Sublime-Message-body Event ID 7000002
Sublime MQL (555)
- Advance Fee Fraud (AFF) from freemail provider or suspicious TLD
- Attachment: Adobe image lure in body or attachment with suspicious link
- Attachment: Calendar file with invisible Unicode characters
- Attachment: Calendar invite with Google redirect and invoice request
- Attachment: Callback phishing solicitation via pdf file
- Attachment: Callback phishing solicitation via text-based file
- Attachment: Cold outreach with invitation subject and not attachment
- Attachment: Compensation review lure with QR code
- Attachment: Compensation-themed DOCX with QR code credential theft
- Attachment: Credit card application with WhatsApp contact
- Attachment: EML containing a base64 encoded script
- Attachment: EML with link to credential phishing page
- Attachment: EML with suspicious indicators
- Attachment: Employment contract update with suspicious file naming
- Attachment: Encrypted PDF with credential theft body
- Attachment: Encrypted zip file with payment-related lure
- Attachment: Fake scan-to-email
- Attachment: Fake secure message and suspicious indicators
- Attachment: Fake voicemail via PDF
- Attachment: Fictitious invoice using LinkedIn's address
- Attachment: Legal themed message or PDF with suspicious indicators
- Attachment: PDF bid/proposal lure with credential theft indicators
- Attachment: PDF file with low reputation link to ZIP file (unsolicited)
- Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)
- Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)
- Attachment: PDF with password in filename matching body text
- Attachment: PDF with suspicious HeadlessChrome metadata
- Attachment: QR code link with base64-encoded recipient address
- Attachment: QR code with credential phishing indicators
- Attachment: RFP/RFQ impersonating government entities
- Attachment: Self-sender PDF with minimal content and view prompt
- Attachment: USDA bid invitation impersonation
- BEC with unusual reply-to or return-path mismatch
- BEC/Fraud: Generic scam attempt to undisclosed recipients
- BEC/Fraud: Job scam fake thread or plaintext pivot to freemail
- BEC/Fraud: Penpal scam
- BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply
- BEC/Fraud: Romance scam
- BEC/Fraud: Scam lure with freemail pivot
- BEC/Fraud: Student loan callback phishing
- BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
- BEC: Employee impersonation with subject manipulation
- Benefits enrollment impersonation
- Body: HTML whitespace stuffing with short initial message
- Body: PayApp transaction reference pattern
- Body: Suspicious date format
- Brand impersonation: AARP
- Brand impersonation: Adobe (QR code)
- Brand impersonation: Adobe with suspicious language and link
- Brand impersonation: AliExpress
- Brand impersonation: Amazon
- Brand impersonation: Amazon Web Services (AWS)
- Brand impersonation: Amazon with suspicious attachment
- Brand impersonation: American Express (AMEX)
- Brand impersonation: Aquent
- Brand impersonation: Aramco
- Brand impersonation: AuthentiSign
- Brand impersonation: Automobile assistance associations
- Brand impersonation: Binance
- Brand impersonation: Blockchain.com
- Brand impersonation: Booking.com
- Brand impersonation: Box file sharing service
- Brand impersonation: Canada Revenue Agency
- Brand impersonation: Capital One
- Brand impersonation: Chase Bank
- Brand impersonation: Chase bank with credential phishing indicators
- Brand impersonation: Cloud services with credential theft intent
- Brand impersonation: DHL
- Brand Impersonation: Disney
- Brand impersonation: DocSend
- Brand impersonation: DocuSign
- Brand impersonation: DocuSign branded attachment lure with no DocuSign links
- Brand impersonation: DocuSign with embedded QR code
- Brand impersonation: Dropbox
- Brand impersonation: Exodus
- Brand impersonation: Fake Fax
- Brand impersonation: FedEx
- Brand impersonation: File sharing notification with template artifacts
- Brand impersonation: FINRA
- Brand Impersonation: Gemini Trust Company
- Brand impersonation: GitHub with callback scam indicators
- Brand Impersonation: Google (QR Code)
- Brand impersonation: Google Careers
- Brand impersonation: Google Drive fake file share
- Brand impersonation: Google Meet with malicious link
- Brand impersonation: Google Workspace alert notification
- Brand impersonation: Greenvelope
- Brand impersonation: Interac
- Brand impersonation: Internal Revenue Service
- Brand impersonation: LastPass
- Brand impersonation: LinkedIn
- Brand impersonation: Mailchimp
- Brand impersonation: Mailgun
- Brand impersonation: Marriott with gift language
- Brand impersonation: McAfee
- Brand impersonation: Meta and subsidiaries
- Brand impersonation: MetaMask
- Brand impersonation: Microsoft
- Brand impersonation: Microsoft (QR code)
- Brand impersonation: Microsoft fake sign-in alert
- Brand impersonation: Microsoft logo in HTML with fake quarantine release notification
- Brand impersonation: Microsoft Planner with suspicious link
- Brand impersonation: Microsoft quarantine release notification in body
- Brand impersonation: Microsoft Teams invitation
- Brand impersonation: Microsoft with embedded logo and credential theft language
- Brand impersonation: Microsoft with low reputation links
- Brand impersonation: Morgan Stanley
- Brand impersonation: Navan
- Brand impersonation: Netflix
- Brand impersonation: OpenAI with payment issues
- Brand Impersonation: PayPal
- Brand Impersonation: Procore
- Brand impersonation: Proofpoint secure messaging without legitimate indicators
- Brand impersonation: Punchbowl
- Brand impersonation: Purdue ePlanroom with suspicious links
- Brand impersonation: Quickbooks
- Brand impersonation: QuickBooks dispute notification
- Brand impersonation: Robert Half
- Brand impersonation: Robinhood
- Brand impersonation: SendGrid
- Brand Impersonation: ShareFile
- Brand impersonation: Sharepoint
- Brand impersonation: Sharepoint fake file share
- Brand Impersonation: Shein
- Brand impersonation: Social Security Administration
- Brand impersonation: Spotify
- Brand impersonation: Square
- Brand impersonation: Survey request with credential theft indicators
- Brand impersonation: TikTok
- Brand impersonation: Toronto-Dominion Bank
- Brand impersonation: Trust Wallet
- Brand impersonation: Twitter
- Brand impersonation: UK government Home Office
- Brand impersonation: United Healthcare
- Brand impersonation: UPS
- Brand impersonation: USPS
- Brand impersonation: Vanguard
- Brand impersonation: WeTransfer
- Brand impersonation: Wise
- Brand impersonation: Wix
- Brand impersonation: Xodo Sign
- Brand impersonation: Zoom
- Brand impersonation: Zoom via lookalike domain
- Brand impersonation: Zoom with deceptive link display
- Business Email Compromise (BEC) attempt from unsolicited sender
- Business Email Compromise (BEC) attempt from untrusted sender
- Business Email Compromise (BEC) attempt from untrusted sender (French/Français)
- Business Email Compromise (BEC) with request for mobile number
- Callback phishing in body or attachment (untrusted sender)
- Callback phishing solicitation in message body
- Callback phishing via Adobe Sign comment
- Callback phishing via Apple ID display name abuse
- Callback phishing via DocuSign comment
- Callback phishing via e-signature service
- Callback phishing via extensionless rfc822 attachment
- Callback phishing via Google Group abuse
- Callback phishing via Google Meet
- Callback phishing via Intuit service abuse
- Callback phishing via Microsoft comment
- Callback Phishing via Signable E-Signature Request
- Callback phishing via SignFree e-signature request
- Callback phishing via Xodo Sign comment
- Callback phishing via Yammer comment
- Callback phishing via Zelle Service Abuse
- Callback phishing via Zoho service abuse
- Callback Phishing via Zoom comment
- Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old
- Callback phishing: SumUp infrastructure abuse
- Callback scam: Impersonation via TimeTrade infrastructure
- Canva infrastructure abuse
- Cloud storage impersonation with credential theft indicators
- Commonly abused sender TLD with engaging language
- COVID-19 themed fraud with sender and reply-to mismatch or compensation award
- Credential phishing content and link (untrusted sender)
- Credential phishing language and suspicious indicators (unknown sender)
- Credential Phishing via Dropbox comment abuse
- Credential phishing: 'Secure message' and engaging language
- Credential phishing: Blue button styled link with file-sharing template artifacts
- Credential phishing: Email delivery failure impersonation
- Credential phishing: Engaging language and other indicators (untrusted sender)
- Credential phishing: Engaging language with IPFS link
- Credential phishing: Fake card notification with tracking lure
- Credential phishing: Fake password expiration from new and unsolicited sender
- Credential phishing: Fake storage alerts (unsolicited)
- Credential phishing: Financial lure via ActiveCampaign infrastructure
- Credential phishing: Generic document share template
- Credential phishing: Generic document sharing
- Credential phishing: Hyper-linked image leading to free file host
- Credential phishing: Image as content, short or no body contents
- Credential phishing: Onedrive impersonation
- Credential phishing: Re-Authentication lure
- Credential phishing: Suspicious e-sign agreement document notification
- Credential Phishing: Suspicious language, link, recipients and other indicators
- Credential phishing: Suspicious subject with urgent financial request and link
- Credential phishing: Tax form impersonation with payment request
- Credential Phishing: W-2 lure with inline SVG Windows logo
- Credential theft with 'safe content' deception and social engineering topics
- Cyrillic vowel substitution in subject or display name from unknown sender
- Deceptive Dropbox mention
- DLP - PCI: American Express Credit Card Number
- DLP - PCI: Discover Credit Card Number
- DLP - PCI: Mastercard Credit Card Number
- DLP - PCI: US Credit Card Number (Any Network)
- DLP - PCI: Visa Credit Card Number
- DLP: Argentina DNI Number
- DLP: Australia Bank Account Number
- DLP: Australia Driver's License Number
- DLP: Australia Medical Account Number
- DLP: Australia Passport Number
- DLP: Australia SWIFT Code
- DLP: Australia Tax File Number
- DLP: Austria Identity Card
- DLP: Austria Social Security Number
- DLP: Austria Tax Identification Number
- DLP: AWS Credentials
- DLP: Azure Authentication Token
- DLP: Basic Authentication Header
- DLP: Belgium National Number
- DLP: Brazil CPF Number
- DLP: Brazil RG Number
- DLP: Bulgaria Uniform Civil Number
- DLP: Canada Bank Account Number
- DLP: Canada Credit Card Number
- DLP: Canada Driver's License Number
- DLP: Canada Health Service Number
- DLP: Canada Passport Number
- DLP: Canada Personal Health Identification Number (PHIN)
- DLP: Canada Social Insurance Number (SIN)
- DLP: Chile Identity Card Number
- DLP: China Resident ID Number
- DLP: Colombia Citizenship Card Number
- DLP: Croatia Personal Identification (OIB)
- DLP: Cyprus Identity Card
- DLP: Czech Personal Identity Number
- DLP: Denmark Personal Identification Number
- DLP: Estonia Personal Identification Code
- DLP: Finland National ID
- DLP: France Bank Account Number
- DLP: France Credit Card Number
- DLP: France Debit Card Number
- DLP: France Driver's License Number
- DLP: France National ID Card (CNI)
- DLP: France Passport Number
- DLP: France Social Security Number (INSEE)
- DLP: France Tax Identification Number (SPI)
- DLP: GCP API Key
- DLP: Germany Bank Account Number (IBAN)
- DLP: Germany Driver's License Number
- DLP: Germany Identity Card Number (Personalausweisnummer)
- DLP: Germany Passport Number
- DLP: Germany Tax Identification Number
- DLP: GitHub Token
- DLP: Greece National ID Card
- DLP: Greece Social Security Number (AMKA)
- DLP: Greece Tax Identification Number
- DLP: Hungary Personal Identification Number
- DLP: Hungary Social Security Number (TAJ)
- DLP: Hungary Tax Identification Number
- DLP: IMEI Number
- DLP: IMSI Number
- DLP: India Aadhaar Number
- DLP: India Bank Account Number
- DLP: India PAN Number
- DLP: India Passport Number
- DLP: IP Address
- DLP: Ireland Personal Public Service (PPS) Number
- DLP: Israel Bank Account Number
- DLP: Israel Credit Card Number
- DLP: Israel National ID
- DLP: Israel SWIFT Code
- DLP: Italy Fiscal Code
- DLP: Japan Bank Account Number
- DLP: Japan Credit Card Number
- DLP: Japan Driver's License Number
- DLP: Japan MyNumber ID
- DLP: Japan Passport Number
- DLP: Japan Social Insurance Number
- DLP: JSON Web Token (JWT)
- DLP: Latvia Personal Code
- DLP: Lithuania Personal Code
- DLP: Luxembourg National ID (Natural Persons)
- DLP: Luxembourg National ID (Non-Natural Persons)
- DLP: MAC Address
- DLP: Malta Identity Card Number
- DLP: Malta Tax ID Number
- DLP: Mexico CURP Number
- DLP: Mexico Passport Number
- DLP: Netherlands Citizen's Service (BSN) Number
- DLP: Netherlands Tax Identification Number
- DLP: OAuth Client Secret
- DLP: Poland Identity Card
- DLP: Poland Tax Identification Number
- DLP: Portugal Citizen Card Number
- DLP: Portugal Tax Identification Number
- DLP: Private Key
- DLP: Romania Personal Numerical Code
- DLP: Saudi Arabia IBAN
- DLP: Saudi Arabia National ID
- DLP: Saudi Arabia SWIFT Code
- DLP: Slack Token
- DLP: Slovakia Personal Number
- DLP: Slovenia Tax Identification Number
- DLP: Slovenia Unique Master Citizen Number
- DLP: South Korea Resident Registration Number (RRN)
- DLP: Spain Bank Account Number
- DLP: Spain DNI/NIE
- DLP: Spain Passport Number
- DLP: Spain Social Security Number
- DLP: Spain Tax Identification Number
- DLP: SSL Certificate
- DLP: Sweden National ID
- DLP: Sweden Tax Identification Number
- DLP: Taiwan ID Number
- DLP: Turkey ID Number
- DLP: UK National Health Service Number
- DLP: UK National Insurance Number (NINO)
- DLP: UK Passport Number
- DLP: UK SWIFT Code
- DLP: US Bank Account Number
- DLP: US Driver's License Number
- DLP: US ICD-10-CM Code
- DLP: US ICD-9-CM Code
- DLP: US Individual Taxpayer Identification Number (ITIN)
- DLP: US Insurance Claim Number
- DLP: US Passport Number
- DLP: US Social Security Number (SSN)
- DLP: Vehicle Identification Number (VIN)
- Domain impersonation: Freemail reply-to local lookalike with financial request
- Employee impersonation with urgent request (untrusted sender)
- Employee impersonation: Payroll fraud
- Extortion / sextortion (untrusted sender)
- Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender
- Extortion / sextortion in attachment from untrusted sender
- Fake email quarantine notification
- Fake message thread - Untrusted sender with a mismatched freemail reply-to address
- Fake message thread with a suspicious link and engaging language from an unknown sender
- Fake request for tax preparation
- Fake scan-to-email message
- Fake shipping notification with suspicious language
- Fake thread with suspicious indicators
- Fake voicemail notification (untrusted sender)
- Fake warning banner using confusable characters
- Fake Zoho Sign template abuse
- Fake Zoom meeting invite with suspicious link
- File sharing link with a suspicious subject
- Fraudulent order confirmation/shipping notification from Chinese sender domain
- Google Drive abuse: Credential phishing link
- Google presentation open redirect phishing
- Google services using g.co shortlinks
- Headers: Self-sender using Microsoft CompAuth bypass with credential theft content
- Headers: System account impersonation with empty sender address
- Headers: X-Source-Auth mismatch with mismatched reply-to domain
- Honorific greeting BEC attempt with sender and reply-to mismatch
- HR impersonation via e-sign agreement comment
- HTML content with print styling and credential theft language
- Image as content with a link to an open redirect
- Impersonation: Australian Federal Police with criminal case language
- Impersonation: Chrome Web Store policy
- Impersonation: Employee using fabricated identity in initial contact
- Impersonation: Fake Gmail attachment
- Impersonation: Fake product discount promotion
- Impersonation: Human Resources with link or attachment and engaging language
- Impersonation: Internal corporate services
- Impersonation: Legal firm with copyright infringement notice
- Impersonation: Recipient organization in sender display name with credential theft image
- Impersonation: Salesforce fake campaign failure notification
- Impersonation: SharePoint reply header anomaly
- Impersonation: Suspected supplier impersonation with suspicious content
- Investor solicitation with organization targeting
- Job scam (unsolicited sender)
- Job scam with specific salary pattern
- Link abuse: Self-service creation platform link with suspicious recipient behavior
- Link: /index.php enclosed in three asterisks
- Link: Adobe share with suspicious indicators
- Link: Apple App Store link to apps impersonating AI advertising
- Link: Apple App Store malicious ad manager themed apps from free email provider
- Link: BEC with newly registered domains and financial keywords
- Link: Blogspot hosting explicit romance content
- Link: Concatenated display text concealing duplicate URLs with PDF reference
- Link: Credential harvesting with excess padding evasion
- Link: Credential phishing traversing Russian infrastructure
- Link: Credential theft with Cloudflare tunnel and recipient targeting
- Link: Credential theft with invisible Unicode character in page title from unsolicited sender
- Link: Cryptocurrency fraud with suspicious links
- Link: Direct download of executable file
- Link: Direct MSI download from low reputation domain
- Link: Display text matches subject line
- Link: Document sharing invitation template
- Link: Excessive URL rewrite encoders
- Link: Executable file download with suspicious message content
- Link: File sharing impersonation with suspicious language and sending patterns
- Link: File sharing pretext with suspicious body and link
- Link: Financial account issue with suspicious indicators
- Link: Flare-branded credential harvesting via Cloudflare tunnels
- Link: Free file hosting with undisclosed recipients
- Link: Free subdomain host with undisclosed recipients
- Link: Google Drawings link from new sender
- Link: Google Forms link with credential theft language
- Link: Hotel booking spoofed display URL
- Link: HR impersonation with suspicious domain indicators and credential theft
- Link: Intuit link abuse with file share context
- Link: Job recruitment lure from unsolicited sender with suspicious hosting
- Link: Mamba 2FA phishing kit
- Link: Microsoft Dynamics 365 form phishing
- Link: Multiple HTTP protocols in single URL
- Link: Multistage landing - Abused Google Drive
- Link: Multistage landing - ClickUp abuse
- Link: MyActiveCampaign Link Abuse
- Link: Observed URL pattern with specific domain registrar
- Link: PDF file disguised as HTML page
- Link: PDF filename impersonation with credential theft language
- Link: Personal SharePoint with invalid recipients and credential theft language
- Link: Personalized URL with recipient address on commonly abused web service
- Link: QR Code with suspicious language (untrusted sender)
- Link: QuickBooks image lure with suspicious link
- Link: RFI document reference pattern in display text
- Link: Romance/Sexual Language With Suspicious Link
- Link: Secure SharePoint file share from new or unusual sender
- Link: Self-sender credential theft with configuration placeholder
- Link: Self-sender with sender org in subject and credential theft indicator
- Link: Self-sent message with quarterly document review request
- Link: SharePoint filename matches org name
- Link: SharePoint OneNote or PDF link with self sender behavior
- Link: Shortened URL with fragment matching subject
- Link: Single character path with credential theft body and self sender behavior or invalid recipient
- Link: Suspicious go.php redirect with document lure
- Link: Suspicious Loom HTML file path
- Link: Suspicious SharePoint document name
- Link: Tax document lure Portuguese/Spanish with suspicious domains
- Link: Tycoon2FA phishing kit (non-exhaustive)
- Link: Uncommon SharePoint document type with sender's display name
- Link: URL path containing /moni/index
- Link: URL scheme obfuscation via split HTML anchors
- Link: URL shortener with copy-paste instructions and credential theft language
- Link: WordPress login page with Blogspot Binance scam
- Link: Zoho form link from unsolicited sender
- Malformed URL prefix
- Mass campaign: Cross Site Scripting (XSS) attempt
- Mass campaign: recipient address in subject, body, and link (untrusted sender)
- Microsoft infrastructure abuse with suspicious patterns
- Mismatched links: Free file share with urgent language
- Open Redirect: Google domain with /url path and suspicious indicators
- QR Code with suspicious indicators
- Reconnaissance: All recipients cc/bcc'd or undisclosed
- Reconnaissance: Email address harvesting attempt
- Reconnaissance: Hotel booking reply-to redirect
- Reconnaissance: Large unknown recipient list
- Reconnaissance: Short generic greeting message
- Recruitee Infrastructure Abuse
- Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment
- Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
- Salesforce infrastructure abuse
- Scam soliciting employer review/rating
- Scam: Fake estate sale offering welding equipment and tools
- Scam: Piano giveaway
- Self-sender with copy/paste instructions and suspicious domains (French/Français)
- Self-sent fake PDF attachment with misleading link
- Sender: IP address in local part
- Sendgrid voicemail phish
- Service abuse: Adobe legitimate domain with document approval language
- Service abuse: Apple TestFlight with suspicious developer reference
- Service abuse: AppSheet infrastructure with suspicious indicators
- Service abuse: AWS SNS callback scam impersonation
- Service abuse: Behance document sharing with suspicious language
- Service Abuse: Box file sharing with credential phishing intent
- Service abuse: Calendly callback scam detection
- Service abuse: Callback phishing via Microsoft Teams invite
- Service abuse: Cisco secure email service with financial request
- Service abuse: Dropbox Paper with copy-paste instructions
- Service abuse: Elastic alerts extortion
- Service abuse: Facebook business with action required subject
- Service abuse: File sharing impersonation with external SharePoint links
- Service abuse: FlipHTML5 with attachment deception and credential theft language
- Service abuse: Formester with suspicious link behavior
- Service abuse: Free provider with SendGrid routing
- Service abuse: GetAccept callback scam content
- Service abuse: GitHub notification with excessive mentions and suspicious links
- Service Abuse: GoDaddy infrastructure
- Service abuse: Google Calendar notification with callback scam language
- Service abuse: Google classroom solicitation
- Service abuse: Google Firebase sender address with suspicious content
- Service abuse: Google Groups callback scam
- Service Abuse: HelloSign share with suspicious sender or document name
- Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail
- Service abuse: IBM IAM account notification with callback scam indicators
- Service abuse: Linode Objects HTML file hosting
- Service abuse: Microsoft Power Apps callback scam
- Service abuse: Microsoft Power Automate callback scam impersonation
- Service abuse: Microsoft Power BI callback scam
- Service abuse: Monday.com callback scam
- Service abuse: Monday.com infrastructure with phishing intent
- Service abuse: MongoDB Atlas callback scam
- Service Abuse: Nifty.com with impersonation
- Service abuse: Nylas tracking subdomain with suspicious content
- Service abuse: Payoneer callback scam
- Service abuse: PayPal manager account creation with callback scam indicators
- Service abuse: Recruiting with suspicious language patterns from legitimate platforms
- Service abuse: Roomsy with unrelated body content
- Service abuse: Sendgrid credential theft with personalized request targeting single recipient
- Service abuse: SendThisFile with credential theft and financial language
- Service abuse: Substack credential theft with confusable characters and branded button redirects
- Service abuse: Suspicious Datadog alert
- Service abuse: Task management message sent via SendGrid
- Service abuse: Vimeo with external plain-text links in message
- Service abuse: WeTransfer callback scam
- Service Abuse: Zoom with freemail reply-to and recipient address in greeting
- Sharepoint file share with suspicious recipients pattern
- SharePoint OTP for filename matching org name
- Spam/fraud: Predatory journal/research paper request
- Spam: Attendee list solicitation
- Spam: Cryptocurrency airdrop/giveaway
- Spam: Fake dating profile notification
- Spam: Fake photo share
- Spam: Ghostwriting services scam with manipulative language
- Spam: New job cold outreach from unsolicited sender
- Spam: Personalized subject and greetings via Salesforce Marketing Cloud
- Spam: Sendersrv.com with financial communications and unsubscribe language
- Spam: Sexually explicit content with emoji in subject from freemail provider
- Spam: Sexually explicit Google Drive share
- Spam: Sexually explicit Google group invitation
- Spam: Sexually explicit Looker Studio report
- Spam: Single recipient duplicated in cc
- Spam: SMTP & Proxy Communications in Email Body
- Spam: Unsolicited malformed PDF
- Spam: Website errors solicitation
- Spoofable internal domain with suspicious signals
- Suspected lookalike domain with suspicious language
- Suspected WordPress abuse with cross-site scripting (XSS) indicators
- Suspicious display name: Gmail sender with engaging language
- Suspicious invoice reference with missing or image-only attachments
- Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender
- Suspicious Links to Cloudflare R2 and Edge Services
- Suspicious newly registered reply-to domain with engaging financial or urgent language
- Suspicious Office 365 app authorization (OAuth) link
- Suspicious recipient pattern and language with low reputation link to login
- Suspicious recipients pattern with NLU credential theft indicators
- Suspicious recipients pattern with no Compauth pass and suspicious content
- Suspicious request for financial information
- Suspicious SharePoint file sharing
- Suspicious subject with long procedurally generated text blob
- Tax Form: W-8BEN solicitation
- Unicode QR code
- Vendor impersonation: Thread hijacking with typosquat domain
- Venmo payment request abuse
- VIP / Executive impersonation (strict match, untrusted)
- VIP Impersonation via Google Group relay with suspicious indicators
- VIP impersonation with BEC language (near match, untrusted sender)
- VIP impersonation with charitable donation fraud
- VIP impersonation with invoicing request
- VIP impersonation with urgent request (strict match, untrusted sender)
- VIP impersonation with w2 request with reply-to mismatch
- VIP impersonation: Fake thread with display name match, email mismatch
- X (Twitter) impersonation with credential phishing motives
- Xero infrastructure abuse
- Xero invoice abuse