Sublime-Message-type Event ID 7000026
Sublime MQL (1172)
- Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure
- Abuse: Robinhood injected content
- Adobe branded PDF file linking to a password-protected file from untrusted sender
- Advance Fee Fraud (AFF) from freemail provider or suspicious TLD
- AnonymousFox indicators
- Anthropic Magic String in HTML
- Attachment soliciting user to enable macros
- Attachment with auto-executing macro (unsolicited)
- Attachment with auto-opening VBA macro (unsolicited)
- Attachment with encrypted zip (unsolicited)
- Attachment with high risk VBA macro (unsolicited)
- Attachment with macro calling executable
- Attachment with suspicious author (unsolicited)
- Attachment with unscannable encrypted zip
- Attachment with VBA macros from employee impersonation (unsolicited)
- Attachment: .csproj with suspicious commands
- Attachment: 7z Archive Containing RAR File
- Attachment: Adobe image lure in body or attachment with suspicious link
- Attachment: Adobe Sign lure PDF with embedded banner images
- Attachment: Any .sap file (unsolicited)
- Attachment: Any HTML file (unsolicited)
- Attachment: Any HTML file (untrusted sender)
- Attachment: Any HTML file within archive (unsolicited)
- Attachment: Archive containing disallowed file type
- Attachment: Archive containing HTML file with file scheme link
- Attachment: Archive contains DLL-loading macro
- Attachment: Archive with embedded CHM file
- Attachment: Archive with embedded EXE file
- Attachment: Archive with pdf, txt and wsf files
- Attachment: Base64 encoded bash command in filename
- Attachment: Calendar file with invisible Unicode characters
- Attachment: Calendar invite from recently registered domain
- Attachment: Calendar invite with Google redirect and invoice request
- Attachment: Calendar invite with suspicious link leading to an open redirect
- Attachment: Callback phishing solicitation via image file
- Attachment: Callback phishing solicitation via pdf file
- Attachment: Callback phishing solicitation via text-based file
- Attachment: Canva PDF with suspicious author metadata
- Attachment: cmd file extension
- Attachment: Cold outreach with invitation subject and no attachment
- Attachment: Compensation review lure with QR code
- Attachment: Compensation-themed DOCX with QR code credential theft
- Attachment: Credit card application with WhatsApp contact
- Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
- Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability
- Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability
- Attachment: Decoy PDF author (Julie P.)
- Attachment: DocuSign impersonation via PDF linking to new domain
- Attachment: DocX embedded binary
- Attachment: DOCX with hyperlink targeting recipient address
- Attachment: Double base64-encoded zip file in HTML smuggling attachment
- Attachment: Dropbox image lure with no Dropbox domains in links
- Attachment: EICAR string present
- Attachment: Embedded Javascript in SVG file
- Attachment: Embedded VBScript in MHT file
- Attachment: EML containing a base64 encoded script
- Attachment: EML file contains HTML attachment with login portal indicators
- Attachment: EML file with HTML attachment (unsolicited)
- Attachment: EML file with IPFS links
- Attachment: EML with embedded Javascript in SVG file
- Attachment: EML with Encrypted ZIP
- Attachment: EML with link to credential phishing page
- Attachment: EML with QR code redirecting to Cloudflare challenges
- Attachment: EML with SharePoint files shared from GoDaddy federated tenants
- Attachment: EML with Sharepoint link likely unrelated to sender
- Attachment: EML with suspicious indicators
- Attachment: Emotet heavily padded doc in zip file
- Attachment: Employment contract update with suspicious file naming
- Attachment: Encrypted Microsoft Office file (unsolicited)
- Attachment: Encrypted PDF With Credential Harvesting Indicators
- Attachment: Encrypted PDF with credential theft body
- Attachment: Encrypted ZIP containing VHDX file
- Attachment: Encrypted zip file with payment-related lure
- Attachment: Excel file with document sharing lure created by Go Excelize
- Attachment: Excel file with suspicious template identifier
- Attachment: Excel Web Query File (IQY)
- Attachment: Fake attachment image lure
- Attachment: Fake lawyer & sports agent identities
- Attachment: Fake PDF Invoices Yara
- Attachment: Fake scan-to-email
- Attachment: Fake secure message and suspicious indicators
- Attachment: Fake Slack installer
- Attachment: Fake voicemail via PDF
- Attachment: Fake Zoom installer
- Attachment: Fictitious invoice using LinkedIn's address
- Attachment: File execution via Javascript
- Attachment: Filename containing Unicode braille pattern blank character
- Attachment: Filename containing Unicode right-to-left override character
- Attachment: Finance themed PDF with observed phishing template
- Attachment: HTML attachment with Javascript location
- Attachment: HTML attachment with login portal indicators
- Attachment: HTML file contains exclusively Javascript
- Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts
- Attachment: HTML file with excessive padding and suspicious patterns
- Attachment: HTML file with reference to recipient and suspicious patterns
- Attachment: HTML smuggling 'body onload' linking to suspicious destination
- Attachment: HTML smuggling 'body onload' with high entropy and suspicious text
- Attachment: HTML smuggling - QR Code with suspicious links
- Attachment: HTML smuggling Microsoft sign in
- Attachment: HTML smuggling with atob and high entropy
- Attachment: HTML smuggling with atob and high entropy via calendar invite
- Attachment: HTML smuggling with auto-downloaded file
- Attachment: HTML smuggling with base64 encoded JavaScript function
- Attachment: HTML smuggling with base64 encoded ZIP file
- Attachment: HTML smuggling with concatenation obfuscation
- Attachment: HTML smuggling with decimal encoding
- Attachment: HTML smuggling with embedded base64 streamed file download
- Attachment: HTML smuggling with embedded base64-encoded executable
- Attachment: HTML smuggling with embedded base64-encoded ISO
- Attachment: HTML smuggling with eval and atob
- Attachment: HTML smuggling with eval and atob via calendar invite
- Attachment: HTML smuggling with excessive line break obfuscation
- Attachment: HTML smuggling with excessive string concatenation and suspicious patterns
- Attachment: HTML smuggling with fromCharCode and other signals
- Attachment: HTML smuggling with hex strings
- Attachment: HTML smuggling with high entropy and other signals
- Attachment: HTML smuggling with raw array buffer
- Attachment: HTML smuggling with RC4 decryption
- Attachment: HTML smuggling with ROT13
- Attachment: HTML smuggling with setTimeout
- Attachment: HTML smuggling with unescape
- Attachment: HTML with emoji-to-character map
- Attachment: HTML with hidden body
- Attachment: HTML with JavaScript functions for HTTP requests
- Attachment: HTML with obfuscation and recipient's email in JavaScript strings
- Attachment: ICS calendar file with base64 encoded recipient address in URL parameters
- Attachment: ICS calendar file with QR code containing recipient email address
- Attachment: ICS calendar file with recipient address in UID field
- Attachment: ICS calendar file with suspicious product identifier
- Attachment: ICS calendar with embedded file from internal sender with SPF failure
- Attachment: ICS file with AWS Lambda URL
- Attachment: ICS file with excessive custom properties
- Attachment: ICS file with links to newly registered domains
- Attachment: ICS file with meeting prefix
- Attachment: ICS file with non-Gregorian calendar scale
- Attachment: ICS with embedded document
- Attachment: ICS with embedded Javascript in SVG file
- Attachment: ICS with employee policy review lure
- Attachment: Invoice and W-9 PDFs with suspicious creators
- Attachment: JavaScript file with suspicious base64-encoded executable
- Attachment: JPEG with gd-jpeg creator and suspicious file name
- Attachment: Legal themed message or PDF with suspicious indicators
- Attachment: Link file with UNC path
- Attachment: Link to Doubleclick.net open redirect
- Attachment: LNK file
- Attachment: LNK with embedded content
- Attachment: Macro files containing MHT content
- Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation
- Attachment: Malformed OLE file
- Attachment: Malicious OneNote commands
- Attachment: Microsoft 365 credential phishing
- Attachment: Microsoft impersonation via PDF with link and suspicious language
- Attachment: Microsoft OAuth credential harvesting via EML with embedded malicious links
- Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK
- Attachment: MS OOXML file created by Administrator with zero edit time
- Attachment: MSI installer file
- Attachment: Office document loads remote document template
- Attachment: Office document with VSTO add-in
- Attachment: Office file contains OLE relationship to credential phishing page
- Attachment: Office file with credential phishing URLs
- Attachment: Office file with document sharing and browser instruction lures
- Attachment: Office file with suspicious function calls or downloaded file path
- Attachment: OLE external relationship containing file scheme link to executable filetype
- Attachment: OLE external relationship containing file scheme link to IP address
- Attachment: Password-protected PDF with fake document indicators
- Attachment: PDF Attachment with links to workers.dev
- Attachment: PDF bid/proposal lure with credential theft indicators
- Attachment: PDF contains W9 or invoice YARA signatures
- Attachment: PDF file with link to fake Bitcoin exchange
- Attachment: PDF file with low reputation link to ZIP file (unsolicited)
- Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)
- Attachment: PDF generated with wkhtmltopdf tool and default title
- Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification
- Attachment: PDF Object Hash with Blue File Icon
- Attachment: PDF proposal with credential theft indicators
- Attachment: PDF with a suspicious string and single URL
- Attachment: PDF with blurry lure image
- Attachment: PDF with credential theft language and invalid reply-to domain
- Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)
- Attachment: PDF with CVE-2026-34621 lures
- Attachment: PDF with eCheckRun lures
- Attachment: PDF with fake invoice using suspicious font sizing
- Attachment: PDF with JSFck obfuscation
- Attachment: PDF with link to DMG file download
- Attachment: PDF with link to zip containing a wsf file
- Attachment: PDF with Microsoft Purview message impersonation
- Attachment: PDF with multistage landing - ClickUp abuse
- Attachment: PDF with password in filename matching body text
- Attachment: PDF with personal Microsoft OneNote URL
- Attachment: PDF with QR code containing recipient-specific credential theft content
- Attachment: PDF with recipient email in link
- Attachment: PDF with ReportLab library and default metadata
- Attachment: PDF With SAI Global ISO9001 Logo
- Attachment: PDF with self-service platform links with self sender or blank recipients
- Attachment: PDF with specific author metadata
- Attachment: PDF with split QR code
- Attachment: PDF with suspicious HeadlessChrome metadata
- Attachment: PDF with suspicious language and redirect to suspicious file type
- Attachment: PDF with suspicious link and action-oriented language
- Attachment: PDF with suspicious view document characteristics
- Attachment: Potential sandbox evasion in Office file
- Attachment: PowerPoint with suspicious hyperlink
- Attachment: PowerShell content
- Attachment: QR code link with base64-encoded recipient address
- Attachment: QR code with credential phishing indicators
- Attachment: QR code with encoded recipient targeting and redirect indicators
- Attachment: QR code with recipient targeting and special characters
- Attachment: QR code with suspicious URL patterns in EML file
- Attachment: QR code with userinfo portion
- Attachment: RDP connection file
- Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender
- Attachment: RFP/RFQ impersonating government entities
- Attachment: RTF file with suspicious link
- Attachment: RTF with embedded content
- Attachment: Self-sender PDF with minimal content and view prompt
- Attachment: SFX archive containing commands
- Attachment: Small text file with link containing recipient email address
- Attachment: Soda PDF producer with encryption themes
- Attachment: Suspicious employee policy update document lure
- Attachment: Suspicious PDF created with headless browser
- Attachment: SVG file execution
- Attachment: SVG file with HTML entity encoded href attributes
- Attachment: SVG file with hyperlinks and cursor styling
- Attachment: SVG files with evasion elements
- Attachment: TAR file with RAR type
- Attachment: Uncommon compressed file
- Attachment: USDA bid invitation impersonation
- Attachment: Web files with suspicious comments
- Attachment: WinRAR CVE-2025-8088 exploitation
- Attachment: XLSX file with suspicious print titles metadata
- Attachment: Zip exploiting CVE-2023-38831 (unsolicited)
- BEC with unusual reply-to or return-path mismatch
- BEC/Fraud: Fake investment outreach from suspicious TLD
- BEC/Fraud: Generic scam attempt to undisclosed recipients
- BEC/Fraud: Job scam fake thread or plaintext pivot to freemail
- BEC/Fraud: Penpal scam
- BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply
- BEC/Fraud: Romance scam
- BEC/Fraud: Scam lure with freemail pivot
- BEC/Fraud: Student loan callback phishing
- BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
- BEC: Employee impersonation with subject manipulation
- Benefits enrollment impersonation
- Body HTML: Comment with 24-character hex token
- Body HTML: Recipient SLD in HTML class
- Body: Embedded email headers indicative of thread hijacking/abuse
- Body: HTML whitespace stuffing with short initial message
- Body: PayApp transaction reference pattern
- Body: Suspicious date format
- Body: Yellow highlighted text markers
- Brand impersonation: AARP
- Brand impersonation: Adobe (QR code)
- Brand impersonation: Adobe Acrobat Sign PDF phishing file format template
- Brand impersonation: Adobe Sign with suspicious indicators
- Brand impersonation: Adobe with suspicious language and link
- Brand impersonation: ADP
- Brand impersonation: AliExpress
- Brand impersonation: Amazon
- Brand impersonation: Amazon Web Services (AWS)
- Brand impersonation: Amazon with suspicious attachment
- Brand impersonation: American Express (AMEX)
- Brand impersonation: Apple
- Brand impersonation: Aquent
- Brand impersonation: Aramco
- Brand impersonation: AuthentiSign
- Brand impersonation: Automobile assistance associations
- Brand impersonation: Bank of America
- Brand impersonation: Barracuda Networks
- Brand impersonation: Binance
- Brand impersonation: Blockchain.com
- Brand impersonation: Booking.com
- Brand impersonation: Box file sharing service
- Brand impersonation: Canada Revenue Agency
- Brand impersonation: Capital One
- Brand impersonation: Charles Schwab
- Brand impersonation: Chase Bank
- Brand impersonation: Chase bank with credential phishing indicators
- Brand impersonation: Cloud services with credential theft intent
- Brand impersonation: Coinbase
- Brand impersonation: Coinbase with suspicious links
- Brand impersonation: Dashlane
- Brand impersonation: DHL
- Brand impersonation: DigitalOcean
- Brand impersonation: Discord notification
- Brand Impersonation: Disney
- Brand impersonation: DocSend
- Brand impersonation: DocuSign
- Brand impersonation: DocuSign (QR code)
- Brand impersonation: DocuSign branded attachment lure with no DocuSign links
- Brand impersonation: DocuSign PDF attachment with suspicious link
- Brand impersonation: DocuSign with embedded QR code
- Brand impersonation: DoorDash
- Brand impersonation: Dotloop
- Brand impersonation: Dropbox
- Brand impersonation: Enbridge
- Brand impersonation: Evite
- Brand impersonation: Exodus
- Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains
- Brand impersonation: Fake Fax
- Brand impersonation: Fastway
- Brand impersonation: FedEx
- Brand impersonation: Figma with malicious document access overlay
- Brand impersonation: File sharing notification with template artifacts
- Brand impersonation: FINRA
- Brand Impersonation: Gemini Trust Company
- Brand impersonation: Github
- Brand impersonation: GitHub with callback scam indicators
- Brand impersonation: GoDaddy
- Brand Impersonation: Google (QR Code)
- Brand impersonation: Google Careers
- Brand impersonation: Google Drive fake file share
- Brand impersonation: Google fake sign-in warning
- Brand impersonation: Google Meet with malicious link
- Brand impersonation: Google using Microsoft Forms
- Brand impersonation: Google Workspace alert notification
- Brand impersonation: Greenvelope
- Brand impersonation: Gusto
- Brand impersonation: Hulu
- Brand impersonation: Interac
- Brand impersonation: Internal Revenue Service
- Brand impersonation: KnowBe4
- Brand impersonation: LastPass
- Brand impersonation: Ledger
- Brand impersonation: LinkedIn
- Brand impersonation: Mailchimp
- Brand impersonation: Mailgun
- Brand impersonation: Marriott with gift language
- Brand impersonation: McAfee
- Brand impersonation: Meta and subsidiaries
- Brand impersonation: MetaMask
- Brand impersonation: Microsoft
- Brand impersonation: Microsoft (QR code)
- Brand impersonation: Microsoft fake sign-in alert
- Brand impersonation: Microsoft logo in HTML with fake quarantine release notification
- Brand impersonation: Microsoft logo or suspicious language with open redirect
- Brand impersonation: Microsoft Planner with suspicious link
- Brand impersonation: Microsoft quarantine release notification in body
- Brand impersonation: Microsoft quarantine release notification in image attachment
- Brand impersonation: Microsoft Teams
- Brand impersonation: Microsoft Teams invitation
- Brand impersonation: Microsoft with embedded logo and credential theft language
- Brand impersonation: Microsoft with low reputation links
- Brand impersonation: Morgan Stanley
- Brand impersonation: Navan
- Brand impersonation: Netflix
- Brand impersonation: Norton
- Brand impersonation: Office 365 mail service
- Brand impersonation: Okta
- Brand impersonation: OpenAI with payment issues
- Brand impersonation: Outlook
- Brand impersonation: Paperless Post
- Brand Impersonation: PayPal
- Brand impersonation: PNC
- Brand Impersonation: Procore
- Brand impersonation: Proofpoint secure messaging without legitimate indicators
- Brand impersonation: Punchbowl
- Brand impersonation: Purdue ePlanroom with suspicious links
- Brand impersonation: Quickbooks
- Brand impersonation: QuickBooks dispute notification
- Brand impersonation: QuickBooks notification from Intuit themed company name
- Brand impersonation: Ripple
- Brand impersonation: Robert Half
- Brand impersonation: Robinhood
- Brand impersonation: SendGrid
- Brand Impersonation: ShareFile
- Brand impersonation: Sharepoint
- Brand impersonation: Sharepoint fake file share
- Brand impersonation: SharePoint PDF attachment with credential theft language
- Brand Impersonation: Shein
- Brand impersonation: Silicon Valley Bank
- Brand impersonation: SiriusXM
- Brand impersonation: Social Security Administration
- Brand impersonation: Spotify
- Brand impersonation: Square
- Brand impersonation: Squarespace
- Brand impersonation: State Farm
- Brand impersonation: Stellar Development Foundation (SDF)
- Brand Impersonation: Stripe
- Brand impersonation: Stripe notification
- Brand impersonation: Sublime Security
- Brand impersonation: Survey request with credential theft indicators
- Brand impersonation: TikTok
- Brand impersonation: Toronto-Dominion Bank
- Brand impersonation: Trust Wallet
- Brand impersonation: TurboTax
- Brand impersonation: Twitter
- Brand impersonation: UK government Home Office
- Brand impersonation: ukr[.]net
- Brand impersonation: United Healthcare
- Brand impersonation: UPS
- Brand impersonation: USPS
- Brand impersonation: Vanguard
- Brand impersonation: Vanta
- Brand impersonation: Venmo
- Brand impersonation: Wells Fargo
- Brand impersonation: WeTransfer
- Brand impersonation: Wise
- Brand impersonation: Wix
- Brand impersonation: Xodo Sign
- Brand impersonation: Zoom
- Brand impersonation: Zoom (strict)
- Brand impersonation: Zoom via HTML styling
- Brand impersonation: Zoom via lookalike domain
- Brand impersonation: Zoom with deceptive link display
- Brand spoof: Dropbox
- Business Email Compromise (BEC) attempt from unsolicited sender
- Business Email Compromise (BEC) attempt from untrusted sender
- Business Email Compromise (BEC) attempt from untrusted sender (French/Français)
- Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)
- Business Email Compromise (BEC) with request for mobile number
- Business Email Compromise: Request for mobile number via reply thread hijacking
- Callback phishing in body or attachment (untrusted sender)
- Callback phishing solicitation in message body
- Callback phishing via Adobe Sign comment
- Callback phishing via Apple ID display name abuse
- Callback phishing via calendar invite
- Callback phishing via DocuSign comment
- Callback phishing via e-signature service
- Callback phishing via extensionless rfc822 attachment
- Callback phishing via Google Group abuse
- Callback phishing via Google Meet
- Callback phishing via Intuit service abuse
- Callback phishing via Microsoft comment
- Callback Phishing via Signable E-Signature Request
- Callback phishing via SignFree e-signature request
- Callback phishing via Xodo Sign comment
- Callback phishing via Yammer comment
- Callback phishing via Zelle Service Abuse
- Callback phishing via Zoho service abuse
- Callback Phishing via Zoom comment
- Callback phishing: AOL senders with suspicious HTML template or PDF attachment
- Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old
- Callback phishing: Social Security Administration fraud
- Callback phishing: SumUp infrastructure abuse
- Callback scam: Impersonation via TimeTrade infrastructure
- Canva design with suspicious embedded link
- Canva infrastructure abuse
- Catbox.moe link from untrusted source
- ClickFunnels link infrastructure abuse
- Cloud storage impersonation with credential theft indicators
- Commonly abused sender TLD with engaging language
- Compensation review with QR code in attached EML
- Constant Contact link infrastructure abuse
- COVID-19 themed fraud with sender and reply-to mismatch or compensation award
- Credential phishing content and link (untrusted sender)
- Credential phishing language and suspicious indicators (unknown sender)
- Credential phishing link (unknown sender)
- Credential Phishing via Dropbox comment abuse
- Credential phishing: 'Secure message' and engaging language
- Credential phishing: AWS Lambda URL with recipient targeting
- Credential phishing: Blue button styled link with file-sharing template artifacts
- Credential phishing: DocuSign embedded image lure with no DocuSign domains in links
- Credential phishing: Email delivery failure impersonation
- Credential phishing: Engaging language and other indicators (untrusted sender)
- Credential phishing: Engaging language with IPFS link
- Credential phishing: Fake card notification with tracking lure
- Credential phishing: Fake password expiration from new and unsolicited sender
- Credential phishing: Fake storage alerts (unsolicited)
- Credential phishing: Financial lure via ActiveCampaign infrastructure
- Credential phishing: Generic document share template
- Credential phishing: Generic document sharing
- Credential phishing: Hyper-linked image leading to free file host
- Credential phishing: Image as content, short or no body contents
- Credential phishing: Onedrive impersonation
- Credential phishing: Re-Authentication lure
- Credential phishing: Suspicious e-sign agreement document notification
- Credential Phishing: Suspicious language, link, recipients and other indicators
- Credential phishing: Suspicious subject with urgent financial request and link
- Credential phishing: Tax form impersonation with payment request
- Credential Phishing: W-2 lure with inline SVG Windows logo
- Credential theft with 'safe content' deception and social engineering topics
- Credential theft: Gophish abuse with hidden tracking image
- CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG
- Cyrillic vowel substitution in subject or display name from unknown sender
- Cyrillic vowel substitutions with suspicious subject from unknown sender
- Deceptive Dropbox mention
- Display name and subject impersonation using recipient SLD (new sender)
- Display Name Emoji with Financial Symbols
- Display name impersonation using recipient SLD
- Disposable sender email (unsolicited)
- DLP - PCI: American Express Credit Card Number
- DLP - PCI: Discover Credit Card Number
- DLP - PCI: Mastercard Credit Card Number
- DLP - PCI: US Credit Card Number (Any Network)
- DLP - PCI: Visa Credit Card Number
- DLP: Argentina DNI Number
- DLP: Australia Bank Account Number
- DLP: Australia Credit Card Number
- DLP: Australia Driver's License Number
- DLP: Australia Medical Account Number
- DLP: Australia Passport Number
- DLP: Australia SWIFT Code
- DLP: Australia Tax File Number
- DLP: Austria Identity Card
- DLP: Austria Social Security Number
- DLP: Austria Tax Identification Number
- DLP: AWS Credentials
- DLP: Azure Authentication Token
- DLP: Basic Authentication Header
- DLP: Belgium National Number
- DLP: Brazil CPF Number
- DLP: Brazil RG Number
- DLP: Bulgaria Uniform Civil Number
- DLP: Canada Bank Account Number
- DLP: Canada Credit Card Number
- DLP: Canada Driver's License Number
- DLP: Canada Health Service Number
- DLP: Canada Passport Number
- DLP: Canada Personal Health Identification Number (PHIN)
- DLP: Canada Social Insurance Number (SIN)
- DLP: Chile Identity Card Number
- DLP: China Resident ID Number
- DLP: Colombia Citizenship Card Number
- DLP: Croatia Personal Identification (OIB)
- DLP: Cyprus Identity Card
- DLP: Czech Personal Identity Number
- DLP: Denmark Personal Identification Number
- DLP: Estonia Personal Identification Code
- DLP: EU Debit Card Number
- DLP: Finland National ID
- DLP: France Bank Account Number
- DLP: France Credit Card Number
- DLP: France Debit Card Number
- DLP: France Driver's License Number
- DLP: France National ID Card (CNI)
- DLP: France Passport Number
- DLP: France Social Security Number (INSEE)
- DLP: France Tax Identification Number (SPI)
- DLP: GCP API Key
- DLP: Germany Bank Account Number (IBAN)
- DLP: Germany Driver's License Number
- DLP: Germany Identity Card Number (Personalausweisnummer)
- DLP: Germany Passport Number
- DLP: Germany Tax Identification Number
- DLP: GitHub Token
- DLP: Greece National ID Card
- DLP: Greece Social Security Number (AMKA)
- DLP: Greece Tax Identification Number
- DLP: Hungary Personal Identification Number
- DLP: Hungary Social Security Number (TAJ)
- DLP: Hungary Tax Identification Number
- DLP: IMEI Number
- DLP: IMSI Number
- DLP: India Aadhaar Number
- DLP: India Bank Account Number
- DLP: India PAN Number
- DLP: India Passport Number
- DLP: IP Address
- DLP: Ireland Personal Public Service (PPS) Number
- DLP: Israel Bank Account Number
- DLP: Israel Credit Card Number
- DLP: Israel National ID
- DLP: Israel SWIFT Code
- DLP: Italy Fiscal Code
- DLP: Japan Bank Account Number
- DLP: Japan Credit Card Number
- DLP: Japan Driver's License Number
- DLP: Japan MyNumber ID
- DLP: Japan Passport Number
- DLP: Japan Social Insurance Number
- DLP: JSON Web Token (JWT)
- DLP: Latvia Personal Code
- DLP: Lithuania Personal Code
- DLP: Luxembourg National ID (Natural Persons)
- DLP: Luxembourg National ID (Non-Natural Persons)
- DLP: MAC Address
- DLP: Malta Identity Card Number
- DLP: Malta Tax ID Number
- DLP: Mexico CURP Number
- DLP: Mexico Passport Number
- DLP: Netherlands Citizen's Service (BSN) Number
- DLP: Netherlands Tax Identification Number
- DLP: OAuth Client Secret
- DLP: Poland Identity Card
- DLP: Poland Tax Identification Number
- DLP: Portugal Citizen Card Number
- DLP: Portugal Tax Identification Number
- DLP: Private Key
- DLP: Romania Personal Numerical Code
- DLP: Saudi Arabia IBAN
- DLP: Saudi Arabia National ID
- DLP: Saudi Arabia SWIFT Code
- DLP: Slack Token
- DLP: Slovakia Personal Number
- DLP: Slovenia Tax Identification Number
- DLP: Slovenia Unique Master Citizen Number
- DLP: South Korea Resident Registration Number (RRN)
- DLP: Spain Bank Account Number
- DLP: Spain DNI/NIE
- DLP: Spain Passport Number
- DLP: Spain Social Security Number
- DLP: Spain Tax Identification Number
- DLP: SSL Certificate
- DLP: Sweden National ID
- DLP: Sweden Tax Identification Number
- DLP: Taiwan ID Number
- DLP: Turkey ID Number
- DLP: UK National Health Service Number
- DLP: UK National Insurance Number (NINO)
- DLP: UK Passport Number
- DLP: UK SWIFT Code
- DLP: US Bank Account Number
- DLP: US Driver's License Number
- DLP: US ICD-10-CM Code
- DLP: US ICD-9-CM Code
- DLP: US Individual Taxpayer Identification Number (ITIN)
- DLP: US Insurance Claim Number
- DLP: US Passport Number
- DLP: US Social Security Number (SSN)
- DLP: Vehicle Identification Number (VIN)
- DocuSign impersonation via CloudHQ links
- DocuSign impersonation via spoofed Intuit sender
- Domain impersonation: Freemail reply-to local lookalike with financial request
- EML attachment with credential theft language (unknown sender)
- Employee impersonation with urgent request (untrusted sender)
- Employee impersonation: Payroll fraud
- Encrypted Microsoft Office files from untrusted sender
- Extortion / sextortion (untrusted sender)
- Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender
- Extortion / sextortion in attachment from untrusted sender
- Fake email quarantine notification
- Fake message thread - Untrusted sender with a mismatched freemail reply-to address
- Fake message thread with a suspicious link and engaging language from an unknown sender
- Fake request for tax preparation
- Fake scan-to-email message
- Fake shipping notification with link to free file hosting
- Fake shipping notification with suspicious language
- Fake thread with suspicious indicators
- Fake voicemail notification (untrusted sender)
- Fake warning banner using confusable characters
- Fake Zoho Sign template abuse
- Fake Zoom meeting invite with suspicious link
- File sharing link from suspicious sender domain
- File sharing link with a suspicious subject
- Fraudulent e-commerce operators
- Fraudulent order confirmation/shipping notification from Chinese sender domain
- Free email provider sender with mismatched provider reply-to
- Free subdomain link with credential theft indicators
- Free subdomain link with login or captcha (untrusted sender)
- Generic service abuse from newly registered domain
- Google Accelerated Mobile Pages (AMP) abuse
- Google Drive abuse: Credential phishing link
- Google Drive direct download link from unsolicited sender
- Google Notification alert link from non-Google sender
- Google presentation open redirect phishing
- Google services using g.co shortlinks
- Google share notification with suspicious comments
- Hardbacon infrastructure abuse
- Headers: Fake in-reply-to with wildcard sender and missing thread context
- Headers: Invalid recipient domain with mismatched reply-to from new sender
- Headers: iOS/iPadOS mailer with invalid build number
- Headers: Outlook Express mailer
- Headers: risky-recover-production message ID
- Headers: Self-sender using Microsoft CompAuth bypass with credential theft content
- Headers: System account impersonation with empty sender address
- Headers: X-Source-Auth mismatch with mismatched reply-to domain
- Headers: Zimbra mailer from a non-supported OS version
- Honorific greeting BEC attempt with sender and reply-to mismatch
- HR impersonation via e-sign agreement comment
- HTML content with print styling and credential theft language
- HTML smuggling containing recipient email address
- HTML smuggling with atob in message body
- HTML: Bidirectional (BIDI) HTML override with right to left obfuscation
- Image as content with a link to an open redirect
- Impersonation using recipient domain (untrusted sender)
- Impersonation: Australian Federal Police with criminal case language
- Impersonation: Chrome Web Store policy
- Impersonation: Employee using fabricated identity in initial contact
- Impersonation: Executive using numbered local part
- Impersonation: Fake Gmail attachment
- Impersonation: Fake product discount promotion
- Impersonation: Human Resources with link or attachment and engaging language
- Impersonation: Internal corporate services
- Impersonation: Legal firm with copyright infringement notice
- Impersonation: Recipient organization in sender display name with credential theft image
- Impersonation: Salesforce fake campaign failure notification
- Impersonation: SharePoint reply header anomaly
- Impersonation: Suspected supplier impersonation with suspicious content
- Inbound message from popular service via newly observed distribution list
- Inline image as message with attachment or link
- Investor solicitation with organization targeting
- Invoicera infrastructure abuse
- Issuu document with suspicious embedded link
- Job scam (unsolicited sender)
- Job scam with specific salary pattern
- Link abuse: Self-service creation platform link with suspicious recipient behavior
- Link to a domain with punycode characters
- Link to auto-download of a suspicious file type (unsolicited)
- Link to auto-downloaded disk image in encrypted zip
- Link to auto-downloaded DMG in archive
- Link to auto-downloaded DMG in encrypted zip
- Link to auto-downloaded file with Adobe branding
- Link to auto-downloaded file with Google Drive branding
- Link to Google Apps Script macro (unsolicited)
- Link to Google Apps Script macro via comment tagging
- Link: .onion From Unsolicited Sender
- Link: /index.php enclosed in three asterisks
- Link: 9WOLF phishkit initial landing URI
- Link: Abused Adobe Express
- Link: Adobe share from unsolicited sender
- Link: Adobe share with suspicious indicators
- Link: Apple App Store link to apps impersonating AI advertising
- Link: Apple App Store malicious ad manager themed apps from free email provider
- Link: Apple TestFlight from suspicious sender
- Link: Base64 encoded recipient address in URL fragment with hex subdomain
- Link: Base64 encoded recipient address in URL fragment with subject hash
- Link: BEC with newly registered domains and financial keywords
- Link: Blogspot hosting explicit romance content
- Link: Breely link masquerading as PDF
- Link: chatbot.page platform abuse
- Link: Common hidden directory observed
- Link: Commonly Abused Web Service redirecting to ZIP file
- Link: Concatenated display text concealing duplicate URLs with PDF reference
- Link: Credential harvesting with excess padding evasion
- Link: Credential phishing link with undisclosed recipients
- Link: Credential phishing traversing Russian infrastructure
- Link: Credential phishing via WordPress
- Link: Credential theft with Cloudflare tunnel and recipient targeting
- Link: Credential theft with invisible Unicode character in page title from unsolicited sender
- Link: Cryptocurrency fraud with suspicious links
- Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability
- Link: Direct download of executable file
- Link: Direct link to gamma.app document with mode parameter
- Link: Direct link to keap.app contact-us page
- Link: Direct link to limewire hosted file
- Link: Direct link to riddle.com hosted showcase
- Link: Direct link to Zoom Docs from non-Zoom sender
- Link: Direct MSI download from low reputation domain
- Link: Direct POWR.io Form Builder with suspicious patterns
- Link: Display text matches subject line
- Link: Display text with excessive right-to-left mark characters
- Link: Document sharing invitation template
- Link: Excessive URL rewrite encoders
- Link: Executable file download with suspicious message content
- Link: Figma design deck with credential theft language
- Link: File sharing impersonation with suspicious language and sending patterns
- Link: File sharing pretext with suspicious body and link
- Link: Financial account issue with suspicious indicators
- Link: Flagged bit.ly link
- Link: Flare-branded credential harvesting via Cloudflare tunnels
- Link: Free file hosting with undisclosed recipients
- Link: Free subdomain host with undisclosed recipients
- Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender
- Link: Google Cloud Storage impersonating with googledrive in URL path
- Link: Google Cloud Storage with suspicious URL pattern
- Link: Google Drawings link from new sender
- Link: Google Firebase dynamic link that redirects to new domain (<7 days old)
- Link: Google Forms link with credential theft language
- Link: Google Translate (unsolicited)
- Link: GoPhish query param values
- Link: Hotel booking spoofed display URL
- Link: HR impersonation with suspicious domain indicators and credential theft
- Link: HTML file with suspicious binary fragment ending pattern
- Link: Intuit link abuse with file share context
- Link: Invoice or receipt from freemail sender with customer service number
- Link: IPFS
- Link: IPv4-mapped IPv6 address obfuscation
- Link: JavaScript obfuscation with Telegram bot integration
- Link: Jensi file preview link from unsolicited sender
- Link: Job recruitment lure from unsolicited sender with suspicious hosting
- Link: Landing page with search-ms protocol redirect
- Link: Mamba 2FA phishing kit
- Link: Microsoft device code authentication with suspicious indicators
- Link: Microsoft Dynamics 365 form phishing
- Link: Microsoft impersonation using hosted png with suspicious link
- Link: Microsoft protected message with matching sender and recipient addresses
- Link: Mixed case HTTPS protocol
- Link: Multiple HTTP protocols in single URL
- Link: Multistage landing - Abused Adobe Acrobat hosted PDF
- Link: Multistage landing - Abused Adobe frame.io
- Link: Multistage Landing - Abused Buildin.ai
- Link: Multistage landing - Abused Docusign
- Link: Multistage landing - Abused Google Drive
- Link: Multistage landing - ClickUp abuse
- Link: Multistage landing - FreshDesk knowledge base abuse
- Link: Multistage landing - JotForm abuse
- Link: Multistage landing - Ludus presentation
- Link: Multistage landing - Microsoft Forms abuse
- Link: Multistage landing - Published Google Doc
- Link: Multistage landing - Scribd document
- Link: Multistage landing - Trello board abuse
- Link: MyActiveCampaign Link Abuse
- Link: Non-standard port 8443 in display URL
- Link: Numeric IP obfuscation in URL
- Link: Obfuscation via userinfo with excessive URL padding
- Link: Obfuscation via userinfo with suspicious indicators
- Link: Observed URL pattern with specific domain registrar
- Link: PDF and financial display text to free file host
- Link: PDF display text with fake copyright claim template
- Link: PDF file disguised as HTML page
- Link: PDF filename impersonation with credential theft language
- Link: Personal SharePoint with invalid recipients and credential theft language
- Link: Personalized URL with recipient address on commonly abused web service
- Link: QR code in EML attachment with credential phishing indicators
- Link: QR code with phishing disposition in img or pdf
- Link: QR Code with suspicious language (untrusted sender)
- Link: QuickBooks image lure with suspicious link
- Link: Recipient domain in URL path
- Link: Recipient email address in 'eta' parameter
- Link: Referrer anonymization service from untrusted sender
- Link: Remittance payment request with timeline template
- Link: RFI document reference pattern in display text
- Link: Romance/Sexual Language With Suspicious Link
- Link: ScreenConnect installer with suspicious relay domain
- Link: Scribd fullscreen link from suspicious sender
- Link: Secure SharePoint file share from new or unusual sender
- Link: Self-sender credential theft with configuration placeholder
- Link: Self-sender with sender org in subject and credential theft indicator
- Link: Self-sent message with quarterly document review request
- Link: Self-sent PDF lure with subject correlation
- Link: SharePoint filename matches org name
- Link: SharePoint files shared from GoDaddy federated tenants
- Link: SharePoint OneNote or PDF link with self sender behavior
- Link: Shortened URL with fragment matching subject
- Link: Single character path with credential theft body and self sender behavior or invalid recipient
- Link: Spam website with evasion indicators
- Link: Squarespace infrastructure abuse
- Link: Suspicious Family fragment parameter with encoded recipient data
- Link: Suspicious file retrieval with recipient targeting
- Link: Suspicious go.php redirect with document lure
- Link: Suspicious Loom HTML file path
- Link: Suspicious SharePoint document name
- Link: Suspicious Sharepoint folder share
- Link: Suspicious URL path with binary character sequence
- Link: Suspicious URL with recipient targeting and special characters
- Link: SVG with embedded recipient data
- Link: Tax document lure Portuguese/Spanish with suspicious domains
- Link: Tycoon2FA phishing kit (non-exhaustive)
- Link: Uncommon SharePoint document type with sender's display name
- Link: Unsolicited email contains link leading to Tycoon URL structure
- Link: Unsolicited email contains link to page containing Tycoon URI structure
- Link: URL fragment with hexadecimal pattern obfuscation
- Link: URL path containing /moni/index
- Link: URL redirecting to blob URL
- Link: URL scheme obfuscation via split HTML anchors
- Link: URL shortener with copy-paste instructions and credential theft language
- Link: Webflow link from unsolicited sender
- Link: WordPress admin targeting with recipient identifier in URL fragment
- Link: WordPress login page with Blogspot Binance scam
- Link: Zoho form link from unsolicited sender
- Lookalike sender domain (untrusted sender)
- Low reputation link to auto-downloaded HTML file with smuggling indicators
- macOS malware: Compiled AppleScript with document double-extension
- Malware: Pikabot delivery via URL auto-download
- MalwareBazaar: Malicious attachment hash (trusted reporters)
- MalwareBazaar: Malicious attachment hash in archive (trusted reporters)
- Mass campaign: Cross Site Scripting (XSS) attempt
- Mass campaign: recipient address in subject, body, and link (untrusted sender)
- Message traversed multiple onmicrosoft.com tenants
- Microsoft device code phishing
- Microsoft infrastructure abuse with suspicious patterns
- Mismatched links: Free file share with urgent language
- New link domain (<=10d) from untrusted sender
- New sender domain (<=10d) from untrusted sender
- Newly registered sender or reply-to domain with newly registered linked domain
- Non-RFC compliant calendar files from unsolicited sender
- Notion suspicious file share
- Observed IOC: Malicious sender domains
- Observed IOC: Malicious sender email addresses
- Observed IOC: Malicious sender root domains
- Open redirect (go2.aspx) leading to Microsoft credential phishing
- Open redirect: adnxs.com
- Open redirect: agena-smile.com
- Open redirect: amaterasu-for-website-5.com
- Open redirect: api.spently.com
- Open redirect: Artisteer
- Open redirect: artkaderne
- Open Redirect: asemailmgmteu.com
- Open redirect: astroarts.co.jp
- Open redirect: Atdmt
- Open redirect: Avast
- Open redirect: bananaguide.com
- Open redirect: bangkoksync.com
- Open redirect: bestdeals.today
- Open redirect: Bitrix24 URL Path
- Open redirect: BMW USA
- Open redirect: bubblelife.com
- Open redirect: buildingengines.com
- Open redirect: business.google.com website_shared URL Param
- Open redirect: Cartoon Network
- Open redirect: chkc.com.hk
- Open redirect: City of Calgary
- Open redirect: Club-OS
- Open redirect: convertcart.com
- Open redirect: Dell
- Open redirect: designsori.com
- Open redirect: documentmailbox.com
- Open redirect: Doubleclick.net
- Open redirect: eaoko.org
- Open redirect: easycamp.com
- Open redirect: embluemail.com
- Open redirect: emlakarsa
- Open redirect: emp.eduyield.com
- Open redirect: eodcnetworkdirect.com
- Open redirect: events.csiro.au
- Open redirect: ExacTag
- Open redirect: fenc.com
- Open redirect: g7.fr
- Open redirect: giving.lluh.org
- Open redirect: Google Ad Services
- Open Redirect: Google domain with /url path and suspicious indicators
- Open redirect: Google Web Light
- Open redirect: Hakumonkai.org
- Open redirect: HHS
- Open redirect: ijf.org
- Open redirect: Indeed
- Open redirect: IndiaTimes
- Open redirect: isadatalab.com
- Open redirect: k-mil.net
- Open redirect: Klaviyo
- Open redirect: labcluster.com
- Open redirect: LearningApps
- Open redirect: Linkedin
- Open redirect: LinkedIn Redirect
- Open redirect: listing.ca
- Open redirect: magic4media.com
- Open redirect: magiccity.ne.jp
- Open redirect: magneticmarketing.com
- Open redirect: mail.spiceworks.com
- Open redirect: Mailtrack Korea
- Open redirect: marketing.edinburghairport.com
- Open redirect: McGill University
- Open redirect: Medium
- Open redirect: Meta --> YouTube Redirection Chain
- Open redirect: mindmixer.com
- Open redirect: MSN
- Open redirect: museepicassoparis.fr
- Open redirect: Nested Doubleclick.net
- Open redirect: Newegg
- Open redirect: next2.io
- Open redirect: nowlifestyle.com
- Open redirect: obunsha.co.jp
- Open redirect: Panera Bread
- Open redirect: people.anuneo.com
- Open redirect: phoenixartstudio.net
- Open redirect: PIRL San Diego
- Open redirect: plasticsurgery.or.kr
- Open redirect: pmifunds.com
- Open redirect: predictiveresponse.net
- Open redirect: PremierBet
- Open redirect: qrxtech.com
- Open redirect: queue.swytchbike.com
- Open redirect: radiopublic.com
- Open redirect: retailrocket.net
- Open redirect: ringaraja.net
- Open redirect: Samsung
- Open redirect: sciencebuddies.org
- Open redirect: secondstreetapp.com
- Open redirect: Shibboleth SSO Logout Return Parameter
- Open redirect: shoppermeet.net
- Open redirect: shoppingwebapi.didatravel.com
- Open redirect: Signature Travel Network
- Open redirect: Slack
- Open redirect: slubnaglowie.pl
- Open redirect: smartadserver.com
- Open redirect: smore.com
- Open redirect: Snapchat
- Open redirect: social.bigpress.net
- Open redirect: ssg-financial.com
- Open redirect: stats.lib.pdx.edu
- Open redirect: storematch.jp
- Open redirect: Ticketmaster
- Open redirect: TikTok
- Open redirect: tkqlhce.com
- Open redirect: tuttocauzioni.it
- Open redirect: typedrawers.com
- Open redirect: U.S. Antarctic Program Data Center (USAP-DC)
- Open redirect: unitedwaynwvt.org
- Open redirect: ust.hk
- Open redirect: vconfex.com
- Open redirect: VK
- Open redirect: weblinkconnect.com
- Open redirect: whitefox.pl
- Open redirect: Xfinity CMP Redirection to Google AMP
- Open redirect: xfinity.com
- Open redirect: YouTube
- Open redirect: YouTube --> Google Redirection Chain
- Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag
- PayPal invoice abuse
- PDF attachment with Google (AE) redirecting to a php or zip file
- PhaaS: Impact Solutions (Impact Vector Suite)
- PHP Mailer with common phishing attachments
- Potential prompt injection attack in body HTML
- Punycode sender domain
- QR code to auto-download of a suspicious file type (unsolicited)
- QR Code with suspicious indicators
- Reconnaissance: All recipients cc/bcc'd or undisclosed
- Reconnaissance: Email address harvesting attempt
- Reconnaissance: Empty message from uncommon sender
- Reconnaissance: Empty subject with mismatched reply-to from new sender
- Reconnaissance: Hotel booking reply-to redirect
- Reconnaissance: Large unknown recipient list
- Reconnaissance: Short generic greeting message
- Recruitee Infrastructure Abuse
- Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment
- Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
- Russia return-path TLD (untrusted sender)
- Salesforce infrastructure abuse
- Scam soliciting employer review/rating
- Self-sender with copy/paste instructions and suspicious domains (French/Français)
- Self-sent fake PDF attachment with misleading link
- Sender name contains Active Directory distinguished name
- Sender: IP address in local part
- Sendgrid onmicrosoft.com domain phishing
- Sendgrid voicemail phish
- Service abuse: Adobe Creative Cloud share from an unsolicited sender address
- Service abuse: Adobe legitimate domain with document approval language
- Service abuse: Adobe Sign notification from an unsolicited reply-to address
- Service abuse: Amazon invitation with suspected callback phishing
- Service abuse: Apple TestFlight with suspicious developer reference
- Service abuse: AppSheet infrastructure with suspicious indicators
- Service abuse: AWS SNS callback scam impersonation
- Service abuse: Behance document sharing with suspicious language
- Service Abuse: Box file sharing with credential phishing intent
- Service abuse: Calendly callback scam detection
- Service abuse: Callback phishing via Microsoft Teams invite
- Service abuse: Cisco secure email service with financial request
- Service abuse: Citrix ShareFile impersonation via Outlook plugin
- Service abuse: Demio notifications with suspicious content patterns
- Service abuse: DocSend share from an unsolicited reply-to address
- Service abuse: DocSend share from newly registered domain
- Service abuse: DocuSign notification with suspicious sender or document name
- Service abuse: DocuSign share from an unsolicited reply-to address
- Service abuse: Domains By Proxy sender
- Service abuse: Dropbox Paper with copy-paste instructions
- Service abuse: Dropbox share from an unsolicited reply-to address
- Service abuse: Dropbox share from new domain
- Service abuse: Dropbox share with suspicious sender or document name
- Service abuse: Elastic alerts extortion
- Service Abuse: ExactTarget with suspicious sender indicators
- Service abuse: Facebook business with action required subject
- Service abuse: File sharing impersonation with external SharePoint links
- Service abuse: FlipHTML5 with attachment deception and credential theft language
- Service abuse: Formester with suspicious link behavior
- Service abuse: Free provider with SendGrid routing
- Service abuse: GetAccept callback scam content
- Service abuse: GitHub notification with excessive mentions and suspicious links
- Service Abuse: GoDaddy infrastructure
- Service abuse: Google account notification with links to free file host
- Service abuse: Google application integration redirecting to suspicious hosts
- Service abuse: Google Calendar notification with callback scam language
- Service abuse: Google classroom solicitation
- Service abuse: Google Drive share from an unsolicited reply-to address
- Service abuse: Google Drive share from new reply-to domain
- Service abuse: Google Firebase sender address with suspicious content
- Service abuse: Google Groups callback scam
- Service abuse: Google OAuth with suspicious redirect destination
- Service abuse: Google Tag Manager debug cookie clearing with open redirect potential
- Service abuse: HelloSign from an unsolicited sender address
- Service Abuse: HelloSign share with suspicious sender or document name
- Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail
- Service abuse: IBM IAM account notification with callback scam indicators
- Service abuse: Linode Objects HTML file hosting
- Service abuse: Meetup.com redirect with brand impersonation
- Service abuse: Microsoft Power Apps callback scam
- Service abuse: Microsoft Power Automate callback scam impersonation
- Service abuse: Microsoft Power BI callback scam
- Service abuse: Microsoft with suspicious indicators in subject
- Service abuse: Mimecast URL with excessive path length
- Service abuse: Monday.com callback scam
- Service abuse: Monday.com infrastructure with phishing intent
- Service abuse: MongoDB Atlas callback scam
- Service Abuse: Nifty.com with impersonation
- Service abuse: Nylas tracking subdomain with suspicious content
- Service abuse: Payoneer callback scam
- Service abuse: PayPal manager account creation with callback scam indicators
- Service abuse: QuickBooks notification from new domain
- Service abuse: QuickBooks notification with suspicious comments
- Service abuse: Recruiting with suspicious language patterns from legitimate platforms
- Service abuse: Roomsy with unrelated body content
- Service abuse: Sendgrid credential theft with personalized request targeting single recipient
- Service abuse: SendGrid impersonation via Sendgrid from new sender
- Service abuse: SendGrid-formatted link with actor-controlled fragment
- Service abuse: SendThisFile with credential theft and financial language
- Service abuse: Square marketing with suspicious QR code
- Service abuse: Substack credential theft with confusable characters and branded button redirects
- Service abuse: SurveyMonkey survey from newly registered domain
- Service abuse: Suspicious Datadog alert
- Service abuse: Suspicious Zoom Docs link
- Service abuse: Task management message sent via SendGrid
- Service abuse: Trello board invitation with VIP impersonation
- Service abuse: Vimeo with external plain-text links in message
- Service abuse: WeTransfer callback scam
- Service abuse: Wix redirect through bulk mailer domains
- Service Abuse: Zoom with freemail reply-to and recipient address in greeting
- Service abuse: Zoom with newly registered reply-to domain
- Sharepoint file share with suspicious recipients pattern
- Sharepoint link likely unrelated to sender
- Sharepoint online with external recipients and external display name
- SharePoint OTP for filename matching org name
- Spam/fraud: Predatory journal/research paper request
- Spam: Attendee list solicitation
- Spam: BlackBaud infrastructure abuse
- Spam: Campaign with excessive display-text and keywords found
- Spam: Campaign with excessive space/char obfuscation and free file hosted link
- Spam: Commonly observed formatting of unauthorized free giveaways
- Spam: Cryptocurrency airdrop/giveaway
- Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
- Spam: Fake dating profile notification
- Spam: Fake photo share
- Spam: Firebase password reset from suspicious sender
- Spam: Ghostwriting services scam with manipulative language
- Spam: Item giveaway spam template
- Spam: Link to blob.core.windows.net from new domain (<30d)
- Spam: Mastercard promotional content with image-based body
- Spam: New job cold outreach from unsolicited sender
- Spam: New link domain (<=10d) and emojis
- Spam: Personalized subject and greetings via Salesforce Marketing Cloud
- Spam: Sendersrv.com with financial communications and unsubscribe language
- Spam: Sexually explicit content with emoji in subject from freemail provider
- Spam: Sexually explicit Google Drive share
- Spam: Sexually explicit Google group invitation
- Spam: Sexually explicit Looker Studio report
- Spam: Single recipient duplicated in cc
- Spam: SMTP & Proxy Communications in Email Body
- Spam: Unsolicited malformed PDF
- Spam: Unsolicited WordPress account creation or password reset request
- Spam: URL shortener with short body content and emojis
- Spam: Website errors solicitation
- SPF temp error
- Spoofable internal domain with suspicious signals
- Stripe invoice abuse
- Subject and sender display name contains matching long alphanumeric string
- Subject: Suspicious bracketed reference
- Suspected cross-site scripting (XSS) found in subject
- Suspected lookalike domain with suspicious language
- Suspected WordPress abuse with cross-site scripting (XSS) indicators
- Suspicious attachment with unscannable Cloudflare link
- Suspicious attachment: Duplicate decoy PDF files
- Suspicious display name: Gmail sender with engaging language
- Suspicious DocuSign share from new domain
- Suspicious invoice reference with missing or image-only attachments
- Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender
- Suspicious Links to Cloudflare R2 and Edge Services
- Suspicious mailer received from Gmail servers
- Suspicious message with unscannable Cloudflare link
- Suspicious message with unscannable Vercel link
- Suspicious newly registered reply-to domain with engaging financial or urgent language
- Suspicious Office 365 app authorization (OAuth) link
- Suspicious recipient pattern and language with low reputation link to login
- Suspicious recipients pattern with NLU credential theft indicators
- Suspicious recipients pattern with no Compauth pass and suspicious content
- Suspicious request for financial information
- Suspicious sender display name with long procedurally generated text blob
- Suspicious SharePoint file sharing
- Suspicious subject with long procedurally generated text blob
- Suspicious VBA macros from untrusted sender
- Targeting: Specific AOL address
- Tax Form: W-8BEN solicitation
- Truth Social infrastructure abuse via link redirect
- Twitter infrastructure abuse via link shortener
- Unicode QR code
- URI protocol handler: search-ms
- URL with Unicode U+2044 (⁄) or U+2215 (∕) characters
- URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)
- Vendor compromise: GovDelivery message with suspicious link
- Vendor impersonation: Thread hijacking with typosquat domain
- Venmo payment request abuse
- VIP / Executive impersonation (strict match, untrusted)
- VIP / Executive impersonation in subject (untrusted)
- VIP Impersonation via Google Group relay with suspicious indicators
- VIP impersonation with BEC language (near match, untrusted sender)
- VIP impersonation with charitable donation fraud
- VIP impersonation with invoicing request
- VIP impersonation with urgent request (strict match, untrusted sender)
- VIP impersonation with w2 request with reply-to mismatch
- VIP impersonation: Fake thread with display name match, email mismatch
- VIP local_part impersonation from unsolicited sender
- X (Twitter) impersonation with credential phishing motives
- Xero infrastructure abuse
- Xero invoice abuse
- Zoom Events newsletter abuse
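Several of the `Link:` and `URL` rule titles above name concrete link-obfuscation tricks (mixed-case scheme, multiple protocols in one URL, userinfo before the real host, numeric and IPv4-mapped IPv6 host literals, punycode labels, U+2044/U+2215 slash lookalikes, port 8443, the recipient address plain or base64-encoded in the URL). The Python below is an added illustration of what those titles describe, written for this page; it is not Sublime's MQL, not the logic of any listed rule, and the sample links and recipient `joe@example.com` are constructed, not observed in any campaign.

```python
"""Heuristic URL checks mirroring link-obfuscation rule titles in the index above.
Added illustration only (not Sublime MQL); every sample link below is constructed."""
import base64
import ipaddress
import re
from urllib.parse import urlsplit

# U+2044 FRACTION SLASH and U+2215 DIVISION SLASH, used to fake a path separator
SLASH_LOOKALIKES = "\u2044\u2215"


def decode_numeric_ipv4(host):
    """Return the dotted-quad form of a host written as a decimal, octal or hex
    IPv4 literal (3232235777, 0xC0A80101, 0300.0250.01.01), else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
            values.append(int(part, 16))
        elif re.fullmatch(r"0[0-7]+", part):
            values.append(int(part, 8))
        elif re.fullmatch(r"0|[1-9][0-9]*", part):
            values.append(int(part, 10))
        else:
            return None
    # inet_aton semantics: the last component fills all remaining bytes
    widths = [8] * (len(values) - 1) + [32 - 8 * (len(values) - 1)]
    n = 0
    for value, width in zip(values, widths):
        if value >= 1 << width:
            return None
        n = (n << width) | value
    return str(ipaddress.IPv4Address(n))


def check_url(url, recipient=""):
    """Return the names of the obfuscation indicators present in url."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        port = parts.port
    except ValueError:
        port = None
    # "Link: Mixed case HTTPS protocol"
    scheme_raw = url.split(":", 1)[0]
    if scheme_raw.lower() in ("http", "https") and scheme_raw != scheme_raw.lower():
        findings.append("mixed_case_scheme")
    # "Link: Multiple HTTP protocols in single URL"
    if len(re.findall(r"https?://", url, re.IGNORECASE)) > 1:
        findings.append("multiple_protocols")
    # "Link: Obfuscation via userinfo ..." (brand before '@', real host after it)
    if parts.username is not None:
        findings.append("userinfo_obfuscation")
    # "Link: Numeric IP obfuscation in URL" (plain dotted quads are not flagged)
    decoded = decode_numeric_ipv4(host)
    if decoded is not None and decoded != host:
        findings.append("numeric_ip_obfuscation:" + decoded)
    # "Link: IPv4-mapped IPv6 address obfuscation"
    try:
        mapped = ipaddress.IPv6Address(host).ipv4_mapped
    except ValueError:
        mapped = None
    if mapped is not None:
        findings.append("ipv4_mapped_ipv6:" + str(mapped))
    # "Link to a domain with punycode characters"
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode_domain")
    # "URL with Unicode U+2044 or U+2215 characters"
    if any(ch in url for ch in SLASH_LOOKALIKES):
        findings.append("slash_lookalike")
    # "Link: Non-standard port 8443 in display URL"
    if port == 8443:
        findings.append("port_8443")
    if recipient:
        # "Link: Base64 encoded recipient address in URL fragment ..."
        encoded = base64.b64encode(recipient.encode()).decode().rstrip("=")
        urlsafe = encoded.replace("+", "-").replace("/", "_")
        if encoded in parts.fragment or urlsafe in parts.fragment:
            findings.append("b64_recipient_in_fragment")
        # "Link: Personalized URL with recipient address ..."
        elif recipient.lower() in url.lower():
            findings.append("recipient_in_url")
    return findings


# Constructed samples (hypothetical hosts, not real infrastructure)
SAMPLE_LINKS = [
    "https://docs.example/share/report.pdf",
    "hTTpS://evil.example/login",
    "https://redirect.example/go?u=http://evil.example/",
    "https://login.microsoftonline.com@evil.example/common/oauth2",
    "http://0xC0A80101/login",
    "http://0300.0250.01.01/",
    "http://[::ffff:192.168.1.1]/owa",
    "https://xn--pypal-4ve.example/signin",
    "https://login.example\u2044secure.evil.example/",
    "https://evil.example:8443/owa/",
    "https://files.example/view#am9lQGV4YW1wbGUuY29t",  # base64("joe@example.com")
    "https://portal.example/login?user=joe@example.com",
]


def flagged_links(links, recipient=""):
    """Return [(url, findings)] for every link that trips at least one check."""
    return [(u, check_url(u, recipient)) for u in links if check_url(u, recipient)]


if __name__ == "__main__":
    for url, hits in flagged_links(SAMPLE_LINKS, "joe@example.com"):
        print(url, "->", ", ".join(hits))
```

Each check is deliberately narrow: a plain dotted-quad host is an IP literal but not an obfuscated one, and the recipient check looks for the padding-stripped and URL-safe base64 forms because fragments are rarely padded. These heuristics flag candidates for review, not verdicts; the index above pairs most of them with sender-reputation and language conditions before alerting.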