Link: Self-sender credential theft with configuration placeholder
Detects messages where the sender and recipient are the same address, containing credential theft language and links with configuration placeholder text indicating a phishing lure.
Link: Self-sender with sender org in subject and credential theft indicator
Detects messages where the sender and recipient are the same email address, containing organizational names in the subject, credential theft language with high confidence, and suspicious links. These messages often bypass traditional security measures by appearing to come from the recipient themselves.
Link: Self-sent message with quarterly document review request
Detects messages sent from a user to themselves containing a link with quarterly indicators (q1_, q2_, q3_, q4_) and specific document review language requesting urgent feedback.
Link: SharePoint filename matches org name
Detects messages claiming to share files via SharePoint or OneDrive where the shared file name pattern matches the organizational naming pattern, indicating potential abuse of legitimate file sharing services to impersonate organizations.
Link: SharePoint files shared from GoDaddy federated tenants
This matches on inbound Shared File notification emails from Microsoft where any link to SharePoint contains a default GoDaddy Federated Tenant Name. These tenants have been observed being frequently abused to send credential phishing campaigns.
Link: SharePoint OneNote or PDF link with self sender behavior
Detects messages where the sender and recipient are the same address, containing SharePoint links to OneNote or PDF files, with minimal attachments and non-standard message IDs indicating potential abuse of SharePoint services for malicious purposes.
Link: Shortened URL with fragment matching subject
Detects messages containing shortened links where the URL fragment appears in the email subject line, indicating potential targeted link tracking or social engineering tactics.
Link: Single character path with credential theft body and self sender behavior or invalid recipient
Detects messages where the sender and recipient are the same or the recipient domain is invalid, containing a link with a single-character path and no query parameters or fragments, and including credential theft language.
Link: Spam website with evasion indicators
Detects messages containing links to spam websites that show signs of evasion techniques, including blocklisted IP provider messages or rate limiting responses when analyzed.
Link: Squarespace infrastructure abuse
Detects inbound messages containing exactly one Squarespace tracking link but lacking authentic Squarespace email headers and sender patterns.
Link: Suspicious Family fragment parameter with encoded recipient data
Detects messages containing links with URL fragments that include 'Family' parameters containing base64 or hex encoded email addresses, which may indicate personalized malicious content targeting specific recipients.
Link: Suspicious go.php redirect with document lure
Detects links containing a PHP redirect endpoint with authentication parameters, commonly used in malicious redirects and unauthorized access attempts.
Link: Suspicious Loom HTML file path
Detects inbound messages containing links to Loom HTML files, which may be used to deliver malicious content or bypass security controls through the legitimate Loom platform.
Link: Suspicious SharePoint document name
The detection rule is intended to match on emails sent from SharePoint indicating a shared file to the recipient that contain suspicious content within the document name. The Link display text is leveraged to identify the name of the shared file.
Link: Suspicious Sharepoint folder share
Detects messages containing a link to a SharePoint shared folder that holds a single file which is a .url file, has an all-caps filename, or includes call-to-action wording. These messages must not be sent from SharePoint and are either unsolicited or from a new or outlier sender.
Link: Suspicious URL path with binary character sequence
Detects inbound messages containing links with URLs that follow a specific suspicious pattern: starting with a forward slash, followed by a digit, uppercase letter, alphanumeric characters, a hyphen, more alphanumeric characters, and ending with exactly five binary digits (0s and 1s).
Link: Suspicious URL with recipient targeting and special characters
Detects messages containing links with special characters in the path that include the recipient's email address in either the URL path or fragment, potentially encoded in base64. The URLs have a simple path structure and may end with suspicious patterns.
Link: Tax document lure Portuguese/Spanish with suspicious domains
Detects messages in Portuguese/Spanish containing tax document phrases that link to suspicious domains including URL shorteners, free file hosts, or newly registered domains.
Link: Tycoon2FA phishing kit (non-exhaustive)
Detects links utilizing the Tycoon2FA phishing kit, identified by specific DOM structure patterns and CDN characteristics, combined with suspicious domain indicators such as free subdomain hosts or suspicious TLDs. As the Tycoon2FA kit is evolving, this rule will not detect all variants of Tycoon2FA phishing, and is designed to complement existing and future detections.
Link: Uncommon SharePoint document type with sender's display name
Detects SharePoint file shares containing personal OneNote or PDF files where the file name matches the sender's display name.
Link: Unsolicited email contains link leading to Tycoon URL structure
Detects unsolicited messages containing links leading to specific tycoon URL patterns that include encoded email addresses or base64-encoded content in the path structure.
Link: Unsolicited email contains link to page containing Tycoon URI structure
Detects links containing Tycoon phishing kit URI patterns with specific alphanumeric sequences separated by exclamation marks or at symbols from unsolicited senders.
Link: URL fragment with hexadecimal pattern obfuscation
Detects links containing URL fragments with repeating hexadecimal patterns, commonly used to obfuscate malicious destinations or bypass security filters.
Link: URL path containing /moni/index
Detects inbound messages containing links to '/moni/index.' paths, either directly in the URL path or within query parameters. This pattern has been observed in the wild leading to credential phishing.