EXPLORE DETECTIONS
Service abuse: Google application integration redirecting to suspicious hosts
Detects legitimate Google application integration emails that contain links redirecting to free file hosting services or free subdomain hosts, including Microsoft OAuth redirects to suspicious domains. These could indicate abuse of Google's legitimate service for malicious redirects.
Service abuse: Google Calendar notification with callback scam language
Detects messages sent from Google's legitimate calendar notification service that contain callback scam language, indicating potential abuse of the calendar sharing feature to distribute fraudulent content.
Service abuse: Google classroom solicitation
Detects messages spoofing Google Classroom notifications that contain WhatsApp contact information, phone numbers, or sexually explicit content. The rule identifies emails from no-reply@classroom.google.com that include WhatsApp invitations, emojis in the subject line, or explicit sexual language, as well as phone numbers and WhatsApp references in message screenshots from first-time senders.
Service abuse: Google Drive share from an unsolicited reply-to address
Identifies messages appearing to come from Google Drive sharing notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Google services while attempting to establish unauthorized communication channels.
Service abuse: Google Drive share from new reply-to domain
A Google Drive sharing notification containing a reply-to address from a recently registered domain (less than 30 days old). The reply-to domain does not match any organizational domains.
Service abuse: Google Firebase sender address with suspicious content
Detects messages from Firebase hosted domains that contain suspicious indicators such as emojis, spam keywords, unusual link patterns, or freemail registrant information.
Service abuse: Google OAuth with suspicious redirect destination
Detects messages containing Google OAuth links with prompt=none parameter that redirect to suspicious domains including free file hosts, free subdomain providers, or self-service creation platforms.
Service abuse: HelloSign from an unsolicited sender address
Detects messages from HelloSign in which the document originates from a newly observed email address. The email address is extracted from across multiple message components, including HTML body templates and email header fields.
Service abuse: HelloSign share with suspicious sender or document name
The detection rule is designed to identify messages sent from HelloSign that notify recipients about a shared file and contain suspicious content either in the document or the sender's display name.
Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail
Detects inbound messages from hungerrush.com domain that contain SendGrid tracking pixels and reference redacted ProtonMail addresses, indicating potential abuse of legitimate services for suspicious targeting.
Service abuse: Meetup.com redirect with brand impersonation
Detects messages abusing Meetup.com's click tracking service with lengthy redirect URLs while impersonating legitimate Meetup communications. The rule identifies suspicious links to clicks.meetup.com with URLs exceeding 300 characters, excludes legitimate Meetup emails by checking for their branding elements, and filters out high-trust authenticated senders.
Service abuse: Microsoft Power Apps callback scam
Detects callback scam messages sent through Microsoft Power Apps that impersonate well-known brands like McAfee, Norton, Geek Squad, PayPal, or other services, containing suspicious transaction-related language and phone numbers to solicit victim contact.
Service abuse: Microsoft Power Automate callback scam impersonation
Detects callback scam attempts using the legitimate Microsoft Power Automate service email address with high-confidence callback scam language in the message body.
Service abuse: Microsoft Power BI callback scam
Detects callback scam content sent from the legitimate Microsoft Power BI service email address, indicating potential service abuse to distribute fraudulent callback solicitations.
Service abuse: Mimecast URL with excessive path length
Detects messages containing the second stage Mimecast redirect URL with unusually long paths, potentially indicating abuse of the Mimecast URL redirection service to obfuscate malicious destinations.
Service abuse: Monday.com callback scam
Detects callback scam solicitations originating from Monday.com's notification system using natural language understanding to identify fraudulent callback language in the message body.
Service abuse: Monday.com infrastructure with phishing intent
Detects unauthorized use of Monday.com tracking links in messages, attachments, or QR codes from unusual senders who lack proper authentication. Excludes legitimate replies and messages from trusted domains with valid DMARC.
Service abuse: Nifty.com with impersonation
Detects emails from nifty.com where the sender's local part matches a recipient's local part or the organizational SLD, a pattern observed in credential harvesting campaigns.
Service abuse: Nylas tracking subdomain with suspicious content
Detects messages containing links to Nylas tracking subdomains with display text and suspicious language patterns, indicating potential abuse of the email tracking service.
Service abuse: Payoneer callback scam
A fraudulent invoice or receipt in the body of a message sent by leveraging Payoneer's invoicing service. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a range of attacks, including financial theft, Remote Access Trojan (RAT) installation, or ransomware deployment.
Service abuse: QuickBooks notification from new domain
This Attack Surface Reduction (ASR) rule matches on QuickBooks notifications with recently registered reply-to domains.
Service abuse: QuickBooks notification with suspicious comments
This detection rule matches QuickBooks notifications that contain suspicious keywords within the comments section of the notification.
Service abuse: Recruiting with suspicious language patterns from legitimate platforms
Detects suspicious recruiting messages from legitimate services like Salesforce, LADesk, or AWS Apps with unusually long sender email addresses and recruiting-specific language patterns that may indicate abuse of trusted platforms for social engineering.
Service abuse: Roomsy with unrelated body content
Detects messages from Roomsy.com with a structured noreply sender pattern that contain content unrelated to travel, transportation, or order confirmations.