EXPLORE DETECTIONS
Stark Industries VM Servers: Suspicious Sender
A message originating from a VM server within the stark-industries.solutions infrastructure, which may indicate unauthorized use of their systems for malicious purposes.
Stripe invoice abuse
A fraudulent invoice/receipt found in the body of a message sent by abusing Stripe's invoicing service. Callback phishing is an attempt by an attacker to get the victim (recipient) to call a phone number. The resulting interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Subject and sender display name contains matching long alphanumeric string
Detects messages where both the subject line and sender display name contain identical alphanumeric strings that are between 32 and 64 characters, which may indicate automated generation or coordination between these fields for malicious purposes.
Subject: Suspicious bracketed reference
Detects messages with subject lines containing bracketed patterns that follow a specific format with repeated characters, numeric sequences, and structured tracking identifiers commonly used in malicious automated messaging systems.
Suspected cross-site scripting (XSS) found in subject
This rule detects Cross-Site Scripting (XSS) attempts within email subjects. It bypasses messages from highly trusted domains unless they fail authentication. However, the rule remains flexible, triggering even for trusted domains when emails are sent from Google Groups, ensuring thorough protection against potential threats while minimizing false positives.
Suspected lookalike domain with suspicious language
This rule identifies messages where links use typosquatting or lookalike domains similar to the sender domain, with at least one domain being either unregistered or recently registered (≤90 days). The messages must also contain indicators of business email compromise (BEC), credential theft, or abusive language patterns such as financial terms or polite phrasing like "kindly". This layered approach targets phishing attempts that combine domain deception with manipulative content.
Suspected WordPress abuse with cross-site scripting (XSS) indicators
Detects inbound messages from likely compromised WordPress sites that exhibit indicators of cross-site scripting (XSS) attempts. The rule identifies potential script injection patterns within message bodies and/or subjects containing multiple suspicious JavaScript-related keywords or indicators.
Suspicious attachment with unscannable Cloudflare link
A PDF or Office document contains suspicious URLs that lead to Cloudflare-protected pages gated by Turnstile CAPTCHA challenges. The sender uses deceptive display names and subjects indicating urgency or authority.
Suspicious attachment: Duplicate decoy PDF files
This rule identifies messages that contain duplicate PDF attachments, defined as either having identical filenames or matching MD5 hash values. Furthermore, the PDF files in question must lack any readable text and must not include hyperlinks.
Suspicious display name: Gmail sender with engaging language
Detects Gmail senders using display names with suspicious language patterns commonly associated with social engineering tactics, including urgency indicators, contact requests, and verification prompts.
Suspicious DocuSign share from new domain
DocuSign shares with new reply-to addresses have been seen in recent attacks.
Suspicious invoice reference with missing or image-only attachments
This rule flags emails that reference invoices or payments but have suspicious characteristics: attachments are either missing or only images. It also checks for misleading links disguised as attachments and the presence of invoice-related keywords. The rule looks for potential credential theft or unusual requests, making it a strong indicator of phishing attempts.
Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender
This rule detects messages containing links to Looker Studio that use a non-standard Looker Studio template, sent from a new and unsolicited sender.
Suspicious Link to TLD with Iranian Manticore Signals
Detects messages containing links to specific top-level domains (.online, .best, .info, .xyz, .fashion, .fit) that also exhibit technical indicators associated with Iranian Educated Manticore activity, including specific API calls and React debug messages.
Suspicious Links to Cloudflare R2 and Edge Services
Detects links to Cloudflare R2 storage buckets, Pages, and Workers domains from unsolicited or previously malicious senders who are not on a trusted sender list or have failed DMARC authentication.
Suspicious mailer received from Gmail servers
The mailer is atypical of messages sent from Gmail infrastructure. Observed delivering callback phishing and general spam.
Suspicious message with unscannable Cloudflare link
This rule detects messages with unscannable links to Cloudflare infrastructure, with suspicious indicators in the subject or display name, from an unsolicited sender.
Suspicious message with unscannable Vercel link
This rule detects messages with unscannable links to Vercel infrastructure, with suspicious indicators in the subject or display name, from an unsolicited sender.
Suspicious newly registered reply-to domain with engaging financial or urgent language
Detects messages from an untrusted sender with a mismatched, newly registered reply-to domain that contain either a financial or urgent request, or a request together with an NLU tag of medium to high confidence. This technique is typically observed in vendor impersonation.
Suspicious Office 365 app authorization (OAuth) link
Message contains a suspicious Office 365 app authorization (OAuth) link. The app may be compromised or was stood up for malicious purposes. Once the app has been authorized, the attacker will have read or write permissions to the user's Office 365 account.
Suspicious recipient pattern and language with low reputation link to login
Message contains a suspicious recipient pattern, financial or urgent language, and a suspicious link, with a login page and confusable characters or multiple redirects.
Suspicious recipients pattern with NLU credential theft indicators
Detects messages with undisclosed recipients (likely all BCC) where NLU has identified credential theft intent with medium to high confidence, and the message contains a link to a suspicious, low-reputation domain.
Suspicious recipients pattern with no Compauth pass and suspicious content
Detects messages with undisclosed recipients (likely all BCC), where the Compauth verdict is not 'pass' and ML has identified suspicious language or credential phishing links.
Suspicious request for financial information
Email is from a suspicious sender and contains a request for financial information, such as AR reports.