EXPLORE DETECTIONS
VIP impersonation with urgent request (strict match, untrusted sender)
The sender is using a display name that matches the display name of someone in your $org_vips list. Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body of messages from untrusted senders.
VIP impersonation with w2 request with reply-to mismatch
This rule detects emails attempting to impersonate a VIP requesting a W-2 with a reply-to mismatch.
VIP impersonation: Fake thread with display name match, email mismatch
This rule is intended to detect fake threads that are impersonating a VIP. It looks for a matching $org_vips display name and checks that the email address following it does not match what is in the $org_vips list.
VIP local_part impersonation from unsolicited sender
This rule identifies potential impersonation attempts involving the local part of an $org_vip email address. Specifically, it checks for cases where the local part of an $org_vip email (e.g., local_part@domain.com) appears with a different domain (e.g., local_part@foreigndomain.com). Additionally, the rule flags messages that match an $org_vip address exactly but fail authentication.
X (Twitter) impersonation with credential phishing motives
This rule is designed to identify impersonation attempts by analyzing the display name or sender's local part for the solitary use of "X", provided the email doesn't originate from twitter.com or x.com. Natural Language Understanding (NLU) is used to check for credential theft, requiring a medium-to-high confidence level for flagging.
Xero infrastructure abuse
Identifies messages originating from Xero that resemble credential theft. Xero infrastructure abuse has recently been observed in phishing attacks.
Xero invoice abuse
Detects suspicious Xero invoice communications containing urgent payment requests where the sender's display name contains either confusable characters or impersonates internal services like HR or IT support.
Zoom Events newsletter abuse
Detects suspicious content in Zoom Events notifications that contain credential theft language and links to file hosting sites.