EXPLORE DETECTIONS
Encrypted Microsoft Office files from untrusted sender
Detects encrypted Microsoft Office document attachments (Word, Excel, PowerPoint, Access) from untrusted senders or high-trust senders failing DMARC authentication, which may indicate an effort to bypass security scanning.
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender
Detects sextortion attempts leveraging breach data, including names, addresses, phone numbers and frequently using Google Maps/Bing Maps streetview images to bolster confidence and fear.
Extortion / sextortion (untrusted sender)
Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.
Extortion / sextortion in attachment from untrusted sender
Detects extortion and sextortion attempts by analyzing attachment text from an untrusted sender.
Fable Security phishing simulation
Identifies phishing simulations sent by Fable and excludes the message from live analysis.
Fake email quarantine notification
Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages.
Fake message thread - Untrusted sender with a mismatched freemail reply-to address
Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility. This is typically used in conjunction with a reply-to address that is not the same as the sender address.
Fake message thread with a suspicious link and engaging language from an unknown sender
Detects fake message threads with suspicious links and financial request language.
Fake request for tax preparation
Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576.
Fake scan-to-email message
Message resembles an email from a scan-to-email service or device, but does not contain any attachments, instead linking to an unknown domain.
Fake shipping notification with link to free file hosting
This rule detects spam emails impersonating FedEx, UPS, or USPS with links to free file hosting.
Fake shipping notification with suspicious language
Body contains keywords for shipping, contains suspicious language, and addresses the recipient by their email, which is an indicator of phishing and/or spam.
Fake thread with suspicious indicators
Fake thread contains suspicious indicators, which can lead to BEC, credential phishing, and other undesirable outcomes.
Fake voicemail notification (untrusted sender)
This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve. The rule looks for voicemail verbiage in the display name, body, subject or a combination of those elements with emojis or a medium to high credential theft NLU intent from a first-time and unsolicited sender.
Fake warning banner using confusable characters
Detects messages containing fake security banners that use visually similar characters to impersonate legitimate sender verification text, potentially to bypass security controls and deceive recipients.
Fake Zoho Sign template abuse
This rule captures credential phishing attempts abusing the Zoho Sign template. The rule looks for artifacts of the hijacked Zoho link and other template constructs.
Fake Zoom meeting invite with suspicious link
Detects messages impersonating Zoom meetings that contain suspicious links not hosted on legitimate Zoom domains, with recipients hidden as 'Undisclosed recipients' or missing entirely. The rule identifies Zoom-related language while excluding legitimate Zoom communications and meeting summaries.
File sharing link from suspicious sender domain
A file sharing link in the body sent from a suspicious sender domain.
File sharing link with a suspicious subject
A file sharing link in the body with a common BEC subject. This rule could be expanded to include additional BEC subjects.
Firebase storage link
The message contains a Firebase storage link, which can be used to host malicious content.
Fleek.co storage link
The message contains a Fleek.co storage link, which can be used to host malicious content.
Fraudulent e-commerce operators
This attacker group engages in fraudulent activity by registering lookalike domains through Namecheap, often mimicking well-known brands by appending terms like LLC, LTD, Inc, or Corp. Their tactics involve sending fraudulent quote requests via Namecheap's private email service, followed by attempts to purchase goods on credit. These goods are routed through freight forwarders, typically bound for Western Africa. With increasing scrutiny on cash transactions to high-risk regions, they have shifted focus to acquiring goods. It is crucial to thoroughly validate any flagged messages and verify credit information before releasing products to these entities.
Fraudulent order confirmation/shipping notification from Chinese sender domain
Detects an order confirmation/shipping notification from a suspicious sender domain based in China. The order may be legitimately placed by the user, but the store is fraudulent and it is unlikely that their order will arrive. Links to these e-commerce sites have been observed in online advertising. We recommend enabling a custom warning banner to alert users and prompt them to contact their bank to recover their funds.
Free email provider sender with mismatched provider reply-to
Detects when a sender using a free email provider includes a reply-to address from a different free email provider, which is a common social engineering tactic.