EXPLORE DETECTIONS
Link: Multistage landing - Scribd document
Detects when a Scribd document contains embedded links that are suspicious, particularly those targeting Microsoft services through various evasion techniques. The rule analyzes both the document content and linked destinations for suspicious patterns and redirects.
Link: Multistage landing - Trello board abuse
Detects suspicious Trello board links containing malicious indicators such as credential theft content, blocked users, malicious attachments, or boards with minimal content from unsolicited senders.
Link: MyActiveCampaign Link Abuse
Detects messages sent from myactivecampaign.com that contain suspicious language together with links that do not all point to activehosted.com domains.
Link: Non-standard port 8443 in display URL
Detects links containing port 8443 in the display URL, which may indicate suspicious redirect or hosting infrastructure.
Link: Numeric IP obfuscation in URL
Detects inbound messages containing links where the host is a numeric-only IP representation, commonly used to bypass domain-based URL filtering.
Link: Obfuscation via userinfo with excessive URL padding
Identifies URLs in which the userinfo portion of the authority (the text before the @) carries an excessively long padded username, so that link previews show the padding rather than the true destination host.
Link: Obfuscation via userinfo with suspicious indicators
Detects URLs that use the @ separator to hide the real host (often a suspicious domain or URL shortener) behind a misleading userinfo string, excluding legitimate email addresses and malformed mailto/telto links.
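The four link rules above (port 8443, numeric IP hosts, userinfo padding, userinfo with suspicious indicators) all reduce to structural URL parsing. The following is an added example of that logic in Python, not the detection platform's own rule code: it splits the authority into userinfo, host and port, normalizes the numeric host forms browsers accept (dotted decimal, a single decimal, hex or octal integer, and dotted parts mixing hex and octal, with inet_aton's "last part fills the remaining bytes" rule), and skips mailto:-style links, where the address sits in the path rather than the authority. The padding cutoff of 40 characters and the sample URLs are constructed for illustration.

```python
"""Flag URL-structure obfuscation: userinfo ('@') abuse with excessive padding,
numeric IP hosts in every form browsers accept, and non-standard port 8443.
Added example, not the detection platform's own rule logic."""
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical cutoff: a userinfo this long exists only to push the real host
# out of view in a link preview.
PADDING_THRESHOLD = 40


def parse_numeric_ipv4(host: str):
    """Return an IPv4Address when `host` is a numeric IPv4 in any form that
    browsers accept (dotted decimal, a single decimal/hex/octal integer, or
    dotted parts mixing hex and octal); otherwise None."""
    try:
        return ipaddress.IPv4Address(host)          # canonical 192.168.1.1
    except ValueError:
        pass
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
            nums.append(int(p, 16))                 # 0xC0A80101
        elif re.fullmatch(r"0[0-7]*", p):
            nums.append(int(p, 8))                  # leading zero => octal (0300)
        elif re.fullmatch(r"[1-9][0-9]*", p):
            nums.append(int(p, 10))                 # 3232235777
        else:
            return None
    *lead, last = nums
    if any(v > 255 for v in lead):
        return None
    width = 4 - len(lead)            # inet_aton: the last part fills the remaining bytes
    if last >= 1 << (8 * width):
        return None
    value = 0
    for v in lead:
        value = (value << 8) | v
    value = (value << (8 * width)) | last
    return ipaddress.IPv4Address(value)


def analyze_url(url: str) -> dict:
    """Return structural findings for one URL."""
    parts = urlsplit(url)
    userinfo = parts.netloc.rpartition("@")[0]     # '' when the authority has no '@'
    host = parts.hostname or ""
    try:
        port = parts.port
    except ValueError:                             # non-numeric or out-of-range port
        port = None
    ip = parse_numeric_ipv4(host)
    scheme = parts.scheme.lower()
    return {
        "scheme": scheme,
        "host": host,
        "userinfo": userinfo,
        # mailto:/tel: carry the address in the path, not the authority, so a
        # plain email address never trips this; only http(s) authorities count.
        "userinfo_obfuscation": bool(userinfo) and scheme in ("http", "https"),
        "userinfo_padding": len(userinfo) >= PADDING_THRESHOLD,
        "numeric_ip": str(ip) if ip else None,
        "port_8443": port == 8443,
    }


def suspicious_reasons(url: str) -> list:
    """Human-readable list of the tricks found in `url` (empty when clean)."""
    f = analyze_url(url)
    reasons = []
    if f["userinfo_obfuscation"]:
        reasons.append("userinfo '@' hides real host " + f["host"])
    if f["userinfo_padding"]:
        reasons.append("userinfo padded to %d chars" % len(f["userinfo"]))
    if f["numeric_ip"]:
        reasons.append("numeric host resolves to " + f["numeric_ip"])
    if f["port_8443"]:
        reasons.append("non-standard port 8443")
    return reasons


# Constructed sample links (not real campaign data).
SAMPLE_LINKS = [
    "https://accounts-microsoft-com-secure-login-session-verification-portal@0xC0A80101:8443/auth",
    "http://3232235777/",
    "http://0300.0250.01.01/",
    "https://user@bit.ly/abc",
    "https://www.example.com/login@evil.example/",   # '@' is in the path: not obfuscation
    "mailto:alice@example.com",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", suspicious_reasons(link) or "clean")
```

Note that `https://www.example.com/login@evil.example/` is correctly left alone: the authority ends at the first `/`, so both the parser and a browser treat `login@evil.example` as path, which is why the rule keys on the authority rather than on any `@` in the URL.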
Link: PDF and financial display text to free file host
Detects messages with no prior thread that contain a single link whose display text looks like a PDF filename with financial phrasing and whose destination redirects to a free file hosting service.
Link: PDF display text with fake copyright claim template
Detects messages built from a fake copyright-claim template: table rows containing 25px-high images and links whose display text references a PDF, a formatting pattern that indicates an attempt to deliver a malicious PDF lure.
Link: PDF filename impersonation with credential theft language
Detects messages where the link display text mimics a PDF filename containing the sender's domain name, combined with credential theft language or suspicious requests. The message is sent to an invalid recipient address or to the sender themselves, indicating potential abuse of email infrastructure.
Link: Personal SharePoint with invalid recipients and credential theft language
Detects messages with undisclosed or invalid recipients containing a single link to a personal SharePoint domain (with the '-my' pattern) and high-confidence credential theft language in a short message body.
Link: Personalized URL with recipient address on commonly abused web service
Detects messages containing links to file hosting or self-service platforms where the recipient's email address is embedded in the URL path, fragment, or base64-encoded components, indicating targeted personalization tactics.
Link: QR code in EML attachment with credential phishing indicators
This rule detects QR codes in EML attachments that return a phishing disposition when analyzed, or are leveraging a known open redirect.
Link: QR code with phishing disposition in img or pdf
This rule analyzes image and PDF attachments for QR codes whose decoded URL LinkAnalysis concludes is phishing. The rule ensures that the URLs do not link to any organizational domains.
Link: QR Code with suspicious language (untrusted sender)
This rule analyzes image attachments for QR codes that decode to URLs containing the recipient's email address. It ensures that the URLs do not link to any organizational domains. Additionally, it examines the email body using Natural Language Processing to detect credential phishing language. When the body is empty, the rule instead checks the image itself for suspicious terms.
Link: QuickBooks image lure with suspicious link
This rule detects messages with an image attachment containing a QuickBooks logo and exactly one link, which points to a suspicious URL.
Link: Recipient domain in URL path
This rule detects URL paths that contain the recipient's second-level domain (SLD) multiple times. This has been observed in multiple credential phishing campaigns with MFA enrollment themed lures.
Link: Recipient email address in 'eta' parameter
Detects links containing the recipient's email address in the 'eta' query parameter, a technique commonly used to personalize malicious links and track targets.
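The personalization rules above (recipient address in the path, fragment or base64-encoded components; recipient SLD repeated in the path; recipient address in the 'eta' parameter) share one check: does the link encode who it was sent to. The following is an added Python example of that check, not the platform's rule logic. It decodes percent-encoding, splits each URL component on path and key/value delimiters, tries a lenient base64/base64url decode on every long token, and counts the recipient's SLD in the path. The recipient address, the sample links, the "at least twice" repetition threshold and the simplified SLD extraction (which would need a public-suffix list to handle suffixes like co.uk) are all constructed assumptions.

```python
"""Find recipient-personalized URLs: the recipient address in path, query
('eta' or any parameter) or fragment, plain or base64-encoded, and the
recipient's SLD repeated in the path. Added example, not platform rule code."""
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

RECIPIENT = "alice@contoso.com"   # constructed sample recipient
SLD_REPEAT_THRESHOLD = 2          # hypothetical reading of "multiple times"

# Components are split on path and key/value delimiters, then long runs of
# base64/base64url characters are tried as candidate encodings. '/' is left
# out of the class on purpose: inside a URL a standard-alphabet '/' cannot be
# told apart from a path separator, and URL-safe base64 is what gets embedded.
DELIMS = re.compile(r"[/?&#;,=]")
B64_RUN = re.compile(r"[A-Za-z0-9+_-]{16,}")


def b64_decode_loose(token: str) -> str:
    """Decode standard or URL-safe base64, restoring any stripped padding."""
    t = token.replace("-", "+").replace("_", "/")
    t += "=" * (-len(t) % 4)
    try:
        return base64.b64decode(t, validate=True).decode("utf-8", "ignore")
    except ValueError:        # binascii.Error is a ValueError subclass
        return ""


def recipient_sld(address: str) -> str:
    """Label left of the TLD. Simplification: multi-label public suffixes
    such as co.uk need a public-suffix list to get right."""
    labels = address.lower().partition("@")[2].split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def recipient_in_url(url: str, recipient: str) -> dict:
    """Report every place `recipient` shows up in `url`."""
    rcpt = recipient.lower()
    sld = recipient_sld(recipient)
    parts = urlsplit(url)
    path, query, fragment = (unquote(c).lower() for c in (parts.path, parts.query, parts.fragment))
    base64_hits = []
    for component in (parts.path, parts.query, parts.fragment):
        for seg in DELIMS.split(unquote(component)):
            if B64_RUN.fullmatch(seg) and rcpt in b64_decode_loose(seg).lower():
                base64_hits.append(seg)
    hits = {
        "in_path": rcpt in path,
        "in_query": rcpt in query,
        "eta_param": rcpt in [v.lower() for v in parse_qs(parts.query).get("eta", [])],
        "in_fragment": rcpt in fragment,
        "base64": base64_hits,
        "sld_path_count": path.count(sld) if sld else 0,   # path only, host is ignored
    }
    hits["personalized"] = (
        hits["in_path"] or hits["in_query"] or hits["in_fragment"]
        or bool(base64_hits) or hits["sld_path_count"] >= SLD_REPEAT_THRESHOLD
    )
    return hits


# Constructed sample links, one per technique plus a benign control.
SAMPLES = [
    "https://files.example/dl/report.pdf#" + RECIPIENT,                           # fragment
    "https://files.example/verify?eta=alice%40contoso.com",                      # 'eta' parameter
    "https://files.example/s/"
    + base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("=") + "/open",  # base64url, unpadded
    "https://sso.example/contoso/mfa-enroll/contoso/login",                      # SLD twice in path
    "https://www.contoso.com/docs/report.pdf",                                   # benign: SLD only in host
]

if __name__ == "__main__":
    for link in SAMPLES:
        r = recipient_in_url(link, RECIPIENT)
        print("personalized" if r["personalized"] else "clean      ", link)
```

The benign control shows why the SLD check looks only at the path: a link to the recipient's own company site naturally carries the SLD in the host, and matching there would fire on every internal share.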
Link: Referrer anonymization service from untrusted sender
Detects messages containing links that utilize a referrer anonymization service. The rule examines senders who are either not in a trusted domain list or have failed DMARC authentication despite being from a trusted domain.
Link: RFI document reference pattern in display text
Detects links with display text containing RFI (Request for Information) document reference patterns using format RFI-###-###-###, commonly used in construction and procurement fraud schemes.
Link: Romance/Sexual Language With Suspicious Link
Detects messages containing romantic or adult-themed language, combined with links to newly registered domains or suspicious reply-to addresses.
Link: ScreenConnect installer with suspicious relay domain
Detects when a link leads to a ConnectWise ScreenConnect installer and references a relay domain that doesn't match sender or organizational domains.
Link: Scribd fullscreen link from suspicious sender
Detects messages containing Scribd links with the fullscreen parameter from senders with no prior benign communication or recent history.
Link: Secure SharePoint file share from new or unusual sender
This ASR rule detects the use of secure SharePoint links which require recipient verification before allowing access to the shared file. This has been observed as a method of evading automated analysis of the shared file's content.