EXPLORE DETECTIONS
Generic service abuse from newly registered domain
Detects messages from services that write the true sender to the reply-to field, where the sender has no prior legitimate message history and is newly registered. Indicative of service abuse.
Google Accelerated Mobile Pages (AMP) abuse
This rule is designed to identify phishing attempts abusing Google AMP's URL structure for malicious activities. The rule aims to detect specific URL patterns, further analyzing both message content, as well as the destination of the link to distinguish between legitimate Google AMP pages and potential malicious usage.
Google Drive abuse: Credential phishing link
This rule detects legitimate Google Drive shares that link to files on Google Drive that host credential phishing content. The file is usually a PDF that impersonates a legitimate brand, with credential theft language, and a button or link to an external site that steals login credentials.
Google Drive direct download link from unsolicited sender
This rule detects Google Drive links that use the direct download URL pattern which automatically downloads files when clicked. This pattern is frequently used by threat actors to distribute malware. The links are formatted like: drive.google.com/uc?id=FILE_ID&export=download These links skip the preview page and immediately download the file to the user's device, which can be dangerous for recipients. Threat actors exploit this pattern to directly distribute malware while appearing to share legitimate content from a trusted service.
Google Notification alert link from non-Google sender
This rule detects messages that leverage a link to notifications.google.com not from google and from an untrusted sender. Commonly abused in salesforce phishing campaigns.
Google presentation open redirect phishing
Detects emails containing links to Google Document Presentations that either have a single page with a single external link, have been removed for Terms of Service violations, or have been deleted.
Google services using g.co shortlinks
Identifies messages from authenticated Google domains containing g.co shortened URLs with a subdomain in either the message body links or thread text.
Google share notification with suspicious comments
This detection rule matches on messages which contain suspicious language within the comments of a Google share notification. Suspicious content within the comments section of the notification is deemed as email abbreviations such as FW:, FWD:, and RE: or by containing words that reference a file share.
Hardbacon infrastructure abuse
Hardbacon is a defunct Canadian budgeting app. Attackers have been observed using their marketing platform to send credential phishing messages.
Headers: Fake in-reply-to with wildcard sender and missing thread context
Detects messages claiming to be replies with In-Reply-To headers but lacking previous thread context, sent from addresses containing multiple wildcard characters in the local part.
Headers: Invalid recipient domain with mismatched reply-to from new sender
Message sent to an invalid recipient domain with a reply-to address that differs from the sender address, originating from a new sender.
Headers: iOS/iPadOS mailer with invalid build number
Detects emails claiming to be sent from an iOS or iPadOS device that contain an invalid build number.
Headers: Outlook Express mailer
Detects emails claiming to be sent from Outlook Express, which is a legacy email client that is no longer supported or commonly used.
Headers: risky-recover-production message ID
Detects messages containing 'risky-recover-production' in the message ID header, which may indicate suspicious or malicious activity.
Headers: Self-sender using Microsoft CompAuth bypass with credential theft content
Detects messages sent to self or invalid domains containing credential theft content that bypass Microsoft's CompAuth while failing both SPF and DMARC authentication checks.
Headers: System account impersonation with empty sender address
Detects messages with an empty sender email address and a display name impersonating system accounts like mailer-daemon, postmaster, or administrator, but lacking legitimate bounce back content as determined by natural language processing.
Headers: X-Source-Auth mismatch with mismatched reply-to domain
Detects messages where the X-Source-Auth header value doesn't match the sender's email address and the reply-to domain differs from the sender's domain, indicating potential sender spoofing or impersonation.
Headers: Zimbra mailer from a non-supported OS version
Detects Zimbra originated emails sent from non-supported Windows versions. Observed in widespread HTML credential phishing campaigns.
Honorific greeting BEC attempt with sender and reply-to mismatch
Detects generic BEC/Fraud scams by analyzing text within the email body from mismatched senders with other suspicious indicators.
HoxHunt phishing simulation
Identifies phishing simulations sent by HoxHunt and excludes the message from live analysis.
HR impersonation via e-sign agreement comment
This rule inspects messages originating from legitimate e-signature platform infrastructure, with engaging language in the body that matches HR Impersonation criteria.
HTML smuggling containing recipient email address
HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address.
HTML smuggling with atob in message body
Detects if the email body HTML contains the document write or insertAdjacentHTML method and atob function call. This technique has been observed leading to credential phishing.
HTML: Bidirectional (BIDI) HTML override with right to left obfuscation
Body HTML contains multiple instances of right-to-left (RTL) text direction override markup, which can be used to visually manipulate text display and potentially bypass common strings checks.