EXPLORE DETECTIONS
Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure
Detects messages containing links to Cloudflare Workers domains that follow naming patterns designed to impersonate legitimate services such as Adobe, DocuSign, OneDrive, SharePoint, and voicemail systems. These domains use suspicious alphanumeric identifiers and may be used to deceive recipients into believing they are accessing trusted services.
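As an added example (not part of the original rule set), the following Python shows one way to build this detector: extract the links from a message body, keep only hosts under workers.dev, and flag any hostname label that starts with one of the brand names listed above followed by an alphanumeric identifier containing at least one digit. The brand list is taken from the description; the identifier pattern, the function names and the sample message body are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
WORKERS_SUFFIX = ".workers.dev"

# Brands named in the rule description above.
BRANDS = ("adobe", "docusign", "onedrive", "sharepoint", "voicemail")

# Assumed lure shape: a brand name, an optional separator, then an
# alphanumeric identifier of 4+ characters containing at least one digit
# (so a label such as "sharepointonline" on its own does not match).
LURE_RE = re.compile(
    r"^(?:" + "|".join(BRANDS) + r")[-_]?(?=[a-z0-9]*\d)[a-z0-9]{4,}$",
    re.IGNORECASE,
)


def workers_labels(url):
    """Return the hostname labels below workers.dev, or None when the
    link does not point at a Cloudflare Workers host at all."""
    host = (urlparse(url).hostname or "").lower()
    if not host.endswith(WORKERS_SUFFIX):
        return None
    return host[: -len(WORKERS_SUFFIX)].split(".")


def find_workers_lures(body):
    """Return (hostname, matching_label) for every workers.dev link in the
    body whose hostname carries a brand-plus-identifier label. Every label
    is checked, since the brand may sit in the worker name or the account
    subdomain (worker.account.workers.dev)."""
    hits = []
    for url in URL_RE.findall(body):
        labels = workers_labels(url)
        if not labels:
            continue
        for label in labels:
            if LURE_RE.match(label):
                hits.append((urlparse(url).hostname.lower(), label))
                break
    return hits


# Constructed sample body (hypothetical hosts): the first two links should
# fire; the last two should not (no lure label; real brand domain).
SAMPLE_BODY = """\
Your document is ready for signature.
Review it here: https://docusign-7f3a9b2c.quiet-river-1a2b.workers.dev/review
New voicemail (0:42): http://voicemail-e91ab4.quiet-river-1a2b.workers.dev/play?id=8817
Status page: https://status.quiet-river-1a2b.workers.dev/
Official site: https://www.docusign.com/
"""

if __name__ == "__main__":
    for host, label in find_workers_lures(SAMPLE_BODY):
        print(f"{host}  (lure label: {label})")
```

Tightening the identifier requirement (length, digit content, known brand list) is the main lever against false positives here; a brand name alone in a Workers hostname is not unusual for legitimate hobby deployments.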
Adobe branded PDF file linking to a password-protected file from untrusted sender
Detects PDF files containing links to a remotely hosted password-protected file. This is a common technique used by phishing actors as well as malware operators (IcedID, Remcos, AsyncRAT).
Advance Fee Fraud (AFF) from freemail provider or suspicious TLD
Advance Fee Fraud (AFF) is a type of BEC/fraud in which the victim pays an upfront fee for a promised future return, such as a lottery win, an inheritance payout, or an investment opportunity. This rule identifies messages from freemail domains or suspicious TLDs, including those with suspicious reply-to addresses, and uses Natural Language Understanding to detect AFF language in the message content.
AnonymousFox indicators
Detects email messages that contain (anonymous|smtp)fox in the sender email address or in the X-Authenticated-Sender or X-Sender header fields. This is indicative of messages sent from a website compromised by AnonymousFox.
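The check described above, written out as an added example in Python (not the rule's own implementation): parse the raw message, take the address part of the From header (the display name is deliberately ignored), and search it and the two X- headers for the (anonymous|smtp)fox token. The sample messages, addresses and function names are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The indicator named in the rule description above.
ANONFOX_RE = re.compile(r"(anonymous|smtp)fox", re.IGNORECASE)
SENDER_HEADERS = ("X-Authenticated-Sender", "X-Sender")


def anonymousfox_indicators(raw_message):
    """Return (location, value) pairs for every place the token appears:
    the From address (display name excluded) and each
    X-Authenticated-Sender / X-Sender header value."""
    msg = message_from_string(raw_message)
    hits = []
    _display, addr = parseaddr(msg.get("From", ""))
    if ANONFOX_RE.search(addr):
        hits.append(("From", addr))
    for header in SENDER_HEADERS:
        for value in msg.get_all(header, []):   # header may repeat
            if ANONFOX_RE.search(value):
                hits.append((header, value.strip()))
    return hits


# Constructed sample messages (hypothetical hosts and addresses).
FLAGGED_MSG = """\
From: "Billing Dept" <billing@example-store.test>
To: victim@example.test
Subject: Invoice overdue
X-Authenticated-Sender: anonymousfox@compromised-site.test
X-Mailer: PHPMailer

Please see the attached invoice.
"""

# "Fox" alone in a sender name or address is not the indicator.
CLEAN_MSG = """\
From: "Fox Logistics" <dispatch@foxlogistics.test>
To: victim@example.test
Subject: Delivery update
X-Sender: dispatch@foxlogistics.test

Your parcel is on its way.
"""

if __name__ == "__main__":
    for name, raw in (("flagged", FLAGGED_MSG), ("clean", CLEAN_MSG)):
        print(name, anonymousfox_indicators(raw))
```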
Anthropic Magic String in HTML
Detects messages containing the specific test string 'ANTHROPIC_MAGIC_STRING' in the plain text body content.
Apple state-sponsored attack warning
Detects legitimate Apple threat notifications warning users that their iPhone may be targeted by state-sponsored or mercenary spyware attacks. These notifications contain specific language about targeted attacks and Apple's confidence level in the warning.
Attachment soliciting user to enable macros
Recursively scans files and archives to detect documents that ask the user to enable macros, including if that text appears within an embedded image.
Attachment with auto-executing macro (unsolicited)
Attachment from an unsolicited sender contains a macro that will auto-execute when the file is opened. Macros are a common phishing technique used to deploy malware.
Attachment with auto-opening VBA macro (unsolicited)
Recursively scans files and archives to detect embedded VBA modules containing an auto-open procedure (for example AutoOpen or Document_Open), which runs as soon as the document is opened with macros enabled.
Attachment with encrypted zip (unsolicited)
Recursively scans files and archives to detect encrypted zip files.
Attachment with free subdomain host URL (unsolicited)
Recursively scans files and archives to detect links to free subdomain hosts. Free subdomain hosts are commonly used to host credential phishing sites.
Attachment with high risk VBA macro (unsolicited)
Potentially malicious attachment containing a VBA macro that oletools (olevba) categorizes as 'high' risk.
Attachment with macro calling executable
Recursively scans files and archives to detect embedded VBA modules containing a hex-encoded string that references an .exe. This is typically an attempt to obfuscate the launch of an executable from a Microsoft Office document.
Attachment with suspicious author (unsolicited)
Recursively scans files and archives to detect embedded docx files with a specific author.
Attachment with unscannable encrypted zip (unsolicited)
Recursively scans files and archives to detect embedded ZIP files that are encrypted and could not be opened/scanned.
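The two rules above (encrypted zip, and encrypted zip that could not be opened) share one mechanism, shown here as an added example in Python (not the product's own scanner): walk a zip and every zip nested inside it, read the encryption bit (general-purpose flag bit 0) from each entry, try any candidate passwords, and report an entry as unscannable when it stays closed. Python's zipfile module cannot write encrypted archives, so the sample flips the flag byte by hand in a plain archive; the sample file names, the verdict strings and the depth limit are assumptions made for this example.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x0001   # general-purpose bit 0 in local and central headers


def _try_open(zf, zi, passwords):
    """Try each candidate password; return the entry's bytes or None."""
    for pwd in passwords:
        try:
            return zf.read(zi, pwd=pwd.encode())
        except (RuntimeError, zipfile.BadZipFile):   # bad password / bad CRC
            continue
    return None


def scan_zip(blob, passwords=(), depth=0, max_depth=5, path="attachment.zip"):
    """Recursively walk a zip and the zips nested inside it.

    Returns (entry_path, verdict) pairs: 'encrypted' when the entry is
    flagged encrypted but a candidate password opened it, and
    'unscannable_encrypted' when it is encrypted and could not be opened,
    so its contents were never inspected. Nesting stops at max_depth so a
    zip-in-zip chain cannot recurse without bound."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings                      # not a zip (or corrupt): nothing to walk
    with zf:
        for zi in zf.infolist():
            entry = f"{path}/{zi.filename}"
            if zi.flag_bits & ENCRYPTED_FLAG:
                data = _try_open(zf, zi, passwords)
                findings.append((entry, "encrypted" if data is not None else "unscannable_encrypted"))
                if data is None:
                    continue
            else:
                data = zf.read(zi)
            if depth < max_depth and zi.filename.lower().endswith(".zip"):
                findings.extend(scan_zip(data, passwords, depth + 1, max_depth, entry))
    return findings


# --- constructed sample input --------------------------------------------
def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def fake_encrypted_zip(name, data):
    """Build a plain archive and set the 'encrypted' flag bit by hand in
    the local file header (offset 6) and central directory entry
    (offset 8). Readers then treat the entry as encrypted even though the
    payload itself was never encrypted."""
    raw = bytearray(_zip_bytes([(name, data)]))
    raw[raw.index(b"PK\x03\x04") + 6] |= ENCRYPTED_FLAG
    raw[raw.index(b"PK\x01\x02") + 8] |= ENCRYPTED_FLAG
    return bytes(raw)


# outer zip -> readme.txt + inner.zip -> invoice.exe (flagged encrypted)
SAMPLE_ATTACHMENT = _zip_bytes([
    ("readme.txt", b"nothing to see here"),
    ("inner.zip", fake_encrypted_zip("invoice.exe", b"MZ" + b"\x00" * 40)),
])

if __name__ == "__main__":
    for entry, verdict in scan_zip(SAMPLE_ATTACHMENT, passwords=("infected",)):
        print(f"{verdict:22s} {entry}")
```

In practice the candidate passwords come from the message itself (body text, the PDF lure, or a sibling attachment), which is why the unscannable variant is the stronger signal: a password the scanner could not find is one the recipient is being steered to type by hand.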
Attachment with URL shortener (unsolicited)
Recursively scans files and archives to detect links to URL shorteners.
Attachment with VBA macros from employee impersonation (unsolicited)
Attachment contains a VBA macro from a sender your organization has never sent an email to. Sender is using a display name that matches the display name of someone in your organization. VBA macros are a common phishing technique used to deploy malware.
Attachment: .csproj with suspicious commands
Attached .csproj file contains suspicious commands.
Attachment: 7z Archive Containing RAR File
Detects 7z archive attachments that contain RAR files, which may be used to evade detection by nesting compressed file formats.
Attachment: Adobe image lure in body or attachment with suspicious link
Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.
Attachment: Any .sap file (unsolicited)
SAP shortcut files can be abused to run unsanctioned code on endpoints. Use if receiving .sap files is not normal behavior in your environment.
Attachment: Any EML file
Any EML attachment. This rule can be combined with a webhook action for further analysis of attached EML files, e.g. via the analysis API.
Attachment: Any HTML file (unsolicited)
Potential HTML smuggling attacks in unsolicited messages. Use if exchanging HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.
Attachment: Any HTML file (untrusted sender)
Potential HTML smuggling attacks from new senders. Use if exchanging HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.