EXPLORE DETECTIONS
Cofense PhishMe phishing simulation
Identifies phishing simulations sent by Cofense PhishMe and excludes the message from live analysis.
Commonly abused sender TLD with engaging language
Message is from a commonly abused sender TLD, contains various suspicious indicators resembling credential theft, and is unsolicited.
Compensation review with QR code in attached EML
Detects inbound messages that contain compensation-related terms (salary, bonus, merit, etc.) combined with review/change language and that include EML attachments containing QR codes or barcodes in scanned documents.
Constant Contact link infrastructure abuse
Email contains a Constant Contact (mass mailing platform) tracking link but does not originate from Constant Contact sending infrastructure. The rs6.net domain has been abused by threat actors to attempt credential phishing.
COVID-19 themed fraud with sender and reply-to mismatch or compensation award
Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance, compensation, or awards from mismatched senders and other suspicious language.
Credential phishing content and link (untrusted sender)
Message contains credential theft language and a link to a credential phishing page from an unknown sender. We use Link Analysis in aggressive mode to increase our chances of scanning.
Credential phishing language and suspicious indicators (unknown sender)
Message contains various suspicious indicators as well as engaging language resembling credential theft from an unknown sender.
Credential phishing link (unknown sender)
Message contains a link to a credential phishing page from an unknown sender.
Credential Phishing via Dropbox comment abuse
This rule detects Credential Phishing attacks exploiting familiar brands via Dropbox comments. These attacks originate from legitimate Dropbox infrastructure and attempt to pivot to external freemail addresses.
Credential phishing: 'Secure message' and engaging language
Body contains language resembling credential theft and a "secure message" lure, from an untrusted sender.
Credential phishing: Blue button styled link with file-sharing template artifacts
Detects inbound messages containing styled blue button links commonly associated with generic file-sharing phishing templates, where the link does not point to legitimate Outlook domains.
Credential phishing: DocuSign embedded image lure with no DocuSign domains in links
Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo embedded in the body of the message, from a new sender.
Credential phishing: Email delivery failure impersonation
Detects phishing emails impersonating email system notifications claiming delivery failures, rejected messages, or email system issues requiring user action to 'fix' or 'recover' email functionality. These attacks typically claim incoming emails couldn't be delivered and direct users to malicious portals to harvest credentials.
Credential phishing: Engaging language and other indicators (untrusted sender)
Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender.
Credential phishing: Engaging language with IPFS link
Body contains credential theft indicators, and contains a link to an IPFS site. IPFS has been recently observed hosting phishing sites.
Credential phishing: Fake card notification with tracking lure
Detects inbound messages using fake credit card delivery or approval themes with credential theft intent. Messages contain card-related language paired with delivery or status indicators, and tracking call-to-action links.
Credential phishing: Fake password expiration from new and unsolicited sender
This rule looks for password expiration verbiage in the subject and body. It requires between 1 and 9 links, a short body, and NLU in addition to statically specified term anchors. High-trust senders are excluded.
Credential phishing: Fake storage alerts (unsolicited)
This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.
Credential phishing: Financial lure via ActiveCampaign infrastructure
Detects inbound phishing messages sent via ActiveCampaign using identifiable infrastructure fingerprints and hidden boilerplate text. Covers a wide range of lure themes including credit cards, loans, deposits, account updates, and vague document or verification prompts. Requires NLU Financial Communications topic classification.
Credential phishing: Generic document share template
Detects messages that incorporate recipient-specific information (email domain, local part, or domain elements) alongside document-themed Unicode symbols and keywords. The rule identifies various targeting patterns, including greeting-based personalization, attention-grabbing prefixes, and multiple recipient elements. It also catches broken template attacks where recipient placeholders remain visible.
Credential phishing: Generic document sharing
Detects credential phishing attempts using generic document sharing language where the sender claims to have sent a document for review, but the link doesn't point to legitimate file sharing services.
Credential phishing: Hyper-linked image leading to free file host
This rule detects messages with short or null bodies, where all attachments are images and the image hyperlinks to a free_file_host, from an unsolicited and untrusted sender.
Credential phishing: Image as content, short or no body contents
This rule identifies incoming messages with minimal links, where all attachments are images and the body is either empty, brief, or consists only of a warning banner/disclaimer. It also checks for truncated PNG images or logos, in addition to high-confidence credential theft intent.
Credential phishing: Onedrive impersonation
This rule detects messages impersonating Microsoft's OneDrive service with medium-to-high credential theft language in the current thread. The subject is inspected for OneDrive language, with additional checks for free_subdomain hosted links, additional suspicious subject language, or suspicious display text language.