Link: Display text with excessive right-to-left mark characters
Detects links where the display text contains a high concentration of Unicode right-to-left mark characters (U+200F), which may be used to obfuscate or manipulate the visual representation of the link text to deceive recipients.
Link: Excessive URL rewrite encoders
Detects URLs with many (excessive) encoding patterns, including multiple instances of the same encoder or four or more distinct encoders. These techniques are commonly used to obfuscate malicious URLs and evade security filters.
Link: Executable file download with suspicious message content
Detects inbound messages containing links to executable files combined with high-confidence security, financial, or credential theft content indicators, while excluding legitimate trusted domains with proper DMARC authentication.
Link: Figma design deck with credential theft language
A single link to a Figma design deck that contains credential theft language. The message comes from either a new sender, one with previously detected malicious activity, or a known sender who has not been in contact for over 30 days and has no history of benign messages.
Link: File sharing impersonation with suspicious language and sending patterns
Detects messages containing file sharing and cloud services topics combined with BEC or credential theft language, featuring links with document-related display text that lead to low-reputation domains outside the sender's domain and organization.
Link: File sharing pretext with suspicious body and link
Detects messages containing file sharing pretext with a single link to self-service creation platforms or URL shorteners, where the link display text matches the email subject and points to suspicious domains.
Link: Financial account issue with suspicious indicators
Detects messages to single recipients containing language about account or payment issues combined with suspicious links or high-confidence credential theft indicators related to financial communications.
Link: Flagged bit.ly link
Detects a shortened link that bit.ly has blocked or gated, an indicator of a malicious email.
Link: Free file host from freemail sender with NLU intent
Detects free file host links sent by freemail senders with a short body and NLU indicators.
Link: Free file hosting with undisclosed recipients
Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms.
Link: Free subdomain host with undisclosed recipients
Detects messages with undisclosed recipients that contain links to free subdomain hosts.
Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender
Attackers invite users to view a Google Calendar whose name contains a suspicious link, generally linking to spam content such as crypto giveaways, using open redirects to mask the true destination.
Link: Google Cloud Storage impersonating with googledrive in URL path
Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) with paths ending in 'googledrive.html', indicating abuse of Google's cloud storage service to impersonate Google Drive and potentially deliver malicious content.
Link: Google Cloud Storage with suspicious URL pattern
Detects inbound messages containing links to Google Cloud Storage (storage.googleapis.com) with suspicious URL path patterns that follow a specific actor-controlled structure commonly used for hosting malicious content.
Link: Google Drawings link from new sender
Detects messages containing Google Drawings links from previously unseen senders, which may indicate abuse of Google's drawing service for malicious content delivery.
Link: Google Firebase dynamic link that redirects to new domain (<7 days old)
An attacker may use Google's Firebase Dynamic Links to redirect a user to a malicious site. This rule identifies Firebase Dynamic Links where the destination domain is less than a week old.
Link: Google Forms link with credential theft language
Detects messages containing Google Forms links paired with credential theft language from new senders. This technique abuses Google's trusted domain to host malicious forms designed to steal user credentials.
Link: Google Translate (unsolicited)
Attackers have used the Google Translate service to deliver links to malicious sites repackaged with a translate.goog top-level domain. This rule identifies instances of Google Translate links from unsolicited senders.
Link: GoPhish query param values
Detects links containing a 7-character alphanumeric value in the 'rid' query parameter (GoPhish's default) or in any other identified variant, a pattern commonly used in tracking and targeting systems for malicious purposes.
Link: Hotel booking spoofed display URL
Detects messages containing links with hotel-related display URLs that either redirect to different domains or contain suspicious parameters commonly used in booking scams and fraudulent hotel reservation schemes.
Link: HR impersonation with suspicious domain indicators and credential theft
Detects messages impersonating HR departments containing many links with malformed domains, suspicious TLD patterns, and credential theft language detected through URL analysis.
Link: HTML file with suspicious binary fragment ending pattern
Detects links to HTML files containing fragments with a suspicious pattern of alphanumeric characters followed by a 5-digit binary sequence, commonly used in malicious URL structures.
Link: Intuit link abuse with file share context
Detects messages linking to Intuit notification domains from non-Intuit senders, combined with credential harvesting language and file sharing themes.
Link: Invoice or receipt from freemail sender with customer service number
An email from a freemail sender which instructs the recipient to call a fraudulent customer service number.