EXPLORE DETECTIONS
Spam: Fake dating profile notification
Detects dating-themed messages from free email providers containing links with the recipient's email address embedded in URL parameters, combined with suspicious language or topics in the message body.
Spam: Fake photo share
Message contains pretexting language about sharing photos ("found these photos and thought you'd like them", "remember these photos?") and a link with a newly registered domain. Fake threads and plain text bodies have been seen in the wild, indicating active evasion techniques.
Spam: Firebase password reset from suspicious sender
Detects Firebase password reset messages from suspicious or new senders that may be attempting to abuse the Firebase authentication service.
Spam: Ghostwriting services scam with manipulative language
Detects unsolicited messages promoting ghostwriting or book publishing services that use manipulative language patterns commonly seen in scams, such as offering complimentary samples, expressing fascination with the recipient's achievements, or requesting personal information under the guise of writing assistance.
Spam: Item giveaway spam template
This detection rule matches on observed HTML templates impersonating multiple popular brands that are used to deliver spam. The lure often leverages a theme of item giveaways or a chance to win an item for completing a survey.
Spam: Link to blob.core.windows.net from new domain (<30d)
This rule detects messages containing a link to blob.core.windows.net from a sender domain less than 30 days old. A single recipient is present, but it is a random email address rather than someone at the organization.
Spam: Mastercard promotional content with image-based body
Detects messages promoting untrustworthy Mastercard credit cards that contain both financial communications and promotional content topics, with the message body primarily consisting of image content rather than text. Excludes legitimate payment-related Mastercard communications and applies additional scrutiny to high-trust sender domains that fail DMARC authentication.
Spam: New job cold outreach from unsolicited sender
Detects unsolicited messages congratulating recipients on new jobs or roles that contain unsubscribe links, calendar booking links, or exhibit B2B cold outreach characteristics from senders who have not been previously contacted.
Spam: New link domain (<=10d) and emojis
Detects spam from freemail senders where the linked domain is less than 10 days old and emojis are present.
Spam: Personalized subject and greetings via Salesforce Marketing Cloud
Detects messages sent through Salesforce Marketing Cloud infrastructure that contain a fake previous email thread, where both the current and previous threads start with the same greeting pattern extracted from the subject line.
Spam: Sendersrv.com with financial communications and unsubscribe language
Detects messages from sendersrv.com infrastructure containing unsubscribe language and financial communication topics, indicating potential abuse of the bulk email service for unauthorized financial solicitations.
Spam: Sexually explicit content with emoji in subject from freemail provider
Detects messages from free email providers that contain sexually explicit content and include emojis in the subject line.
Spam: Sexually explicit Google Drive share
Detects suspicious Google Drive shares containing inappropriate content or suspicious patterns. The rule looks for shares from non-organizational domains that contain emojis or explicit keywords.
Spam: Sexually explicit Google group invitation
Detects suspicious Google Groups invitations containing inappropriate content or suspicious patterns. The rule looks for invites from non-organizational domains that contain random alphanumeric strings, explicit keywords, or suspicious call-to-action phrases in the group names or descriptions.
Spam: Sexually explicit Looker Studio report
Detects suspicious Looker Studio reports containing inappropriate content or suspicious patterns. The rule looks for reports from non-organizational domains that contain emojis or explicit keywords within the report.
Spam: Single recipient duplicated in cc
Detects spam emails where the 'To' and 'CC' fields match, using indicators such as short body length with spam keywords, unsolicited content, DMARC failures, fake threads, and suspicious links.
Spam: SMTP & Proxy Communications in Email Body
Detects emails containing SMTP and proxy (SOCKS5) command-and-control information within the body of the message.
Spam: Unsolicited malformed PDF
This rule is designed to identify spam messages featuring a single malformed PDF attachment often leading to romance scam, pornographic, or dating websites. These emails typically contain short body text and intentionally distorted PDFs to avoid detection.
Spam: Unsolicited WordPress account creation or password reset request
Detects messages containing WordPress password reset links where the login parameter does not match the recipient's email address. The rule triggers for unsolicited senders, previously malicious senders, or when DMARC authentication fails.
Spam: URL shortener with short body content and emojis
Detects spam from freemail senders where the majority of the body consists of a URL shortener link and emojis.
Spam: Website errors solicitation
This rule detects messages claiming to have identified errors on a website. The messages typically offer to send pricing or information upon request.
Spam/fraud: Predatory journal/research paper request
Detects messages related to academic research and publishing that contain suspicious patterns including character manipulation, flattering language, time pressure tactics, and domain registration anomalies. Focuses on unsolicited invitations for manuscript submissions, peer reviews, or editorial roles.
SPF temp error
Attackers can spoof domains that have no MX/SPF records, resulting in a DNS timeout. In O365 this fails closed (goes to spam), but in Gmail this fails open (lands in the inbox) and shows a red padlock.
Reproduce on Ubuntu 18.04:
echo "test" | mail -s "Test" user@gmail.com -a"From: Support <support@nomxdomain.com>"
Example headers:
Received-SPF: temperror (google.com: error in processing during lookup of support@ltbit.com: DNS error) client-ip=<>;
Authentication-Results: mx.google.com; spf=temperror (google.com: error in processing during lookup of support@nomxdomain.com: DNS error) smtp.mailfrom=support@nomxdomain.com
Spoofable internal domain with suspicious signals
The sender is a known org domain but does not use a known org display name. The SPF and DMARC verdicts are "none", which means the domain is spoofable. We then look for a combination of other suspicious signals, such as a suspicious link or suspicious language. False positives may occur with automated sending systems that send rich text emails, in which case we can add additional signals or exclude those senders.