EXPLORE DETECTIONS
Callback phishing via DocuSign comment
This rule inspects messages originating from legitimate DocuSign infrastructure that carry a DocuSign logo and whose body matches Callback Phishing criteria: at least one brand name, at least 3 matching Callback Phishing terms, and a phone number.
Callback phishing via e-signature service
Detects messages combining e-signature topics with tech support keywords and phone numbers. The message includes brand impersonation (PayPal, Norton, McAfee, etc.) and transaction-related language, carries no attachments, and has a reply-to address at a free email provider.
Callback phishing via extensionless rfc822 attachment
This rule detects messages with an unknown (extensionless) file_type and a content_type of 'message/rfc822' that contain an image file with Callback Phishing indicators.
Callback phishing via Google Group abuse
Detects a fraudulent invoice/receipt in the body of a message delivered via a Google Group mailing list.
Callback phishing via Google Meet
Detects Google Meet invitations that include callback phishing content in the body, impersonating brands like McAfee, Norton, PayPal, or Best Buy with purchase-related language and phone numbers to solicit victim contact.
Callback phishing via Intuit service abuse
Callback phishing campaigns have been observed abusing Intuit QuickBooks services to send fraudulent invoices containing callback phishing content.
Callback phishing via Microsoft comment
Detects callback scam messages originating from legitimate Microsoft infrastructure but containing fraudulent content designed to trick recipients into calling scammer phone numbers. The message includes typical callback phishing language around purchases, payments, subscriptions, or support services along with embedded phone numbers, while passing Microsoft's authentication checks.
Callback Phishing via Signable E-Signature Request
This rule inspects messages originating from legitimate Signable infrastructure whose body matches Callback Phishing criteria: at least one brand name, at least 3 matching Callback Phishing terms, and a phone number.
Callback phishing via SignFree e-signature request
This rule inspects messages originating from legitimate SignFree infrastructure whose body matches Callback Phishing criteria: at least one brand name, at least 3 matching Callback Phishing terms, and a phone number.
Callback phishing via Xodo Sign comment
This rule inspects messages originating from legitimate Xodo Sign infrastructure whose body matches Callback Phishing criteria: at least one brand name, at least 3 matching Callback Phishing terms, and a phone number.
Callback phishing via Yammer comment
Detects callback scams sent through Yammer infrastructure containing suspicious payment-related keywords and phone numbers. The rule identifies messages with callback scam language patterns or multiple financial transaction terms combined with phone number patterns in the message body or subject line.
Callback phishing via Zelle Service Abuse
Callback phishing campaigns have been observed abusing Zelle services to send fraudulent payment requests containing callback phishing content.
Callback phishing via Zoho service abuse
Callback phishing campaigns have been observed abusing Zoho Invoice services to send fraudulent invoices containing callback phishing content.
Callback Phishing via Zoom comment
Detects callback scams sent through legitimate Zoom infrastructure that impersonate well-known brands like McAfee, Norton, or PayPal. These messages contain purchase or support-related language along with phone numbers, attempting to trick recipients into calling fraudulent support lines.
Callback phishing: AOL senders with suspicious HTML template or PDF attachment
Detects a specific behavioral pattern from AOL senders: consistent HTML templates and, when attachments are present, PDF attachments with standardized metadata. The HTML pattern includes particular Yahoo-style formatting with specific font families.
Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old
This rule checks for invoicing content from a sender, reply-to or return-path domain less than 30 days old. It also checks the body, or the OCR'd screenshot, for keywords commonly abused in fraudulent invoicing attacks.
Callback phishing: Social Security Administration fraud
Detects phishing attempts that impersonate the Social Security Administration, using a single PDF attachment containing specific fraud-related language and a callback number.
Callback phishing: SumUp infrastructure abuse
Detects a fraudulent invoice/receipt in the body of a message sent by exploiting SumUp's receipt email service.
Callback scam: Impersonation via TimeTrade infrastructure
Detects callback scam messages that abuse legitimate TimeTrade sending infrastructure to impersonate well-known brands like McAfee, Norton, Geek Squad, PayPal, eBay, Symantec, Best Buy, or LifeLock. The message contains purchase, payment, or subscription-related terms along with a phone number, soliciting victims to call for fraudulent support.
Canva design with suspicious embedded link
Detects when a Canva design contains links to suspicious domains or credential harvesting sites. The rule examines embedded scripts within Canva documents for suspicious URLs and analyzes link text for malicious intent.
Canva infrastructure abuse
Detects a fraudulent invoice/receipt in the body of a message sent by exploiting Canva's design sharing feature.
Catbox.moe link from untrusted source
Detects messages containing links to the catbox.moe file hosting service from senders that are either not in highly trusted domains or failed DMARC authentication.
ClickFunnels link infrastructure abuse
The email contains a ClickFunnels (mass mailing platform) tracking link but does not originate from ClickFunnels sending infrastructure. The myclickfunnels.com domain has been abused by threat actors in credential phishing attempts.
Cloud storage impersonation with credential theft indicators
Detects messages impersonating cloud storage services that contain hyperlinked images leading to free file hosts, where message screenshots reveal high-confidence credential theft language and storage-related urgency tactics.