EXPLORE DETECTIONS
Link: Flagged bit.ly link
Shortened link is blocked or gated by bit.ly. Indicator of malicious email.
Link: Free file host from freemail sender with NLU intent
Detects free file host links sent by freemail senders with a short body and NLU indicators.
Link: Free file hosting with undisclosed recipients
Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms.
Link: Free subdomain host with undisclosed recipients
Detects messages with undisclosed recipients that contain links to free subdomain hosts.
Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender
Attackers invite users to view a Google Calendar whose name contains a suspicious link, generally linking to spam content such as crypto giveaways, using open redirects to mask the true destination.
Link: Google Drawings link from new sender
Detects messages containing Google Drawings links from previously unseen senders, which may indicate abuse of Google's drawing service for malicious content delivery.
Link: Google Firebase dynamic link that redirects to new domain (<7 days old)
An attacker may use Google's Firebase Dynamic Links to redirect a user to a malicious site. This rule identifies Firebase Dynamic Links where the destination domain is less than a week old.
Link: Google Forms link with credential theft language
Detects messages containing Google Forms links paired with credential theft language from new senders. This technique abuses Google's trusted domain to host malicious forms designed to steal user credentials.
Link: Google Translate (unsolicited)
Attackers have used the Google Translate service to deliver links to malicious sites repackaged with a translate.goog top-level domain. This rule identifies instances of Google Translate links from unsolicited senders.
Link: GoPhish query param values
Detects links containing a 7-character alphanumeric 'rid' (default) query parameter, or any other variant identified, commonly used in tracking and targeting systems for malicious purposes.
Link: Hotel booking spoofed display URL
Detects messages containing links with hotel-related display URLs that either redirect to different domains or contain suspicious parameters commonly used in booking scams and fraudulent hotel reservation schemes.
Link: HR impersonation with suspicious domain indicators and credential theft
Detects messages impersonating HR departments containing many links with malformed domains, suspicious TLD patterns, and credential theft language detected through URL analysis.
Link: HTML file with suspicious binary fragment ending pattern
Detects links to HTML files containing fragments with a suspicious pattern of alphanumeric characters followed by a 5-digit binary sequence, commonly used in malicious URL structures.
Link: Intuit link abuse with file share context
Detects messages linking to Intuit notification domains from non-Intuit senders, combined with credential harvesting language and file sharing themes.
Link: Invoice or receipt from freemail sender with customer service number
An email from a freemail sender which instructs the recipient to call a fraudulent customer service number.
Link: IPFS
Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites.
Link: IPv4-mapped IPv6 address obfuscation
Detects links containing IPv4-mapped IPv6 addresses in the format [::ffff:xxxx:xxxx], commonly used to obfuscate malicious URLs and evade detection systems.
Link: JavaScript obfuscation with Telegram bot integration
Detects links containing obfuscated JavaScript code with embedded Telegram bot tokens or API references, indicating potential data exfiltration or command and control infrastructure.
Link: Jensi file preview link from unsolicited sender
This detection rule matches on messages containing at least one link to app.jensi.io from an unsolicited sender. Jensi provides a free trial enabling users to create and upload documents and preview PDFs within the browser as native HTML. This service has been abused by threat actors to host landing pages directing victims to a next stage of credential phishing.
Link: Job recruitment lure from unsolicited sender with suspicious hosting
Message contains job recruitment language with links to suspicious hosting services including free file hosts, subdomain hosts, or URL shorteners from an unsolicited sender.
Link: Landing page with search-ms protocol redirect
Detects messages containing URL shortener links that redirect to search-ms protocol queries, which can be used to execute local file searches on Windows systems.
Link: Mamba 2FA phishing kit
Detects links containing base64-encoded parameters characteristic of the Mamba 2FA phishing kit, specifically looking for 'sv=o365' and '&uid=USER' patterns in redirect history.
Link: Microsoft device code authentication with suspicious indicators
Detects messages containing links with Microsoft device code authentication patterns, including verification prompts, copy code instructions, and suspicious API endpoints or antibot tokens commonly used in device code takeover attacks.
Link: Microsoft Dynamics 365 form phishing
Email body is suspicious, and links to a Microsoft Dynamics form. Known phishing tactic.