EXPLORE DETECTIONS
Link abuse: Self-service creation platform link with suspicious recipient behavior
Detects messages from new freemail senders containing links to self-service creation platforms with all-caps display text, combined with suspicious recipient patterns such as invalid recipients, self-sending, or unusual CC/BCC configurations.
Link to a domain with punycode characters
The body contains a link to a domain with Punycode characters to hide the true URL destination, or contains non-printable ASCII content.
Link to auto-download of a suspicious file type (unsolicited)
A link in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA. Recursively explodes auto-downloaded files within archives to detect these file types. This rule also catches direct Google Drive download links (drive.google.com/uc?export=download) that automatically download archive files, as these are frequently abused by threat actors to distribute malware. This technique has been used by known threat actors in the wild.
Link to auto-downloaded disk image in encrypted zip
A link in the body of the email downloads an encrypted zip that contains a disk image of the format IMG, ISO or VHD. This is a combination of file types used to deliver Qakbot.
Link to auto-downloaded DMG in archive
A link in the body of the message downloads an archive containing a DMG file. The message is not from a common or trusted sender and is unsolicited.
Link to auto-downloaded DMG in encrypted zip
A link in the body of the message downloads an encrypted zip that contains a DMG file. This technique has been observed in the wild (ITW) to deliver Meta Stealer, Atomic Stealer, and other macOS malware. Notably, in some instances, the attacker poses as a recruiter and initiates a back-and-forth conversation with the recipient.
Link to auto-downloaded file with Adobe branding
A link in the body of the email downloads a file from a site that uses Adobe branding as employed by threat actors, such as Qakbot.
Link to auto-downloaded file with Google Drive branding
A link in the body of the email downloads a file from a site that uses Google Drive branding as employed by threat actors, such as Qakbot.
Link to Google Apps Script macro (unsolicited)
Message contains a Google Apps Script macro link. App Scripts can run arbitrary code, including redirecting the user to a malicious web page.
Link to Google Apps Script macro via comment tagging
Message contains a Google Apps Script macro link invoked from a comment on Google Slides or Google Docs. App Scripts can run arbitrary code, including redirecting the user to a malicious web page.
Link: .onion From Unsolicited Sender
Detects messages containing .onion (Tor network) links from unsolicited senders that either lack proper DMARC authentication or are not from trusted domains.
Link: /index.php enclosed in three asterisks
Detects messages containing a specific pattern of triple asterisks surrounding HTTP links that point to PHP index pages with query parameters, indicating potential malicious behavior. This specific pattern has been observed within messages leading to FakeAV/Tech Support scams.
Link: 9WOLF phishkit initial landing URI
Detects links containing the '?ai=xd' query parameter associated with 9wolf phishing service initial landing pages.
Link: Abused Adobe Express
The detection rule matches on message groups which make use of Adobe Express as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts or URL shorteners, or which, when visited, are phishing pages, lead to a captcha, or redirect to a top website.
Link: Adobe share from unsolicited sender
This attack surface reduction rule matches on messages from Adobe which were sent by an email address (as determined by the sender display name) which doesn't appear to have a relationship with the recipient organization.
Link: Adobe share with suspicious indicators
The detection rule matches messages sent from Adobe that contain indicators of malicious use. The indicators include observed call-to-action phrases, suspicious filenames, all-capital filenames, the sender's display name (as determined by NLU) included in the comment section, or Microsoft branding on the shared link.
Link: Apple App Store link to apps impersonating AI advertising
Detects messages containing links to Apple App Store apps that impersonate popular AI services (OpenAI, ChatGPT, Meta, Gemini) and are categorized as advertising or management tools offered for free.
Link: Apple App Store malicious ad manager themed apps from free email provider
Detects messages containing Apple App Store links sent from free email providers, indicating potential abuse of legitimate Apple services to host malicious ad manager themed applications.
Link: Apple TestFlight from suspicious sender
Detects messages containing Apple TestFlight links from free email providers or suspicious senders with no prior benign communication history.
Link: Base64 encoded recipient address in URL fragment with hex subdomain
Detects links containing a 40-character hexadecimal subdomain with the recipient's email address base64 encoded in the URL fragment, a technique used to personalize malicious links and evade detection.
Link: Base64 encoded recipient address in URL fragment with subject hash
Detects messages containing an alphanumeric string that is between 32 and 64 characters in the subject line that corresponds to a URL fragment containing the recipient's email address encoded in base64. This technique is commonly used to personalize malicious links and evade detection by embedding the target's email address within the URL structure.
Link: Blogspot hosting explicit romance content
Detects inbound messages containing links to Blogspot domains that host explicit romance content, identified through natural language processing of the message body.
Link: Breely link masquerading as PDF
Detects messages containing a single Breely link that displays as a PDF file. Such links typically redirect to a different destination for malicious purposes.
Link: chatbot.page platform abuse
Detects abuse of chatbot.page where configurations suggest malicious intent, including incomplete contact information, free-tier usage, and suspicious question content.