EXPLORE DETECTIONS
Link: URL redirecting to blob URL
Detects messages containing links that redirect to blob URLs, indicating potential malware delivery or credential harvesting.
Link: URL scheme obfuscation via split HTML anchors
Detects URLs intentionally split across multiple adjacent HTML anchor tags to evade URL analysis and detection systems. This evasion technique breaks the URL scheme (http/https) across separate anchor elements, rendering as:

<a>h</a><a>ttp://malicious.com</a>

The technique bypasses many security tools that expect complete, well-formed URLs while displaying a seemingly normal link to end users. This pattern is strongly associated with credential phishing and compromised email accounts.

References:
- Observed in wild credential phishing campaigns (2024-2025)
- Evades traditional URL extraction and analysis tools
Link: URL shortener with copy-paste instructions and credential theft language
Detects messages containing only URL shorteners with copy-paste instructions and high-confidence credential theft language, typically used to evade URL analysis by requiring manual URL entry.
Link: Webflow link from unsolicited sender
This detection rule matches on messages containing at least one link to webflow.io from an unsolicited sender. Webflow.io provides a free plan enabling users to create custom websites and host files. This service has been abused by threat actors to host landing pages directing victims to a next stage of credential phishing.
Link: WordPress admin targeting with recipient identifier in URL fragment
Detects messages containing links to WordPress administrative paths (wp-admin, wp-content, wp-includes, etc.) where the URL fragment contains base64-encoded data that includes the recipient's email address, indicating potential targeted compromise attempts.
Link: WordPress login page with Blogspot Binance scam
Detects messages containing WordPress login links (/wp-login.php) combined with Blogspot domains and Binance cryptocurrency scam language patterns in the body text.
Link: Zoho form link from unsolicited sender
This detection rule matches on messages containing at least one link to forms.zohopublic.com from an unsolicited sender. Zoho provides a free plan enabling users to create custom websites and file hosting. This service has been abused by threat actors to host landing pages via forms directing victims to a next stage of credential phishing.
Lookalike sender domain (untrusted sender)
Sender's domain is a lookalike of one of your organization's domains and is untrusted.
Low reputation link to auto-downloaded HTML file with smuggling indicators
Message contains a low reputation link to an automatically downloaded HTML file that contains HTML smuggling indicators, such as atob function use, excessive hexadecimal (0x) usage, etc.
macOS malware: Compiled AppleScript with document double-extension
Detects compiled AppleScript files (.scpt) with document double-extensions (e.g., .docx.scpt, .pdf.scpt) commonly used in DPRK-attributed macOS malware campaigns. These files open in Script Editor when double-clicked and use social engineering (fake compatibility errors) to trick users into executing malicious reconnaissance scripts that fetch subsequent payload stages.
Malformed URL prefix
Malformed URL prefix is a technique used to evade email security scanners.
Malware: Pikabot delivery via URL auto-download
This rule detects URLs matching a known Pikabot pattern where the linked domain has been reported to URLhaus, or the link downloads an archive containing a JS file, or the hash of a file in the archive is found on MalwareBazaar.
MalwareBazaar: Malicious attachment hash (trusted reporters)
Detects attachments from untrusted senders whose SHA256 hash matches a SHA256 hash reported as malware on MalwareBazaar by trusted reporters.
MalwareBazaar: Malicious attachment hash in archive (trusted reporters)
Detects archive attachments containing a file whose SHA256 hash matches a hash reported as malware on MalwareBazaar by trusted reporters.
Mass campaign: Cross Site Scripting (XSS) attempt
Message subject or body contains Cross-Site Scripting (XSS) indicators, and was sent to multiple unknown senders. This is a known spam technique.
Mass campaign: recipient address in subject, body, and link (untrusted sender)
This rule detects a pattern commonly observed in mass phishing campaigns: the local_part or the full email address of the recipient is used in the subject, body, and link query parameter to "personalize" the attack.
Mass Outbound Group With Free File Host Domain
Detects when a sender contacts multiple unique domains and includes links to known free file hosting services.
Message traversed multiple onmicrosoft.com tenants
This detection rule identifies messages that have traversed multiple distinct onmicrosoft.com tenants. This technique has been observed as an evasion tactic to distribute a single message across a list of targeted recipients.
Microsoft Defender Attack phishing simulation
Identifies phishing simulations sent by Microsoft Defender Attack simulation training and excludes the message from live analysis.
Microsoft device code phishing
An attacker may generate a user code and send it to a target mailbox. With an appropriate lure, the targeted user may complete the device code login and provide an attacker with the means to take over their account. This rule looks for the presence of the Microsoft device login portal link, as well as mentions of 'device code' or a 9-character alphanumeric device code value.
Microsoft infrastructure abuse with suspicious patterns
Attackers have been observed abusing Microsoft's services, with suspicious indicators such as default Microsoft 365 domains (onmicrosoft.com), non-Microsoft return paths, or Resent-From headers.
Mismatched links: Free file share with urgent language
Detects messages from first-time senders containing free file sharing links, multiple urgent language indicators, and mismatched link text.
Navohost.com hosting link
The message contains a Navohost.com link, which can be used to host malicious content.
New Account Verification Code From Common IdP Vendor
Identifies incoming verification codes from Apple, GitHub, Microsoft, Google, Slack, and Facebook, typically associated with new account creation. We recommend commenting out vendors where your users already have accounts, as this may flag verification codes for existing accounts.