EXPLORE DETECTIONS

986 detections found

Link: Common hidden directory observed

Links in the message point to sensitive system directories such as .git, .env, or .well-known that could expose confidential configuration data or system files. Actors often abuse these directories to hide credential phishing landing pages on compromised sites.

T1566, T1566.001, T1566.002, T1598, T1036, +1
Sublime, medium

Link: Commonly Abused Web Service redirecting to ZIP file

Detects messages containing links from URL shorteners, free file hosts, or suspicious domains that redirect to ZIP file downloads, potentially indicating malware distribution.

T1566.001, T1204.002, T1486, T1036, T1027
Sublime, medium

Link: Credential phishing link with undisclosed recipients

This rule detects messages with "Undisclosed Recipients" that contain a link to a credential phishing page.

T1566, T1566.001, T1566.002, T1598, T1036, +1
Sublime, medium

Link: Credential phishing traversing Russian infrastructure

This rule detects credential phishing attempts in emails traversing Russian TLDs by aggressively analyzing links for signs of phishing, including suspicious keywords, login prompts, or links flagged for credential theft, excluding emails from trusted domains unless they fail DMARC verification.

T1566, T1566.001, T1566.002, T1598
Sublime, high

Link: Credential phishing via WordPress

Detects when non-WordPress senders link to suspended or malicious WordPress blog sites, commonly used to redirect users to credential harvesting pages.

T1566, T1566.001, T1566.002, T1598
Sublime, high

Link: Credential theft with invisible Unicode character in page title from unsolicited sender

Detects messages containing credential theft language and links to pages with invisible Unicode characters in the title tag, a technique commonly used to evade detection in fraudulent pages.

T1566, T1566.001, T1566.002, T1598, T1036, +1
Sublime, high

Link: Cryptocurrency fraud with suspicious links

Detects messages containing financial communications about cryptocurrency or bitcoin with links to suspicious domains, URL shorteners, newly registered domains, or domains with known cryptocurrency fraud indicators. The rule analyzes link behavior including redirects, specific abuse patterns, and JavaScript configurations commonly used in cryptocurrency scams. Excludes legitimate cryptocurrency platforms with proper authentication.

T1566.002, T1534, T1656, T1566, T1598, +3
Sublime, high

Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability

This rule detects messages containing links exploiting CVE-2024-21413, which can lead to RCE. Successful exploitation can bypass built-in Outlook protections for malicious links embedded in messages by using the file:// protocol and an exclamation mark in URLs pointing to attacker-controlled servers.

T1566.001, T1204.002, T1486, T1036, T1027, +2
Sublime, critical

Link: Direct download of executable file

Detects messages containing links that directly download executable (.exe) files, with a limited number of distinct links that are either unrelated to the sender's domain or not in the top 10k most popular websites.

T1566.001, T1204.002, T1486, T1036, T1027
Sublime, low

Link: Direct link to gamma.app document with mode parameter

Detects URLs linking to Gamma App presentation or document mode, which has been used to host malicious content due to its trusted domain status and presentation capabilities.

T1566, T1566.001, T1566.002, T1598, T1204.002, +3
Sublime, medium

Link: Direct link to keap.app contact-us page

Detects URLs linking to Keap App contact-us pages, which have been used to host malicious content due to the domain's trusted status and product capabilities.

T1566, T1566.001, T1566.002, T1598, T1204.002, +3
Sublime, medium

Link: Direct link to limewire hosted file

Message contains exactly one link to limewire.com domain with fewer than 10 total links in the body.

T1566.001, T1204.002, T1486
Sublime, high

Link: Direct link to riddle.com hosted showcase

Message contains a single link to a Riddle.com hosted showcase, which has been observed being abused for credential phishing landing pages.

T1566, T1566.001, T1566.002, T1598
Sublime, medium

Link: Direct link to Zoom Docs from non-Zoom sender

Message includes a single link to Zoom Docs, with no other links to Zoom, and originates from a sender outside the Zoom organization.

T1566, T1566.001, T1566.002, T1598, T1598.003
Sublime, medium

Link: Direct MSI download from low reputation domain

Detects messages containing links that directly download MSI files from domains not in the top 10k trusted sites and unrelated to the sender's domain.

T1566.001, T1204.002, T1486, T1036, T1027
Sublime, low

Link: Direct POWR.io Form Builder with suspicious patterns

Detects POWR.io forms with suspicious characteristics including unverified creators, cross-domain redirects, suspended accounts, or form owners from African time zones that don't match sender domains.

T1566, T1566.001, T1566.002, T1598, T1566.003
Sublime, medium

Link: Display text matches subject line

Message with short body text contains a single link where the display text matches the subject line. The link is deceptive and the recipient patterns are unusual, such as the recipient's address appearing in the body or undisclosed recipients being used.

T1566.002, T1534, T1656, T1566, T1566.001, +3
Sublime, medium

Link: Display text with excessive right-to-left mark characters

Detects links where the display text contains a high concentration of Unicode right-to-left mark characters (U+200F), which may be used to obfuscate or manipulate the visual representation of the link text to deceive recipients.

T1566, T1566.001, T1566.002, T1598, T1036, +1
Sublime, low

Link: Excessive URL rewrite encoders

Detects URLs with many (excessive) encoding patterns, including multiple instances of the same encoder or four or more distinct encoders. These techniques are commonly used to obfuscate malicious URLs and evade security filters.

T1566, T1566.001, T1566.002, T1598, T1204.002, +4
Sublime, high

Link: Executable file download with suspicious message content

Detects inbound messages containing links to executable files combined with high-confidence security, financial, or credential theft content indicators, while excluding legitimate trusted domains with proper DMARC authentication.

T1566, T1566.001, T1566.002, T1598, T1204.002, +3
Sublime, high

Link: Figma design deck with credential theft language

A single link to a Figma design deck that contains credential theft language. The message comes from either a new sender, one with previously detected malicious activity, or a known sender who has not been in contact for over 30 days and has no history of benign messages.

T1566, T1566.001, T1566.002, T1598, T1036, +1
Sublime, medium

Link: File sharing impersonation with suspicious language and sending patterns

Detects messages containing file sharing and cloud services topics combined with BEC or credential theft language, featuring links with document-related display text that lead to low-reputation domains outside the sender's domain and organization.

T1566.002, T1534, T1656, T1566, T1566.001, +2
Sublime, medium

Link: File sharing pretext with suspicious body and link

Detects messages containing file sharing pretext with a single link to self-service creation platforms or URL shorteners, where the link display text matches the email subject and points to suspicious domains.

T1566, T1566.001, T1566.002, T1598, T1036, +1
Sublime, medium

Link: Financial account issue with suspicious indicators

Detects messages to single recipients containing language about account or payment issues combined with suspicious links or high-confidence credential theft indicators related to financial communications.

T1566, T1566.001, T1566.002, T1598
Sublime, medium

Page 24 of 42