
Summary
Detects inbound messages that reference invoices, payment releases, and procedural timelines and contain links intended to direct recipients to financial documents. The rule enforces a modest link count (<=40) and requires time-based cues such as a release date (will be released on a specific Monday/Tuesday... with a month and day) or a short day-count phrase. It flags messages whose link text or metadata suggests viewing or accessing a payment/statement/document, or where a Natural Language Understanding (NLU) topic indicates a high-confidence "Request to View Invoice". The rule widens its net with host/domain heuristics: suspicious links hosted on known free file hosts, unusual TLDs, self-service creation platforms, or domains not found in standard top-level trust lists; it also flags potential open redirects via query parameters. A bait-and-switch CTA pattern (e.g., a message clipping notice plus a prompt to view the entire message) is considered suspicious. It excludes known legitimate org domains and requires the URL domain to be valid. Sender behavior is evaluated: either a single recipient equal to the sender, or no/invalid recipients present. The rule targets BEC and credential phishing via invoice-related lure documents and uses a combination of content analysis, NLU topic matching, header analysis, and sender analysis to detect exploit attempts while reducing false positives from legitimate communications.
Categories
- Web
- Endpoint
Data Sources
- Network Traffic
- Web Credential
- Process
- File
Created: 2026-07-11