EXPLORE DETECTIONS
Service abuse: AppSheet infrastructure with suspicious indicators
Identifies messages that resemble credential theft, originating from AppSheet. Abuse of AppSheet infrastructure to send phishing attacks has been observed recently.
Service abuse: AWS SNS callback scam impersonation
Detects callback scam messages sent through Amazon Web Services Simple Notification Service (SNS) that impersonate well-known brands like McAfee, Norton, PayPal, and others. The rule identifies fraudulent purchase receipts or service notifications containing phone numbers to solicit victim callbacks, potentially leading to financial theft or malware installation.
Service abuse: Behance document sharing with suspicious language
Detects messages containing document sharing language with a single Behance gallery link, potentially indicating abuse of the legitimate Adobe Behance platform for malicious purposes.
Service Abuse: Box file sharing with credential phishing intent
Detects abuse of Box's legitimate infrastructure for credential phishing attacks.
Service abuse: Callback phishing via Microsoft Teams invite
Detects abuse of legitimate Microsoft Teams invites containing callback scam content, including brand references and financial transaction language with phone numbers.
Service abuse: Cisco secure email service with financial request
Detects messages abusing Cisco's secure email service (res.cisco.com) that contain financial topics or invoice requests, with mismatched reply-to domains and undisclosed recipients.
Service abuse: DocSend share from an unsolicited reply-to address
Detects DocSend shares that contain a reply-to address or domain that has not been previously observed by the recipient organization.
Service abuse: DocSend share from newly registered domain
This Attack Surface Reduction (ASR) rule matches on DocSend notifications with recently registered reply-to domains.
Service abuse: DocuSign notification with suspicious sender or document name
This detection rule matches messages sent from DocuSign with a newly observed reply-to address that contain suspicious content in the document name or sender display name.
Service abuse: DocuSign share from an unsolicited reply-to address
Detects DocuSign shares that contain a reply-to address or domain that has not been previously observed by the recipient organization.
Service abuse: Domains By Proxy sender
Message originates from a sender using Domains By Proxy's domain privacy service, commonly used to hide domain ownership information.
Service abuse: Dropbox share from an unsolicited reply-to address
This rule detects Dropbox share notifications which contain a reply-to address or domain that has not been previously observed sending messages to or receiving messages from the recipient organization.
Service abuse: Dropbox share from new domain
This Attack Surface Reduction (ASR) rule matches on Dropbox notifications with recently registered reply-to domains.
Service abuse: Dropbox share with suspicious sender or document name
This detection rule matches Dropbox file-share notifications sent to the recipient that contain suspicious content in the document name or sender display name.
Service Abuse: ExactTarget with suspicious sender indicators
Message originates from ExactTarget infrastructure but uses a suspicious sender domain, including overly long salesforce.com domains, awsapps.com domains, domains containing UTF-8 encoding characters, or a suspicious sender display name.
Service abuse: Facebook business with action required subject
Detects messages from the Facebook business domain containing 'action required' in the subject line, commonly used to create urgency in impersonation attacks.
Service abuse: File sharing impersonation with external SharePoint links
Detects inbound messages claiming to share files or invite access, containing SharePoint or OneDrive links from external domains. The rule identifies suspicious sharing notifications where link display text matches the sender's name rather than a legitimate document name, indicating potential impersonation of legitimate file sharing services.
Service abuse: FlipHTML5 with attachment deception and credential theft language
Detects messages that reference attachments without including any, contain links to FlipHTML5 services, and exhibit high-confidence credential theft language patterns.
Service abuse: Formester with suspicious link behavior
Detects abuse of the Formester form service where links either redirect to credential phishing pages, contain suspicious top-level domains in the final DOM and/or redirect history, or display 'secure message' text indicating potential credential theft.
Service abuse: Free provider with SendGrid routing
Message From header includes a free email provider domain but is routed through SendGrid infrastructure, indicating potential service abuse for delivery evasion.
Service abuse: GetAccept callback scam content
Detects callback scam language in messages sent through legitimate GetAccept infrastructure, indicating potential abuse of the service for fraudulent solicitation.
Service abuse: GitHub notification with excessive mentions and suspicious links
Detects messages impersonating GitHub notifications that contain excessive @ mentions (over 20) and include a single suspicious external link. The suspicious link may be from free file hosts, free subdomain hosts, URL shorteners, or newly registered domains. The rule filters out legitimate GitHub domains and internal employee communications while identifying potential abuse of GitHub's notification system.
Service Abuse: GoDaddy infrastructure
Detects messages from legitimate GoDaddy domains with suspicious indicators. This infrastructure has been observed abused in callback phishing and extortion campaigns.
Service abuse: Google account notification with links to free file host
Detects messages impersonating Google Accounts that contain links redirecting to known file hosting services.