EXPLORE DETECTIONS
Microsoft Defender Attack phishing simulation
Identifies phishing simulations sent by Microsoft Defender Attack simulation training and excludes the message from live analysis.
Microsoft device code phishing
An attacker may initiate a device code login, obtain the resulting user code, and send it to a target mailbox. With an appropriate lure, the targeted user may complete the device code login with that code and grant the attacker the means to take over the account. This rule looks for the presence of the Microsoft device login portal link, together with mentions of 'device code' or a 9-character alphanumeric device code value.
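The signals named above, combined the way the rule description states (the device login link must be present, plus either the phrase 'device code' or a code-shaped token), as an added example in Python. This is not Sublime's rule code; the exact device login URL form, the 9-character uppercase alphanumeric code shape, and the requirement that a code contain at least one digit are assumptions made here, and both messages are constructed samples.

```python
import re
from dataclasses import dataclass, field

# Constructed samples for illustration only (not real messages).
PHISH = """Subject: Action required: re-authorize your mailbox

Your Outlook sync has been paused. To restore access, open
https://microsoft.com/devicelogin and enter the device code FZTX7NWH9
within the next 15 minutes."""

BENIGN = """Subject: Your order shipped

Order reference A1B2C3D4E left our warehouse today.
Track it at https://example.com/track?id=8831"""

# Assumed form of the Microsoft device login portal link.
DEVICE_LOGIN_RE = re.compile(r"https?://(?:www\.)?microsoft\.com/devicelogin\b", re.I)
DEVICE_CODE_WORDING_RE = re.compile(r"\bdevice\s+code\b", re.I)
# Nine uppercase alphanumerics not flanked by other alphanumerics. Requiring a
# digit within the token is an assumption that keeps 9-letter words such as
# IMPORTANT from matching.
USER_CODE_RE = re.compile(r"(?<![A-Za-z0-9])(?=[A-Z0-9]{0,8}\d)[A-Z0-9]{9}(?![A-Za-z0-9])")


@dataclass
class Verdict:
    matched: bool
    has_login_link: bool
    has_wording: bool
    user_codes: list = field(default_factory=list)


def analyze(body: str) -> Verdict:
    """Apply the device code phishing heuristic to one message body."""
    has_link = DEVICE_LOGIN_RE.search(body) is not None
    has_wording = DEVICE_CODE_WORDING_RE.search(body) is not None
    codes = USER_CODE_RE.findall(body)
    # The portal link is required; wording or a code-shaped token corroborates it.
    matched = has_link and (has_wording or bool(codes))
    return Verdict(matched, has_link, has_wording, codes)


if __name__ == "__main__":
    for name, body in (("phish", PHISH), ("benign", BENIGN)):
        print(name, analyze(body))
```

The benign order confirmation contains a token of the right shape but no portal link, so it does not match; the lure matches on the link plus both corroborating signals.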
Microsoft infrastructure abuse with suspicious patterns
Attackers have been observed abusing Microsoft's services. Suspicious indicators include default Microsoft 365 tenant domains (onmicrosoft.com), non-Microsoft return paths, and Resent-From headers.
Mismatched links: Free file share with urgent language
Detects messages from first-time senders containing free file sharing links, multiple urgent language indicators, and mismatched link text.
Navohost.com hosting link
The message contains a Navohost.com link, which can be used to host malicious content.
New Account Verification Code From Common IdP Vendor
Identifies incoming verification codes from Apple, GitHub, Microsoft, Google, Slack, and Facebook, typically associated with new account creation. We recommend commenting out vendors where your users already have accounts, as this may flag verification codes for existing accounts.
New link domain (<=10d) from untrusted sender
Detects links in the body of an email where the linked domain is less than 10 days old from untrusted senders.
New sender domain (<=10d) from untrusted sender
Detects inbound emails where the sender domain is less than 10 days old from untrusted senders.
Newly registered sender or reply-to domain with newly registered linked domain
This rule detects inbound emails that contain links and a reply-to address, where either the sender domain or the reply-to domain is newly registered (≤30 days old), and at least one linked domain is also very new (≤14 days old). It flags potential phishing or business email compromise attempts that use recently created infrastructure and reply-to mismatch tactics to bypass trust and impersonate legitimate contacts.
NINJIO phishing simulation
Identifies phishing simulations sent by NINJIO and excludes the message from live analysis.
Non-RFC compliant calendar files from unsolicited sender
Detects calendar (.ics) files that do not follow the iCalendar standard (RFC 5545): they lack the required UID property while containing calendar components that must carry one (VTODO, VJOURNAL, VFREEBUSY, or VEVENT). Forged ICS calendar invites can be spoofed to appear to originate from any sender.
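The UID check from the rule above, as an added example in Python that is not part of the detection rule itself. It unfolds RFC 5545 continuation lines, tracks nested BEGIN/END components, and reports each VEVENT, VTODO, VJOURNAL or VFREEBUSY that ends without a UID. The "unsolicited sender" half of the rule is sender-reputation logic outside this snippet, and both calendar files are constructed samples.

```python
COMPONENTS_REQUIRING_UID = {"VEVENT", "VTODO", "VJOURNAL", "VFREEBUSY"}

# Constructed samples: the same invite with and without a UID property.
FORGED_INVITE = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//Example//Forged//EN",
    "METHOD:REQUEST",
    "BEGIN:VEVENT",
    "DTSTAMP:20240101T090000Z",
    "DTSTART;TZID=Europe/London:20240102T150000",
    "SUMMARY:Quarterly payroll review",
    "ORGANIZER;CN=CEO:mailto:ceo@example.com",
    "DESCRIPTION:Review the invoice before the call:",
    " https://example.net/invoice",  # folded continuation line
    "END:VEVENT",
    "END:VCALENDAR",
])
LEGIT_INVITE = FORGED_INVITE.replace(
    "BEGIN:VEVENT", "BEGIN:VEVENT\r\nUID:20240101T090000Z-1234@example.com"
)


def unfold(ics: str) -> list:
    """Join folded lines: a line starting with space or tab continues the previous one."""
    lines = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def find_uid_violations(ics: str) -> list:
    """Return names of components that require a UID but close without one."""
    stack = []        # open components as [name, has_uid]
    violations = []
    for line in unfold(ics):
        name, _, value = line.partition(":")
        prop = name.split(";", 1)[0].upper()   # drop parameters such as TZID=...
        value = value.strip()
        if prop == "BEGIN":
            stack.append([value.upper(), False])
        elif prop == "END":
            if not stack:
                continue                        # stray END, ignore
            comp, has_uid = stack.pop()
            if comp in COMPONENTS_REQUIRING_UID and not has_uid:
                violations.append(comp)
        elif prop == "UID" and stack and value:
            stack[-1][1] = True
    return violations


def is_non_compliant_invite(ics: str) -> bool:
    return bool(find_uid_violations(ics))


if __name__ == "__main__":
    print("forged:", find_uid_violations(FORGED_INVITE))
    print("legit:", find_uid_violations(LEGIT_INVITE))
```

The parser deliberately ignores everything except component boundaries and UID, so malformed property values elsewhere in the file cannot stop the check from running.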
Notion suspicious file share
Message contains a Notion link that contains suspicious terms. You may need to deactivate or fork this rule if your organization uses Notion.
Office 365 fake file share
Open redirect (go2.aspx) leading to Microsoft credential phishing
This rule is designed to detect credential phishing attacks that exploit go2.aspx redirects and masquerade as Microsoft-related emails.
Open redirect: adnxs.com
Message contains use of the adnxs.com redirect with getuid parameter. This has been exploited in phishing campaigns to redirect users to malicious sites.
Open redirect: agena-smile.com
Message contains use of the agena-smile.com redirect with wptouch_switch parameter. This has been exploited in the wild for phishing.
Open redirect: amaterasu-for-website-5.com
Detects messages containing amaterasu-for-website-5.com redirect links that use the url parameter to redirect users to malicious sites. This has been observed in phishing campaigns.
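How the three redirector rules above (adnxs.com with getuid, agena-smile.com with wptouch_switch, amaterasu-for-website-5.com with url) can be checked in one pass, as an added example in Python that is not the vendor's rule code. The page names each redirector's marker parameter but not its full URL layout, so this example treats a link as an open redirect when a known redirector host carries the marker (in the path or query) and its decoded query string embeds another absolute URL; the destination is pulled from wherever it appears. The redirector mapping, the helper names and the message body are assumptions and constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Known redirector host -> marker parameter named in the rules above.
REDIRECTORS = {
    "adnxs.com": "getuid",
    "agena-smile.com": "wptouch_switch",
    "amaterasu-for-website-5.com": "url",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample body: three redirector abuses plus a benign link.
SAMPLE_BODY = """Your shared document is ready. Review it here:
https://ib.adnxs.com/getuid?https%3A%2F%2Flogin.example-evil.test%2Fo365
Mobile view:
https://agena-smile.com/?wptouch_switch=desktop&redirect=https%3A%2F%2Fevil.example%2Fauth
Archive copy:
https://www.amaterasu-for-website-5.com/redirect?url=https%3A%2F%2Fbad.example%2F
Unsubscribe: https://example.com/unsub?ref=newsletter
"""


def _host_matches(host: str, known: str) -> bool:
    return host == known or host.endswith("." + known)


def embedded_destination(link: str):
    """Return the URL a known redirector would forward to, or None."""
    u = urlparse(link)
    host = (u.hostname or "").lower()
    segments = [s for s in u.path.split("/") if s]
    params = parse_qs(u.query, keep_blank_values=True)
    for known, marker in REDIRECTORS.items():
        if not _host_matches(host, known):
            continue
        if marker not in segments and marker not in params:
            continue
        # The destination is percent-encoded inside the query; decode and look for it.
        found = URL_RE.search(unquote(u.query))
        if found:
            return found.group(0)
    return None


def find_open_redirects(body: str) -> list:
    """Return (redirector link, final destination) pairs found in a message body."""
    hits = []
    for link in URL_RE.findall(body):
        dest = embedded_destination(link)
        if dest:
            hits.append((link, dest))
    return hits


if __name__ == "__main__":
    for link, dest in find_open_redirects(SAMPLE_BODY):
        print(f"{urlparse(link).hostname} -> {dest}")
```

Reporting the decoded destination rather than only the redirector host is what lets an analyst pivot to the actual phishing page, and a redirector link whose query carries no URL (for example a genuine adnxs.com getuid call) is left alone.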
Open redirect: api.spently.com
Message contains use of the api.spently.com redirect. This has been exploited in the wild.
Open redirect: Artisteer
Message contains use of the Artisteer open redirect, but the sender is not Artisteer. This has been exploited in the wild.
Open redirect: artkaderne
Message contains use of an open redirect on artkaderne.dk. This has been exploited in the wild.
Open redirect: asemailmgmteu.com
Message contains use of the asemailmgmteu.com open redirect. This has been exploited in the wild.
Open redirect: astroarts.co.jp
Message contains use of the astroarts.co.jp redirect. This has been exploited in the wild.
Open redirect: Atdmt
Message contains use of the Atdmt (Facebook) open redirect.
Open redirect: Avast
Detects emails containing links to avast.com that leverage an open redirect.