EXPLORE DETECTIONS
Link: Base64 encoded recipient address in URL fragment with hex subdomain
Detects links containing a 40-character hexadecimal subdomain with the recipient's email address base64 encoded in the URL fragment, a technique used to personalize malicious links and evade detection.
Link: Base64 encoded recipient address in URL fragment with subject hash
Detects messages containing a 32- to 64-character alphanumeric string in the subject line that corresponds to a URL fragment containing the recipient's email address encoded in base64. This technique is commonly used to personalize malicious links and evade detection by embedding the target's email address within the URL structure.
Link: BEC with newly registered domains and financial keywords
Detects Business Email Compromise attacks containing links to newly registered domains (less than 60 days old) with invoice-related language and engaging action words. The message includes financial or payment terminology and prompts the recipient to take action through suspicious links. Uses natural language processing to identify credential theft or BEC intent while filtering out benign communications.
Link: Blogspot hosting explicit romance content
Detects inbound messages containing links to Blogspot domains that host explicit romance content, identified through natural language processing of the message body.
Link: Breely link masquerading as PDF
Detects messages containing a single Breely link that displays as a PDF file. The link typically redirects to a different destination for malicious purposes.
Link: chatbot.page platform abuse
Detects abuse of chatbot.page where configurations suggest malicious intent, including incomplete contact information, free-tier usage, and suspicious question content.
Link: Common hidden directory observed
Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors often abuse these directories to hide credential phishing landing pages on compromised sites.
Link: Commonly Abused Web Service redirecting to ZIP file
Detects messages containing links from URL shorteners, free file hosts, or suspicious domains that redirect to ZIP file downloads, potentially indicating malware distribution.
Link: Credential harvesting with excess padding evasion
Detects inbound messages containing credential-related action links with tall screenshot images and HTML padding techniques used to evade detection. The rule identifies messages with excessive empty div tags, non-breaking spaces, or large margin-top values that artificially increase content height while hiding malicious intent.
Link: Credential phishing link with undisclosed recipients
This rule detects messages with "Undisclosed Recipients" that contain a link to a credential phishing page.
Link: Credential phishing traversing Russian infrastructure
This rule detects credential phishing attempts in emails traversing Russian TLDs by aggressively analyzing links for signs of phishing, including suspicious keywords, login prompts, or links flagged for credential theft, excluding emails from trusted domains unless they fail DMARC verification.
Link: Credential phishing via WordPress
Detects when non-WordPress senders link to suspended or malicious WordPress blog sites, commonly used to redirect users to credential harvesting pages.
Link: Credential theft with invisible Unicode character in page title from unsolicited sender
Detects messages containing credential theft language and links to pages with invisible Unicode characters in the title tag, a technique commonly used to evade detection in fraudulent pages.
Link: Cryptocurrency fraud with suspicious links
Detects messages containing financial communications about cryptocurrency or bitcoin with links to suspicious domains, URL shorteners, newly registered domains, or domains with known cryptocurrency fraud indicators. The rule analyzes link behavior including redirects, specific abuse patterns, and JavaScript configurations commonly used in cryptocurrency scams. Excludes legitimate cryptocurrency platforms with proper authentication.
Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability
This rule detects messages containing links exploiting CVE-2024-21413, which can lead to RCE. Successful exploitation can bypass built-in Outlook protections for malicious links embedded in messages by using the file:// protocol together with an exclamation mark in URLs pointing to attacker-controlled servers.
Link: Direct download of executable file
Detects messages containing links that directly download executable (.exe) files, with a limited number of distinct links that are either unrelated to the sender's domain or not in the top 10k most popular websites.
Link: Direct link to gamma.app document with mode parameter
Detects URLs linking to Gamma App presentation or document mode, which has been used to host malicious content due to its trusted domain status and presentation capabilities.
Link: Direct link to keap.app contact-us page
Detects URLs linking to Keap App contact-us pages, which have been used to host malicious content due to the domain's trusted status and product capabilities.
Link: Direct link to limewire hosted file
Message contains exactly one link to the limewire.com domain, with fewer than 10 total links in the body.
Link: Direct link to riddle.com hosted showcase
Message contains a single link to a Riddle.com hosted showcase, which has been observed being abused for credential phishing landing pages.
Link: Direct link to Zoom Docs from non-Zoom sender
Message includes a single link to Zoom Docs, with no other links to Zoom, and originates from a sender outside the Zoom organization.
Link: Direct MSI download from low reputation domain
Detects messages containing links that directly download MSI files from domains not in the top 10k trusted sites and unrelated to the sender's domain.
Link: Direct POWR.io Form Builder with suspicious patterns
Detects POWR.io forms with suspicious characteristics including unverified creators, cross-domain redirects, suspended accounts, or form owners from African time zones that don't match sender domains.
Link: Display text matches subject line
Message with short body text contains a single link where the display text matches the subject line. The link is deceptive and the recipient patterns are unusual, such as the recipient's address appearing in the body or undisclosed recipients being used.