attachment (untrusted sender)
Detects callback scams by analyzing text within images of receipts or invoices from untrusted senders.
Callback phishing solicitation in message body
A fraudulent invoice/receipt found in the body of the message. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks, ranging from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Callback phishing via Adobe Sign comment
This rule inspects messages originating from legitimate Adobe Sign infrastructure whose body content matches callback phishing criteria: at least one brand name, 3 matching callback phishing terms, and a phone number.
Callback phishing via Apple ID display name abuse
Detects callback phishing that abuses legitimate Apple ID notification emails as a delivery mechanism. The threat actor sets their Apple ID display name to a callback scam lure (e.g., a fake charge with a phone number), which Apple then embeds in the "Dear [name]" greeting of a routine account change notification. This legitimate email is forwarded to multiple targets via a distribution list, bypassing sender reputation checks since it originates from Apple's real infrastructure. The rule extracts the name field from the greeting and applies NLU classification to detect callback scam language within it.
Callback phishing via calendar invite
Detects calendar invites containing callback phishing language in the DESCRIPTION of the invite.