EXPLORE DETECTIONS
Link: Microsoft impersonation using hosted png with suspicious link
Detects messages with a link to a Microsoft hosted logo where the sender's display name and the display text of a link in the body are in all caps, and a request is being made from a first-time sender.
Link: Microsoft protected message with matching sender and recipient addresses
Detects when a user receives a protected message (RPMSG) with the to and from headers matching.
Link: Mixed case HTTPS protocol
Detects messages containing links with mixed case 'hTTPs' protocol, a technique used to evade detection filters.
Link: Multiple HTTP protocols in single URL
Detects messages containing links with 5 or more HTTP protocol declarations within a single URL, indicating potential URL manipulation or obfuscation techniques.
Link: Multistage landing - Abused Adobe Acrobat hosted PDF
Detects an inbound message containing an Adobe Acrobat link that leads to a single-page PDF document with suspicious indicators, including minimal text, brand logos, and document viewer language. The sender is not from Adobe.com and the message is not a reply.
Link: Multistage landing - Abused Adobe frame.io
The detection rule matches on message groups which make use of Adobe's frame.io as a landing page. The landing page contains links that are newly registered, use free file or subdomain hosts or URL shorteners, or, when visited, are phishing pages, lead to a captcha, or redirect to a well-known domain, as seen in evasion tactics.
Link: Multistage Landing - Abused Buildin.ai
Analyzes shared content links from buildin.ai domain that contain credential harvesting language with medium to high confidence in the display text.
Link: Multistage landing - Abused Docusign
The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links that are newly registered, use free file or subdomain hosts or URL shorteners, or, when visited, are phishing pages, lead to a captcha, or redirect to a top website.
Link: Multistage landing - Abused Google Drive
The detection rule matches on message groups which make use of Google Drive as a landing page. The landing page contains links that are newly registered, use free file or subdomain hosts or URL shorteners, or, when visited, are phishing pages, lead to a captcha, or redirect to a common website.
Link: Multistage landing - ClickUp abuse
Detects ClickUp documents that contain external links to suspicious domains including new domains, free file hosts, URL shorteners, or links that redirect to phishing pages or contain captchas.
Link: Multistage landing - FreshDesk knowledge base abuse
Detects messages containing links to Freshdesk support solution pages that redirect to external domains with credential theft language, excluding legitimate Freshworks domains and organizational domains.
Link: Multistage landing - JotForm abuse
Detects a disabled JotForm that contains suspicious elements like secured document messaging, cloned forms, or suspicious action words in form items. Also checks for human verification pages and embedded links to credential collection sites.
Link: Multistage landing - Ludus presentation
Detects when a standalone Ludus document link contains embedded links that are suspicious, particularly those targeting Microsoft services through various evasion techniques. The rule analyzes both the presentation content and linked destinations for suspicious patterns and redirects.
Link: Multistage landing - Microsoft Forms abuse
The detection rule matches on message groups which make use of Microsoft Forms as a landing page. The landing page contains links that are newly registered, use free file or subdomain hosts or URL shorteners, or, when visited, are phishing pages, lead to a captcha, or redirect to a top website.
Link: Multistage landing - Published Google Doc
A Google Docs document contains suspicious text and links that redirect to either newly registered domains, free subdomain hosts, URL shorteners, or domains with suspicious TLDs.
Link: Multistage landing - Scribd document
Detects when a Scribd document contains embedded links that are suspicious, particularly those targeting Microsoft services through various evasion techniques. The rule analyzes both the document content and linked destinations for suspicious patterns and redirects.
Link: Multistage landing - Trello board abuse
Detects suspicious Trello board links containing malicious indicators such as credential theft content, blocked users, malicious attachments, or boards with minimal content from unsolicited senders.
Link: MyActiveCampaign Link Abuse
Detects messages from myactivecampaign.com containing links and suspicious language that do not exclusively point to activehosted.com domains.
Link: Non-standard port 8443 in display URL
Detects links containing port 8443 in the display URL, which may indicate suspicious redirect or hosting infrastructure.
Link: Obfuscation via userinfo with excessive URL padding
Identifies instances where a malicious actor leverages an excessively padded username within the userinfo portion of the URL to hide the true destination in preview windows.
Link: Obfuscation via userinfo with suspicious indicators
Detects URLs that use the @ symbol to hide suspicious domains or URL shorteners within the link structure, excluding legitimate email addresses and malformed mailto/telto links.
Link: PDF and financial display text to free file host
Detects messages containing a single link with PDF-named display text containing financial phrases that redirects to a free file hosting service, sent without previous message threads.
Link: PDF display text with fake copyright claim template
Detects messages containing fake copyright claims with table rows with 25px height images and links where the display text references PDF content, potentially indicating malicious PDF delivery attempts through deceptive formatting.
Link: PDF filename impersonation with credential theft language
Detects messages where the link display text mimics a PDF filename containing the sender's domain name, combined with credential theft language or suspicious requests. The message is sent to an invalid recipient address or to the sender themselves, indicating potential abuse of email infrastructure.