EXPLORE DETECTIONS
New link domain (<=10d) from untrusted sender
Detects emails from untrusted senders that contain body links whose linked domain is less than 10 days old.
New sender domain (<=10d) from untrusted sender
Detects inbound emails from untrusted senders whose sender domain is less than 10 days old.
Newly registered sender or reply-to domain with newly registered linked domain
This rule detects inbound emails that contain links and a reply-to address, where either the sender domain or the reply-to domain is newly registered (≤30 days old), and at least one linked domain is also very new (≤14 days old). It flags potential phishing or business email compromise attempts that use recently created infrastructure and reply-to mismatch tactics to bypass trust and impersonate legitimate contacts.
NINJIO phishing simulation
Identifies phishing simulations sent by NINJIO and excludes the message from live analysis.
Non-RFC compliant calendar files from unsolicited sender
Detects calendar (.ics) files that do not follow RFC standards by lacking required UID identifiers while containing specific calendar components (VTODO, VJOURNAL, VFREEBUSY, or VEVENT). Forged ICS calendar invites can be spoofed to seemingly originate from any sender.
Notion suspicious file share
Message contains a Notion link that contains suspicious terms. You may need to deactivate or fork this rule if your organization uses Notion.
Observed IOC: Malicious domains in body links
Detects inbound messages containing links to known malicious domains in the message body. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.
Observed IOC: Malicious reply-to domains
Detects inbound messages with reply-to headers containing known malicious domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.
Observed IOC: Malicious reply-to email addresses
Detects inbound messages with reply-to headers containing known malicious email addresses. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.
Observed IOC: Malicious reply-to root domains
Detects inbound messages with reply-to headers containing known malicious root domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.
Observed IOC: Malicious root domains in body links
Detects inbound messages containing links to known malicious root domains in the message body. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.
Observed IOC: Malicious sender domains
Detects inbound messages sent from known malicious sender domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.
Observed IOC: Malicious sender email addresses
Detects inbound messages from known malicious sender email addresses. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.
Observed IOC: Malicious sender root domains
Detects inbound messages sent from known malicious sender root domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.
Observed IOC: Malicious URLs in body links
Detects inbound messages containing specific known malicious URLs in the message body. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed.
Office 365 fake file share
Open redirect (go2.aspx) leading to Microsoft credential phishing
This rule is designed to detect credential phishing attacks that exploit go2.aspx redirects and masquerade as Microsoft-related emails.
Open redirect: adnxs.com
Message contains use of the adnxs.com redirect with getuid parameter. This has been exploited in phishing campaigns to redirect users to malicious sites.
Open redirect: agena-smile.com
Message contains use of the agena-smile.com redirect with wptouch_switch parameter. This has been exploited in the wild for phishing.
Open redirect: amaterasu-for-website-5.com
Detects messages containing amaterasu-for-website-5.com redirect links that use the url parameter to redirect users to malicious sites. This has been observed in phishing campaigns.
Open redirect: api.spently.com
Message contains use of the api.spently.com redirect. This has been exploited in the wild.
Open redirect: Artisteer
Message contains use of the Artisteer open redirect, but the sender is not Artisteer. This has been exploited in the wild.
Open redirect: artkaderne
Message contains use of an open redirect on artkaderne.dk. This has been exploited in the wild.
Open redirect: asemailmgmteu.com
Message contains use of the asemailmgmteu.com open redirect. This has been exploited in the wild.