EXPLORE DETECTIONS
Link: Suspicious Sharepoint folder share
This detection rule matches messages that contain a link to a SharePoint shared folder holding a single file, where that file is a .url file, has an all-caps filename, or has a filename that includes call-to-action wording. The messages must not be sent from SharePoint and must be either unsolicited or from a new or outlier sender.
Link: Suspicious URL with recipient targeting and special characters
Detects messages containing links with special characters in the path that include the recipient's email address in either the URL path or fragment, potentially encoded in base64. The URLs have a simple path structure and may end with suspicious patterns.
Link: Tycoon2FA phishing kit (non-exhaustive)
Detects links utilizing the Tycoon2FA phishing kit, identified by specific DOM structure patterns and CDN characteristics, combined with suspicious domain indicators such as free subdomain hosts or suspicious TLDs. As the Tycoon2FA kit is evolving, this rule will not detect all variants of Tycoon2FA phishing, and is designed to complement existing and future detections.
Link: Uncommon SharePoint document type with sender's display name
Detects SharePoint file shares containing personal OneNote or PDF files where the file name matches the sender's display name.
Link: Unsolicited email contains link leading to Tycoon URL structure
Detects unsolicited messages containing links leading to specific tycoon URL patterns that include encoded email addresses or base64-encoded content in the path structure.
Link: Unsolicited email contains link to page containing Tycoon URI structure
Detects links containing Tycoon phishing kit URI patterns with specific alphanumeric sequences separated by exclamation marks or at symbols from unsolicited senders.
Link: URL fragment with hexadecimal pattern obfuscation
Detects links containing URL fragments with repeating hexadecimal patterns, commonly used to obfuscate malicious destinations or bypass security filters.
Link: URL redirecting to blob URL
Detects messages containing links that redirect to blob URLs, indicating potential malware delivery or credential harvesting.
Link: URL scheme obfuscation via split HTML anchors
Detects URLs intentionally split across multiple adjacent HTML anchor tags to evade URL analysis and detection systems. This sophisticated evasion technique breaks the URL scheme (http/https) across separate anchor elements, rendering as: <a>h</a><a>ttp://malicious.com</a>
The technique bypasses many security tools that expect complete, well-formed URLs while displaying a seemingly normal link to end users. This pattern is strongly associated with credential phishing and compromised email accounts.
References:
- Observed in wild credential phishing campaigns (2024-2025)
- Evades traditional URL extraction and analysis tools
Link: URL shortener with copy-paste instructions and credential theft language
Detects messages containing only URL shorteners with copy-paste instructions and high-confidence credential theft language, typically used to evade URL analysis by requiring manual URL entry.
Link: Webflow link from unsolicited sender
This detection rule matches messages containing at least one link to webflow.io from an unsolicited sender. Webflow.io provides a free plan enabling users to create custom websites and file hosting. This service has been abused by threat actors to host landing pages directing victims to a next stage of credential phishing.
Link: WordPress login page with Blogspot Binance scam
Detects messages containing WordPress login links (/wp-login.php) combined with Blogspot domains and Binance cryptocurrency scam language patterns in the body text.
Link: Zoho form link from unsolicited sender
This detection rule matches messages containing at least one link to forms.zohopublic.com from an unsolicited sender. Zoho provides a free plan enabling users to create custom websites and file hosting. This service has been abused by threat actors to host landing pages via forms directing victims to a next stage of credential phishing.
Lookalike sender domain (untrusted sender)
Sender's domain is a lookalike of one of your organization's domains and is untrusted.
Low reputation link to auto-downloaded HTML file with smuggling indicators
Message contains a low reputation link to an automatically downloaded HTML file that contains HTML smuggling indicators, such as atob function use, excessive hexadecimal (0x) usage, etc.
macOS malware: Compiled AppleScript with document double-extension
Detects compiled AppleScript files (.scpt) with document double-extensions (e.g., .docx.scpt, .pdf.scpt) commonly used in DPRK-attributed macOS malware campaigns. These files open in Script Editor when double-clicked and use social engineering (fake compatibility errors) to trick users into executing malicious reconnaissance scripts that fetch subsequent payload stages.
Malformed URL prefix
A malformed URL prefix is a technique used to evade email security scanners.
Malware: Pikabot delivery via URL auto-download
This rule detects URLs matching a known Pikabot pattern where the linked domain has been reported to URLhaus, the link downloads an archive containing a JS file, or the hash of a file in the archive is found in MalwareBazaar.
MalwareBazaar: Malicious attachment hash (trusted reporters)
Detects messages from untrusted senders in which an attachment's SHA256 hash matches a SHA256 hash reported as malware on MalwareBazaar by trusted reporters.
MalwareBazaar: Malicious attachment hash in archive (trusted reporters)
Detects messages from unknown senders in which an archive attachment contains a file whose SHA256 hash matches a hash reported as malware on MalwareBazaar by trusted reporters.
Mass campaign: Cross Site Scripting (XSS) attempt
Message subject or body contains Cross Site Scripting (XSS) indicators, and the message was sent to multiple unknown senders. This is a known spam technique.
Mass campaign: recipient address in subject, body, and link (untrusted sender)
This rule detects a pattern commonly observed in mass phishing campaigns: the local_part or the full email address of the recipient is used in the subject, body, and link query parameter to "personalize" the attack.
Mass Outbound Group With Free File Host Domain
Detects when a sender contacts multiple unique domains and includes links to known free file hosting services.
Message traversed multiple onmicrosoft.com tenants
This detection rule identifies messages that have traversed multiple distinct onmicrosoft.com tenants. This technique has been observed as an evasion tactic to distribute a single message across a list of targeted recipients.