EXPLORE DETECTIONS
Reconnaissance: All recipients cc/bcc'd or undisclosed
Recon messages, a form of deliverability testing, are used to confirm that a recipient address is live, often as a precursor to an attack. Here all recipients are cc'd, bcc'd or undisclosed, the message carries no links or attachments, and the subject and body are short and come from an unknown sender.
Reconnaissance: Email address harvesting attempt
Detects potential email harvesting or credential phishing attempts where short messages contain email addresses in the body text. These messages often try to extract contact information or validate email addresses for future attacks.
Reconnaissance: Empty message from uncommon sender
Detects incoming messages that are completely empty, containing no subject line, message body content, or file attachments. Such messages may be used for reconnaissance, delivery confirmation, or as part of multi-stage attacks.
Reconnaissance: Empty subject with mismatched reply-to from new sender
Message with no subject line from a new sender where the reply-to address differs from the sender address, potentially indicating header manipulation or impersonation tactics.
Reconnaissance: Hotel booking reply-to redirect
Detects messages posing as hotel booking inquiries: the body uses common hotel-related language, and the reply-to address is at a free email provider and differs from the sender domain. Such messages are used to confirm that a recipient address is live and to redirect replies, potentially preceding an attack.
Reconnaissance: Large unknown recipient list
Recon messages, a form of deliverability testing, are used to confirm that a recipient address is live, often as a precursor to an attack. Here the message is addressed to a large number of recipients unknown to the organization, carries no links or attachments, and has a short subject and body from an unknown sender.
Reconnaissance: Short generic greeting message
Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks.
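The reconnaissance rules above share one shape: an unknown sender, little or no content, no links or attachments, and a recipient or reply-to pattern that gives the probe away. The block below is an added example, not code from this page or from the detection platform it catalogs, that parses raw RFC 5322 messages with Python's standard `email` module and reports which of these heuristics a message trips. The organization domain, the `KNOWN_SENDERS` allowlist (standing in for the sender history the real rules consult), the size thresholds and the sample messages are all assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumptions for this example (not part of the catalog): the organization's
# own domain, a small allowlist standing in for the sender history the real
# rules consult, and a fixed threshold for a "large" recipient list.
ORG_DOMAIN = "corp.example"
KNOWN_SENDERS = {"alice@partner.example"}
LARGE_LIST = 10

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
GREETING_RE = re.compile(r"^(hi|hello|hey|good (morning|afternoon|day))[\s!.,]*$", re.IGNORECASE)


def _addrs(msg, header):
    """Addresses in a header; a member-less group such as 'undisclosed-recipients:;' yields none."""
    return [a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a]


def _body_text(msg):
    """Concatenated text of the non-attachment text parts."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart" or part.get_filename():
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks).strip()


def recon_signals(raw):
    """Return the names of the reconnaissance heuristics a raw RFC 5322 message trips."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    to_addrs, cc_addrs = _addrs(msg, "To"), _addrs(msg, "Cc")
    subject = (msg.get("Subject") or "").strip()
    body = _body_text(msg)
    has_attachment = any(p.get_filename() for p in msg.walk())

    unknown_sender = sender not in KNOWN_SENDERS and not sender.endswith("@" + ORG_DOMAIN)
    short = len(subject) <= 40 and len(body) <= 200
    no_links_or_files = not URL_RE.search(body) and not has_attachment
    unknown_rcpts = [a for a in to_addrs + cc_addrs if not a.endswith("@" + ORG_DOMAIN)]

    hits = []
    if unknown_sender and short and no_links_or_files and not to_addrs:
        hits.append("recon_all_undisclosed")      # nobody in To: everyone was cc'd/bcc'd
    if unknown_sender and short and no_links_or_files and len(unknown_rcpts) >= LARGE_LIST:
        hits.append("recon_large_unknown_recipient_list")
    if unknown_sender and not subject and not body and not has_attachment:
        hits.append("recon_empty_message")
    if unknown_sender and not subject and reply_to and reply_to.lower() != sender:
        hits.append("recon_empty_subject_reply_to_mismatch")
    if unknown_sender and GREETING_RE.match(body):
        hits.append("recon_short_generic_greeting")
    return hits


# Constructed samples, not real traffic.
BCC_PROBE = """\
From: Pat Jones <pjones@mail-probe.example>
To: undisclosed-recipients:;
Subject: Hello
Content-Type: text/plain

Please confirm you received this.
"""

EMPTY_REPLY_TO = """\
From: Sam <sam@freemail.example>
Reply-To: billing@other-freemail.example
To: bob@corp.example
Content-Type: text/plain

"""

GREETING = """\
From: Support <noreply@random-host.example>
To: bob@corp.example
Subject: Hi
Content-Type: text/plain

Hello!
"""

LARGE = ("From: Dana <dana@unknown-sender.example>\nTo: "
         + ", ".join(f"user{i}@other{i}.example" for i in range(12))
         + "\nSubject: test\nContent-Type: text/plain\n\ntest\n")

LEGIT = """\
From: Alice <alice@partner.example>
To: bob@corp.example
Subject: Q3 invoice
Content-Type: text/plain

Hi Bob, the invoice is at https://portal.partner.example/inv/123
"""

if __name__ == "__main__":
    for label, raw in [("BCC_PROBE", BCC_PROBE), ("EMPTY_REPLY_TO", EMPTY_REPLY_TO),
                       ("GREETING", GREETING), ("LARGE", LARGE), ("LEGIT", LEGIT)]:
        print(f"{label}: {recon_signals(raw)}")
```

The sender-history check is the load-bearing part: every signal is gated on the sender being unknown, because an empty or one-word message from an established contact is noise, not reconnaissance. In a real pipeline that gate is backed by mail-flow history rather than a static set.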
Recruitee Infrastructure Abuse
Identifies inbound messages from Recruitee domains containing recruitment-related topics and application links, where the sender has limited prior history. The URLs in these messages either point to recently registered domains or appear as standalone links with application-focused text.
Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment
RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations. These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss or data leakage. This variant carries an attachment with HTML smuggling characteristics.
Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations. These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss or data leakage. This variant is distinguished by a suspicious sender or recipient pattern rather than by an attachment.
Rootlayer VPS in Headers
The message was sent using a Rootlayer VPS, a provider known to be used for phishing.
Russia return-path TLD (untrusted sender)
The return-path header is a .ru TLD from an untrusted sender.
Salesforce infrastructure abuse
Identifies messages resembling credential theft that originate from Salesforce infrastructure. Abuse of Salesforce infrastructure to send phishing attacks has been observed recently.
Scam: Piano giveaway
Identifies a fraud scheme commonly aimed at educational institutions: the email offers a free piano, typically framed as downsizing or a giveaway. The rule matches the content characteristics of that lure in incoming mail.
Self-sender with copy/paste instructions and suspicious domains (French/Français)
Detects messages where the sender emails themselves with French text containing 'copier' (copy) and 'coller' (paste) instructions, along with suspicious domains like pages.dev or web.app. The subject line contains both the sender's email and display name, which are different values.
Self-sent fake PDF attachment with misleading link
Detects messages sent from a user to themselves containing a fake PDF icon from Google's CDN, claiming to have an attachment while only containing images, and including links that appear to be PDF files.
Sender name contains Active Directory distinguished name
Sender's display name contains an Active Directory distinguished name or a similar string. This has been observed as a malicious indicator in the wild.
Sender: IP address in local part
Detects messages where the sender's email local part contains an IPv4 address, which is commonly used in malicious campaigns to bypass filters or appear legitimate.
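The sender-header rules above (.ru return-path from an untrusted sender, self-sender with both display name and address in the subject, Active Directory distinguished name in the display name, IPv4 address in the local part) are all string checks on a handful of headers. The block below is an added example, not code from this page or from the detection platform it catalogs, that implements those four checks over a header dictionary. The header samples and the `known_senders` set (a stand-in for sender reputation) are constructed assumptions; the IPv4 check validates octet ranges so that a string like `1.2.3.256` does not count.

```python
import ipaddress
import re
from email.utils import parseaddr

# A dotted quad not glued to other digits; the octet range is checked separately.
IPV4_CANDIDATE = re.compile(r"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")
# LDAP-style distinguished name: a CN= component followed by OU=/DC=/O= components.
AD_DN_RE = re.compile(r"\bCN=[^,]+(?:,\s*(?:OU|DC|O)=[^,]+)+", re.IGNORECASE)


def local_part_has_ipv4(address):
    """True when the local part (before the last '@') embeds a valid IPv4 address."""
    local = address.rpartition("@")[0]
    for cand in IPV4_CANDIDATE.findall(local):
        try:
            ipaddress.IPv4Address(cand)   # rejects octets above 255
            return True
        except ValueError:
            continue
    return False


def sender_indicators(headers, known_senders=frozenset()):
    """Evaluate sender-header heuristics on a dict of header name -> value.

    `known_senders` is an assumed stand-in for sender history; the .ru rule in
    the catalog fires only for untrusted senders, so it is gated on that set.
    """
    name, addr = parseaddr(headers.get("From", ""))
    _, to_addr = parseaddr(headers.get("To", ""))
    _, return_path = parseaddr(headers.get("Return-Path", ""))
    subject = headers.get("Subject", "")
    hits = []
    if local_part_has_ipv4(addr):
        hits.append("ipv4_in_sender_local_part")
    if AD_DN_RE.search(name):
        hits.append("ad_distinguished_name_in_display_name")
    rp_domain = return_path.rpartition("@")[2].lower()
    if rp_domain.endswith(".ru") and addr.lower() not in known_senders:
        hits.append("return_path_ru_tld")
    # Self-sent message whose subject carries both the display name and the
    # address, the two being different strings.
    if (addr and addr.lower() == to_addr.lower() and name
            and name.lower() != addr.lower() and name in subject and addr in subject):
        hits.append("self_sent_with_identity_in_subject")
    return hits


# Constructed header samples, not real traffic.
SAMPLES = {
    "ip_in_local_part": {"From": "Support <192.168.10.25@alerts-mail.example>",
                         "To": "bob@corp.example"},
    "ad_dn_display_name": {"From": '"CN=Bob Ray,OU=Staff,DC=corp,DC=example" <bob.ray@corp.example>',
                           "To": "bob@corp.example"},
    "self_sent_ru": {"From": "Bob <bob@corp.example>", "To": "bob@corp.example",
                     "Subject": "Bob bob@corp.example", "Return-Path": "<x@relay.example.ru>"},
    "not_an_ip": {"From": "Sales <1.2.3.256@shop.example>", "To": "bob@corp.example"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label}: {sender_indicators(hdrs)}")
```

Quoting the display name in the DN sample matters: an unquoted `CN=Bob Ray,OU=Staff` would be split on the commas by any RFC 5322 address parser, which is also why this indicator tends to surface as a quoted, comma-laden display name in the wild.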
Sendgrid onmicrosoft.com domain phishing
The message is from an onmicrosoft.com email address and was sent via Sendgrid.
Sendgrid voicemail phish
The message may contain a fake voicemail notification being sent via Sendgrid.
Service abuse: Adobe Creative Cloud share from an unsolicited sender address
Detects messages from Adobe Creative Cloud in which the document originates from a newly observed email address. The email address is extracted from the HTML body.
Service abuse: Adobe legitimate domain with document approval language
Detects messages from Adobe's legitimate email domain containing suspicious language about document or payment approval that may indicate service abuse.
Service abuse: Adobe Sign notification from an unsolicited reply-to address
Identifies messages appearing to come from Adobe Sign signature notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Adobe services while attempting to establish unauthorized communication channels.
Service abuse: Apple TestFlight with suspicious developer reference
Detects legitimate Apple TestFlight emails that reference potentially suspicious developers or apps, including variations of OpenAI, ChatGPT, or Meta in the app description or developer name fields.