EXPLORE DETECTIONS
Link: IPFS
Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites.
Link: IPv4-mapped IPv6 address obfuscation
Detects links containing IPv4-mapped IPv6 addresses in the format [::ffff:xxxx:xxxx], commonly used to obfuscate malicious URLs and evade detection systems.
Link: JavaScript obfuscation with Telegram bot integration
Detects links containing obfuscated JavaScript code with embedded Telegram bot tokens or API references, indicating potential data exfiltration or command and control infrastructure.
Link: Jensi file preview link from unsolicited sender
This detection rule matches on messages containing at least one link to app.jensi.io from an unsolicited sender. Jensi provides a free trial enabling users to create and upload documents and preview PDFs within the browser as native HTML. This service has been abused by threat actors to host landing pages directing victims to the next stage of credential phishing.
Link: Job recruitment lure from unsolicited sender with suspicious hosting
Message contains job recruitment language with links to suspicious hosting services including free file hosts, subdomain hosts, or URL shorteners from an unsolicited sender.
Link: Landing page with search-ms protocol redirect
Detects messages containing URL shortener links that redirect to search-ms protocol queries, which can be used to execute local file searches on Windows systems.
Link: Mamba 2FA phishing kit
Detects links containing base64-encoded parameters characteristic of the Mamba 2FA phishing kit, specifically looking for 'sv=o365' and '&uid=USER' patterns in redirect history.
Link: Microsoft device code authentication with suspicious indicators
Detects messages containing links with Microsoft device code authentication patterns, including verification prompts, copy code instructions, and suspicious API endpoints or antibot tokens commonly used in device code takeover attacks.
Link: Microsoft Dynamics 365 form phishing
The email body is suspicious and links to a Microsoft Dynamics form, a known phishing tactic.
Link: Microsoft impersonation using hosted png with suspicious link
Detects messages with a link to a Microsoft hosted logo where the sender's display name and the display text of a link in the body are in all caps, and a request is being made from a first-time sender.
Link: Microsoft protected message with matching sender and recipient addresses
Detects when a user receives a protected message (RPMSG) whose To and From headers match.
Link: Mixed case HTTPS protocol
Detects messages containing links with mixed case 'hTTPs' protocol, a technique used to evade detection filters.
Link: Multiple HTTP protocols in single URL
Detects messages containing links with 5 or more HTTP protocol declarations within a single URL, indicating potential URL manipulation or obfuscation techniques.
Link: Multistage landing - Abused Adobe Acrobat hosted PDF
Detects an inbound message containing an Adobe Acrobat link that leads to a single page PDF document with suspicious indicators, including minimal text, brand logos, and document viewer language. The sender is not from Adobe.com and the message is not a reply.
Link: Multistage landing - Abused Adobe frame.io
The detection rule matches on message groups which make use of Adobe's frame.io as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts or URL shorteners, or which, when visited, are phishing pages, lead to a captcha, or redirect to a well-known domain, a known evasion tactic.
Link: Multistage Landing - Abused Buildin.ai
Analyzes shared content links from buildin.ai domain that contain credential harvesting language with medium to high confidence in the display text.
Link: Multistage landing - Abused Docusign
The detection rule matches on message groups which make use of Docusign as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts or URL shorteners, or which, when visited, are phishing pages, lead to a captcha, or redirect to a top website.
Link: Multistage landing - Abused Google Drive
The detection rule matches on message groups which make use of Google Drive as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts or URL shorteners, or which, when visited, are phishing pages, lead to a captcha, or redirect to a common website.
Link: Multistage landing - ClickUp abuse
Detects ClickUp documents that contain external links to suspicious domains including new domains, free file hosts, URL shorteners, or links that redirect to phishing pages or contain captchas.
Link: Multistage landing - FreshDesk knowledge base abuse
Detects messages containing links to Freshdesk support solution pages that redirect to external domains with credential theft language, excluding legitimate Freshworks domains and organizational domains.
Link: Multistage landing - JotForm abuse
Detects a disabled JotForm that contains suspicious elements like secured document messaging, cloned forms, or suspicious action words in form items. Also checks for human verification pages and embedded links to credential collection sites.
Link: Multistage landing - Ludus presentation
Detects when a standalone Ludus document link contains embedded links that are suspicious, particularly those targeting Microsoft services through various evasion techniques. The rule analyzes both the presentation content and linked destinations for suspicious patterns and redirects.
Link: Multistage landing - Microsoft Forms abuse
The detection rule matches on message groups which make use of Microsoft Forms as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts or URL shorteners, or which, when visited, are phishing pages, lead to a captcha, or redirect to a top website.
Link: Multistage landing - Published Google Doc
A Google Docs document contains suspicious text and links that redirect to either newly registered domains, free subdomain hosts, URL shorteners, or domains with suspicious TLDs.