EXPLORE DETECTIONS
Credential phishing: Re-Authentication lure
Contains suspicious links and server-related terminology, requesting email account reauthentication with language targeting recipient credentials.
Credential phishing: Suspicious e-sign agreement document notification
Detects phishing attempts disguised as e-signature requests, characterized by common document sharing phrases, unusual HTML padding, and suspicious link text.
Credential Phishing: Suspicious language, link, recipients and other indicators
The rule flags inbound messages that have no visible recipients, contain all-caps text, and include links from certain free hosts. It also checks for signs of credential theft using machine learning classifiers and requires that the message is from an untrusted sender.
Credential phishing: Suspicious subject with urgent financial request and link
This rule inspects messages with a suspicious subject, fewer than 5 links, and a relatively short body. Natural Language Understanding is used to identify the inclusion of a financial request, urgency, and an org entity from an unsolicited sender.
Credential phishing: Tax form impersonation with payment request
Detects messages impersonating tax-related communications that contain payment requests and PDF links, excluding legitimate tax service providers. The rule identifies tax terminology combined with payment solicitation language and PDF link references, which is a common pattern in tax season scams.
Credential Phishing: W-2 lure with inline SVG Windows logo
Detects inbound messages containing a link with W-2 display text and an inline SVG constructed from four colored rectangles approximating the Microsoft Windows logo. Threat actors use hand-crafted SVG elements rather than image attachments to bypass image-based detection and render a convincing Windows or Microsoft brand impersonation directly in the email body. The color matching uses fuzzy hex ranges to account for minor variations across campaigns.
Credential theft with 'safe content' deception and social engineering topics
Detects messages containing credential theft language combined with social engineering topics like secure messages, notifications, or authentication alerts. The rule specifically identifies emails that deceptively claim to be from a 'safe sender' or contain 'safe content' in the first line, which is a common tactic used to bypass security filters and gain user trust.
Credential theft: Gophish abuse with hidden tracking image
Detects messages containing hidden tracking images with display:none style and tracking parameters in the source URL, commonly used for user tracking and engagement monitoring.
Current event: CrowdStrike impersonation
Discovery rule for messages which are leveraging the CrowdStrike defect generated on Jul 19th 2024, which caused widespread outages.
Cutt.ly hosting link
The message contains a Cutt.ly link, which can be used to host malicious content.
CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG
Body HTML contains an exploit for CVE-2023-5631, a vulnerability in Roundcube Webmail that allows stored XSS via an HTML e-mail message with a crafted SVG document.
Cyrillic vowel substitution in subject or display name from unknown sender
This rule detects unsolicited messages containing a mix of Cyrillic and Latin characters in the subject or sender's name while excluding emails from Russian domains and specific Google Calendar notification bounce emails.
Cyrillic vowel substitutions with suspicious subject from unknown sender
This rule detects unsolicited messages with between 1 and 9 links that contain a suspicious subject as well as Cyrillic vowel substitutions detected in either the subject or the sender's display name.
Deceptive Dropbox mention
Detects when a message mentions Dropbox but comes from non-Dropbox infrastructure, contains links to suspicious domains, shows discrepancies in sender identity, and contains language patterns associated with credential theft.
Display name and subject impersonation using recipient SLD (new sender)
The recipient domain's SLD is used in the sender's display name and in the subject to impersonate the organization.
Display Name Emoji with Financial Symbols
Detects messages where the sender's display name contains emoji characters alongside financial symbols ($ £ € ¥ ₿) in the subject line. The sender's domain is not present in the Alexa top 1 million sites and has DMARC authentication issues.
Display name impersonation using recipient SLD
The recipient domain's SLD is used in the sender's display name in order to impersonate the organization.
Disposable sender email (unsolicited)
Sender is using a disposable email service and no one in our organization has ever sent them an email.
DocuSign impersonation via CloudHQ links
Identifies messages containing CloudHQ share links from senders outside the CloudHQ domain who are impersonating DocuSign in either the subject line or display name.
DocuSign impersonation via spoofed Intuit sender
Detects messages appearing to come from Intuit domains with authentication failures while masquerading as DocuSign communications. The sender fails either SPF or DMARC verification, and includes DocuSign branding in either the subject line or display name.
Domain impersonation: Freemail reply-to local lookalike with financial request
This technique takes advantage of the use of free email services for the reply-to address. By incorporating the sender domain in the local part of the reply-to address, the attacker creates a visually similar appearance to a legitimate email address.
EML attachment with credential theft language (unknown sender)
Identifies EML attachments that use credential theft language from unknown senders.
Employee impersonation with urgent request (untrusted sender)
Sender is using a display name that matches the display name of someone in your organization. Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.
Employee impersonation: Payroll fraud
This rule detects messages from unsolicited senders impersonating employees in an attempt to reroute payroll or alter payment details.