Open redirect: typedrawers.com
Detects messages containing links or QR codes pointing to typedrawers.com/home/leaving with a target parameter, sent from non-trusted domains or from authenticated sources that fail DMARC checks. Considers sender reputation and requires either unsolicited contact or prior malicious activity with no false positives on record.
Open redirect: U.S. Antarctic Program Data Center (USAP-DC)
Message contains use of the U.S. Antarctic Program Data Center (USAP-DC) open redirect.
Open redirect: unitedwaynwvt.org
Message contains use of the unitedwaynwvt.org open redirect. This has been exploited in the wild.
Open redirect: ust.hk
Message contains use of the ust.hk open redirect. This has been exploited in the wild.
Open redirect: vconfex.com
Message contains use of the vconfex.com open redirect. This has been exploited in the wild.
Open redirect: VK
Message contains use of the VK open redirect, but the sender is not VK. This has been exploited in the wild.
Open redirect: weblinkconnect.com
Message contains use of the weblinkconnect.com open redirect, but the sender is not weblinkconnect.com. This has been exploited in the wild.
Open redirect: whitefox.pl
Message contains use of the whitefox.pl open redirect. This has been exploited in the wild.
Open redirect: Xfinity CMP Redirection to Google AMP
Detects when non-Xfinity senders abuse Xfinity's CMP redirection service to reach Google AMP pages. The rule specifically looks for targetURL parameters containing Google AMP paths in links from untrusted or previously malicious senders.
Open redirect: xfinity.com
Message contains use of the xfinity.com open redirect. This has been exploited in the wild.
Open redirect: YouTube
Looks for use of the YouTube open redirect coming from someone other than YouTube.
Open redirect: YouTube --> Google Redirection Chain
Message contains use of a redirect chain that involves YouTube and Google AMP. This has been exploited in the wild.
Outbound message to disposable email provider
Possible exfiltration of sensitive information or files.
Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag
The exploit involves tricking Outlook for Windows into displaying a fake domain while opening another one. This is achieved by adding a <base> HTML tag with a fake domain and a left-to-right mark (Unicode U+200E). Links within <a> tags will display the fake domain but open the actual domain when clicked on.
PayPal invoice abuse
A fraudulent invoice or receipt found in the body of the message, sent by exploiting PayPal's invoicing service. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
PDF attachment with Google (AE) redirecting to a php or zip file
Detects a PDF attachment with a link that contains a Google.ae redirect URL.
PhaaS: Impact Solutions (Impact Vector Suite)
Identifies the use of the Impact Solutions PhaaS. Impact Vector Suite is a full-spectrum payload delivery platform, engineered for stealth-optimized execution across all major deployment vectors.
PHP Mailer with common phishing attachments
Mail coming from a PHP Mailer user agent that includes attachments with names commonly used in phishing campaigns.
Potential prompt injection attack in body HTML
Detects messages containing references to major AI tools (like Gemini, Copilot, ChatGPT, or Claude) in non-standard HTML elements.
Privatelayer VPS in Headers
The message was sent using a Privatelayer VPS, a provider known to be used for phishing.
Proofpoint Security Awareness phishing simulation
Identifies phishing simulations sent by Proofpoint and excludes the message from live analysis.
Punycode sender domain
The sender's domain contains punycode, an encoding attackers use to impersonate legitimate domains with look-alike characters.
QR code to auto-download of a suspicious file type (unsolicited)
A QR code in the body of the email leads to an automatic download of a suspicious file type (or embedded file) such as an LNK, JS, or VBA file. Auto-downloaded archives are recursively exploded to detect these file types within them.
QR Code with suspicious indicators
This rule flags messages with QR codes in attachments when there are three or fewer attachments. If no attachments are present, the rule captures a screenshot of the message for analysis. Additional triggers include: sender's name containing the recipient's SLD, recipient's email mentioned in the body, an empty message body, a suspicious subject, or undisclosed recipients.