EXPLORE DETECTIONS
Link: Personal SharePoint with invalid recipients and credential theft language
Detects messages with undisclosed or invalid recipients containing a single link to a personal SharePoint domain (with '-my' pattern) and high-confidence credential theft language in short message body.
Link: Personalized URL with recipient address on commonly abused web service
Detects messages containing links to file hosting or self-service platforms where the recipient's email address is embedded in the URL path, fragment, or base64-encoded components, indicating targeted personalization tactics.
Link: QR code in EML attachment with credential phishing indicators
This rule detects QR codes in EML attachments that return a phishing disposition when analyzed, or are leveraging a known open redirect.
Link: QR code with phishing disposition in img or pdf
This rule analyzes image attachments for QR codes whose URLs LinkAnalysis concludes are phishing. The rule ensures that the URLs do not link to any organizational domains.
Link: QR Code with suspicious language (untrusted sender)
This rule analyzes image attachments for QR codes that contain URLs including the recipient's email address. It ensures that the URLs do not link to any organizational domains. Additionally, it examines the email body using Natural Language Processing to detect credential phishing language. In cases of null bodies, the rule is conditioned to check the image for any suspicious terms.
Link: QuickBooks image lure with suspicious link
This rule detects messages with image attachments containing a QuickBooks logo and exactly one link to a suspicious URL.
Link: Recipient domain in URL path
This rule detects URL paths which contain the recipient SLD multiple times. This has been observed in multiple credential phishing campaigns with MFA enrollment themed lures.
Link: Recipient email address in 'eta' parameter
Detects links containing the recipient's email address in the 'eta' query parameter, a technique commonly used to personalize malicious links and track targets.
Link: Referrer anonymization service from untrusted sender
Detects messages containing links that utilize a referrer anonymization service. The rule examines senders who are either not in a trusted domain list or have failed DMARC authentication despite being from a trusted domain.
Link: RFI document reference pattern in display text
Detects links with display text containing RFI (Request for Information) document reference patterns using format RFI-###-###-###, commonly used in construction and procurement fraud schemes.
Link: Romance/Sexual Language With Suspicious Link
Detects messages containing romantic or adult-themed language, combined with links to newly registered domains or suspicious reply-to addresses.
Link: ScreenConnect installer with suspicious relay domain
Detects when a link leads to a ConnectWise ScreenConnect installer and references a relay domain that doesn't match sender or organizational domains.
Link: Scribd fullscreen link from suspicious sender
Detects messages containing Scribd links with the fullscreen parameter from senders with no prior benign communication or recent history.
Link: Secure SharePoint file share from new or unusual sender
This ASR rule detects the use of secure SharePoint links which require recipient verification before allowing access to the shared file. This has been observed as a method of evading automated analysis of the shared files' content.
Link: Self-sender with sender org in subject and credential theft indicator
Detects messages where the sender and recipient are the same email address, containing organizational names in the subject, credential theft language with high confidence, and suspicious links. These messages often bypass traditional security measures by appearing to come from the recipient themselves.
Link: Self-sent message with quarterly document review request
Detects messages sent from a user to themselves containing a link with quarterly indicators (q1_, q2_, q3_, q4_) and specific document review language requesting urgent feedback.
Link: SharePoint filename matches org name
Detects messages claiming to share files via SharePoint or OneDrive where the shared file name pattern matches the organizational naming pattern, indicating potential abuse of legitimate file sharing services to impersonate organizations.
Link: SharePoint files shared from GoDaddy federated tenants
This matches on inbound Shared File notification emails from Microsoft, where any link to SharePoint contains a default GoDaddy Federated Tenant Name. These have been observed being frequently abused to send credential phishing campaigns.
Link: SharePoint OneNote or PDF link with self sender behavior
Detects messages where the sender and recipient are the same address, containing SharePoint links to OneNote or PDF files, with minimal attachments and non-standard message IDs indicating potential abuse of SharePoint services for malicious purposes.
Link: Shortened URL with fragment matching subject
Detects messages containing shortened links where the URL fragment appears in the email subject line, indicating potential targeted link tracking or social engineering tactics.
Link: Spam website with evasion indicators
Detects messages containing links to spam websites that show signs of evasion techniques, including blocklisted IP provider messages or rate limiting responses when analyzed.
Link: Squarespace infrastructure abuse
Detects inbound messages containing exactly one Squarespace tracking link but lacking authentic Squarespace email headers and sender patterns.
Link: Suspicious go.php redirect with document lure
Detects links containing a PHP redirect endpoint with authentication parameters, commonly used in malicious redirects and unauthorized access attempts.
Link: Suspicious SharePoint document name
The detection rule is intended to match on emails sent from SharePoint indicating a shared file to the recipient that contain suspicious content within the document name. The Link display text is leveraged to identify the name of the shared file.