Service abuse: Sendgrid credential theft with personalized request targeting single recipient
Detects messages sent through Sendgrid from new sender domains that contain credential theft language with high confidence. The message targets a single recipient whose email address appears in both the message body and link display text, indicating personalization tactics commonly used in targeted attacks.
Service abuse: SendGrid impersonation via Sendgrid from new sender
Detects messages impersonating SendGrid from new senders, while routing through legitimate SendGrid infrastructure. This pattern is commonly used to abuse trusted email services for malicious purposes.
Service abuse: SendGrid-formatted link with actor-controlled fragment
Detects messages containing SendGrid or SendGrid-like links with base64-encoded zlib-compressed JSON in the URL fragment, indicating potential abuse of legitimate email services for malicious purposes.
Service abuse: SendThisFile with credential theft and financial language
Detects messages from sendthisfile.com containing credential theft language combined with financial communications topics.
Service abuse: Substack credential theft with confusable characters and branded button redirects
Detects messages from Substack that use confusable characters in the sender display name, contain purple buttons or typical button classes that redirect to non-Substack domains, and include credential theft content with urgency indicators.
Service abuse: SurveyMonkey survey from newly registered domain
This Attack Surface Reduction (ASR) rule matches on SurveyMonkey Surveys with recently registered reply-to domains.
Service abuse: Suspicious Zoom Docs link
Detects messages from Zoom Docs in which the document originates from a newly observed email address or contains suspicious indicators.
Service abuse: Task management message sent via SendGrid
Detects messages impersonating task or productivity applications by using 'todo list' in the subject line or body while utilizing SendGrid infrastructure. The sender claims to be task-related through display name or body content but originates from non-legitimate domains without proper DMARC authentication.
Service abuse: Trello board invitation with VIP impersonation
Detects fraudulent Trello board invitations that impersonate organization VIPs by using organization domain names in board titles and including notes purportedly from legitimate company executives.
Service abuse: Vimeo with external plain-text links in message
Detects messages abusing Vimeo notifications about received messages that contain plain-text links redirecting to domains other than Vimeo, potentially leading users to malicious websites.
Service abuse: WeTransfer callback scam
Detects callback scams originating from a legitimate WeTransfer noreply address, using natural language processing to identify high-confidence callback scam intent in the message body.
Service abuse: Wix redirect through bulk mailer domains
Detects messages containing Wix-encoded links that redirect through bulk mailing service domains, potentially bypassing security controls through legitimate redirect services.
Sharepoint file share with suspicious recipients pattern
This rule detects messages originating from sharepoint.com with undisclosed recipients that attempt to solicit the user to click a link. This has been observed in the event of an account compromise, where the compromised account was using legitimate file sharing services to share malicious links.
Sharepoint link likely unrelated to sender
Detects when a sender links to a SharePoint file where the subdomain differs significantly from the sender's domain. The rule checks for OneNote, PDF, or unknown file types and includes various domain validation checks.
Sharepoint online with external recipients and external display name
Detects an email from SharePoint Online that was sent to multiple recipients and whose sender, judged by display name, does not belong to your organization.
SharePoint OTP for filename matching org name
Detects Microsoft One-Time Passcode (OTP) messages where the shared document’s filename matches the sending organization's name. This typically indicates the recipient has verified their email address and is about to access a SharePoint file. Matching the document name to the sender's org is a pattern observed in multi-stage credential phishing campaigns, where attackers use branded file names to increase credibility and lure users into interacting with malicious content.
Shopify infrastructure abuse
Attackers have been observed using myshopify.com links to bypass domain reputation checks.
Spam: Attendee list solicitation
This rule detects messages claiming to have the attendee list from a specific event. They may list various information such as the number of contacts, the demographic, and sample contacts. The messages typically offer to send pricing information upon request.
Spam: BlackBaud infrastructure abuse
A malvertising campaign has been observed abusing a compromised account with BlackBaud. These campaigns have been leveraging brands like Disney+, Netflix, Paramount+, Peacock, and UPS, and impersonating the likeness of Elon Musk.
Spam: Campaign with excessive display-text and keywords found
Detects affiliate marketing spam where any link has display text longer than 3000 characters and specific keyword values are found.
Spam: Campaign with excessive space/char obfuscation and free file hosted link
This rule detects mass spam campaigns that use excessive space padding and links hosted on free file hosting services.
Spam: Commonly observed formatting of unauthorized free giveaways
Detects commonly observed formatting of unauthorized giveaways, free tools, and products by multiple different brands.
Spam: Cryptocurrency airdrop/giveaway
Detects messages promoting cryptocurrency airdrops, token claims, or wallet-related rewards.
Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
The default Microsoft Exchange Online sender domain, onmicrosoft.com, is commonly used to send unwanted and malicious email. Enable this rule in your environment if receiving email from the onmicrosoft.com domain is unexpected behaviour.