EXPLORE DETECTIONS
Huntress phishing simulation
Identifies phishing simulations sent by Huntress and excludes the message from live analysis.
Image as content with a link to an open redirect (unsolicited)
Body contains little, no, or only disclaimer text, an image, and a link to an open redirect.
Impersonation using recipient domain (untrusted sender)
The recipient's domain is used in the sender's display name in order to impersonate the organization. The impersonation has been observed to use both the recipient's full email address, as well as just the domain.
Impersonation: Chrome Web Store policy
Detects messages impersonating Chrome Web Store policy communications, including fake extension security alerts and policy acceptance requests. Matches messages that use observed domains and the specific HTML formatting patterns typical of this impersonation.
Impersonation: DMARC failure with high confidence credential theft intent
Detects messages that fail DMARC and show high-confidence credential theft intent.
Impersonation: Executive using numbered local part
Detects messages from free email providers where the sender's email address uses a pattern commonly associated with executive impersonation, containing 'chair' or 'ceo' followed by numbers in the local part.
Impersonation: Fake Gmail attachment
Detects fake Gmail attachments by inspecting the message body for elements found within Gmail's user interface for attachments. In expected use, these elements only appear within the Gmail web UI and not within the body of a message. Their presence within a message indicates a fake attachment.
Impersonation: Human Resources with link or attachment and engaging language
Detects messages from an untrusted sender that impersonate HR and contain at least one link or one attachment together with engaging language in the body.
Impersonation: Internal corporate services
Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains.
Impersonation: Legal firm with copyright infringement notice
Detects messages impersonating legal firms or copyright enforcement entities with extensive legal terminology, threatening language, and urgent compliance demands.
Impersonation: Recipient organization in sender display name with credential theft image
Sender display name contains the recipient's organization domain while the actual email address differs. Message includes a single image attachment with OCR-detected credential theft language referencing the recipient's domain, and has no body text.
Impersonation: Recipient SLD in sender's email address local part
The sender's email address local part contains the recipient's SLD, the sender's domain is not a known org domain, and the sender is untrusted.
Impersonation: Salesforce fake campaign failure notification
Detects messages impersonating Salesforce with urgent language about failed or cancelled campaigns, containing external links from first-time senders outside legitimate Salesforce domains.
Impersonation: SharePoint reply header anomaly
Detects messages with SharePoint reply headers that lack standard reply characteristics and contain inconsistencies in thread elements and recipient patterns.
Impersonation: Social Security Administration (SSA)
Detects messages impersonating the Social Security Administration (SSA) that contain links, a suspicious indicator, and are sent from non-government domains by unsolicited or suspicious senders.
Impersonation: Suspected supplier impersonation with suspicious content
This rule detects supplier impersonation by checking for: linked domains similar to the sender's domain, non-freemail senders using freemail infrastructure, sender domains less than 90 days old, unsolicited communication or no prior interaction with the reply-to address, and a suspicious body.
Inbound message from popular service via newly observed distribution list
Detects when a message comes through a distribution list by matching on return paths containing Sender Rewrite Scheme (SRS) from a previously unknown domain sender to a single recipient who has never interacted with the organization. This method has been observed being abused by threat actors to deliver callback phishing.
Inline image as message with attachment or link
Using inline images in lieu of HTML or text content in the message is a known technique used to bypass content-based scanning engines. We've observed this technique used to deliver malware via attachments and to phish credentials.
Invoice from freemail sender (unsolicited)
An invoice from a freemail sender your organization has never sent an email to before.
Invoicera infrastructure abuse
This rule is tailored to flag infrastructural abuse involving Invoicera, a SaaS-based invoicing and billing platform, which has been identified as a tool in widespread spam and credential phishing campaigns.
Issuu document with suspicious embedded link
Detects when an Issuu document contains suspicious links or text, where the document is set to open in full screen mode. The rule analyzes both embedded links and document content for malicious indicators, particularly focusing on suspicious top-level domains and language patterns.
Job scam (unsolicited sender)
Detects job scam attempts by analyzing the message body text from an unsolicited sender.
Job scam with specific salary pattern
Detects job scam content that includes specific weekly salary mentions (e.g., '$XXX weekly' patterns) in either the current email thread or previous thread conversations, while excluding legitimate income verification services.
KnowBe4 phishing simulation
Identifies phishing simulations sent by KnowBe4 and excludes the message from live analysis.