EXPLORE DETECTIONS

1,048 detections found

Attachment: HTML smuggling with unescape

Recursively scans files and archives to detect HTML smuggling techniques.

Techniques: T1566, T1566.001, T1566.002, T1598, T1204.002 (+4 more)
Source: Sublime; severity: high

Attachment: HTML with emoji-to-character map

Detects inbound messages containing HTML attachments with an unusually high number of emojis in a list, sent from untrusted or suspicious senders who lack an established sending history or have previous malicious behavior.

Techniques: T1566, T1566.001, T1566.002, T1598, T1036 (+3 more)
Source: Sublime; severity: high

Attachment: HTML with hidden body

This rule identifies HTML attachments which begin directly with a hidden body element. This has been observed in phishing campaigns to hide the content of an otherwise benign HTML attachment that then has remote content injected into the body.

Techniques: T1566, T1566.001, T1566.002, T1598, T1036 (+2 more)
Source: Sublime; severity: high

Attachment: HTML with JavaScript functions for HTTP requests

This rule identifies HTML attachments which contain multiple references to JavaScript functions that support making HTTP requests. This has been observed in phishing campaigns to load remote payloads into otherwise benign HTML attachments.

Techniques: T1566, T1566.001, T1566.002, T1598, T1036 (+2 more)
Source: Sublime; severity: high

Attachment: HTML with obfuscation and recipient's email in JavaScript strings

Attached HTML file contains JavaScript code with suspicious identifiers such as 'atob' or 'decrypt', as well as the recipient's email address embedded within the JavaScript.

Techniques: T1566, T1566.001, T1566.002, T1598, T1059
Source: Sublime; severity: high

Attachment: ICS calendar file with base64 encoded recipient address in URL parameters

Detects inbound messages containing ICS calendar attachments where event links have multiple URL parameters, and the base64 decoded combination of those parameters matches the recipient's email address. This technique may be used to personalize malicious links or track specific targets.

Techniques: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Source: Sublime; severity: high

Attachment: ICS calendar file with QR code containing recipient email address

Detects calendar attachments (.ics files) containing QR codes that include the recipient's email address in the URL, URL fragment, or base64-encoded data. This technique is commonly used to personalize credential theft attacks by embedding the target's email address within calendar invitations.

Techniques: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Source: Sublime; severity: high

Attachment: ICS calendar file with recipient address in UID field

Detects inbound messages containing ICS calendar attachments where the UID property matches the recipient's email address, indicating potential calendar-based social engineering.

Techniques: T1566, T1566.001, T1566.002, T1598
Source: Sublime; severity: high

Attachment: ICS calendar file with suspicious product identifier

Detects inbound messages containing ICS calendar attachments that have product identifiers matching patterns commonly associated with malicious calendar invitations. The rule identifies ICS files through multiple detection methods and analyzes the product_id field for suspicious formatting that may indicate automated generation or spoofing attempts.

Techniques: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Source: Sublime; severity: medium

Attachment: ICS calendar with embedded file from internal sender with SPF failure

Detects calendar invitations (ICS files) from internal domains that fail SPF authentication and contain embedded attachments, with single attendee and organizer both from organizational domains.

Techniques: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Source: Sublime; severity: high

Attachment: ICS file with AWS Lambda URL

Detects ICS calendar files that contain references to AWS Lambda URLs, which may be used to deliver malicious content or redirect users to suspicious resources.

Techniques: T1566, T1566.001, T1566.002, T1598, T1204.002 (+3 more)
Source: Sublime; severity: medium

Attachment: ICS file with excessive custom properties

ICS calendar attachment contains an unusually high number of custom X- properties, which may indicate attempts to hide malicious content or exploit calendar parsing vulnerabilities.

Techniques: T1566.001, T1204.002, T1486, T1036, T1027
Source: Sublime; severity: medium

Attachment: ICS file with links to newly registered domains

Detects calendar invite attachments (ICS files) containing links to domains registered within the last 30 days, which may indicate malicious calendar invitations designed to redirect users to suspicious websites.

Techniques: T1566, T1566.001, T1566.002, T1598
Source: Sublime; severity: medium

Attachment: ICS file with meeting prefix

Detects incoming messages with a single ICS calendar file attachment that has a filename starting with 'meeting_'.

Techniques: T1566.002, T1534, T1656, T1566, T1566.001 (+1 more)
Source: Sublime; severity: high

Attachment: ICS file with non-Gregorian calendar scale

Detects ICS calendar attachments that use a non-standard calendar scale other than GREGORIAN, which may indicate malicious calendar files attempting to exploit calendar parsing vulnerabilities or bypass security filters.

Techniques: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Source: Sublime; severity: medium

Attachment: ICS with embedded document

ICS invite contains an embedded document.

Techniques: T1566.001, T1204.002, T1486, T1036, T1027
Source: Sublime; severity: low

Attachment: ICS with embedded JavaScript in SVG file

Detects incoming messages containing ICS attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs.

Techniques: T1566, T1566.001, T1566.002, T1598, T1204.002 (+4 more)
Source: Sublime; severity: high

Attachment: ICS with employee policy review lure

Detects ICS calendar attachments containing references to 'policy review' and 'secure access' terminology, which may be used in social engineering attacks to prompt users to take action under the guise of compliance or security requirements.

Techniques: T1566, T1566.001, T1566.002, T1598, T1534 (+3 more)
Source: Sublime; severity: high

Attachment: Invoice and W-9 PDFs with suspicious creators

Detects messages containing two PDF attachments where one has invoice-related naming patterns and another contains W-9 tax form indicators, with at least one PDF generated by Chrome or wkhtmltopdf tools, commonly used in business email compromise attacks targeting financial processes.

Techniques: T1566.002, T1534, T1656, T1566, T1598 (+1 more)
Source: Sublime; severity: high

Attachment: JavaScript file with suspicious base64-encoded executable

JavaScript attachment or compressed JavaScript file containing a base64 encoded executable.

Techniques: T1566.001, T1204.002, T1486, T1036, T1027 (+1 more)
Source: Sublime; severity: high

Attachment: Legal themed message or PDF with suspicious indicators

Detects messages with short body content or emoji containing PDF attachments from suspicious creators that include legal and compliance language with embedded malicious links, URL shorteners, or newly registered domains.

Techniques: T1566, T1566.001, T1566.002, T1598, T1486 (+5 more)
Source: Sublime; severity: medium

Attachment: Link file with UNC path

Attached link file contains a UNC path. This can be used to relay NTLM password hashes; Windows will attempt to authenticate against the path even without the file being opened.

Techniques: T1566, T1566.001, T1566.002, T1598, T1036 (+1 more)
Source: Sublime; severity: medium

Attachment: Link to Doubleclick.net open redirect

Doubleclick.net link in a document leveraging an open redirect.

Techniques: T1566.002, T1534, T1656, T1566, T1566.001 (+3 more)
Source: Sublime; severity: medium

Attachment: LNK file

Recursively scans files and archives to detect LNK connection files. LNK files can be weaponised to execute arbitrary commands including unpacking and running executable content embedded within the file itself.

Techniques: T1566.001, T1204.002, T1486
Source: Sublime; severity: high