
Summary
This rule detects credential phishing attempts that impersonate an IT department alert about mailbox storage. It triggers on inbound emails whose body contains the phrase MAILBOX STORAGE ALERT. It further requires the HTML content to present a phishing page with five anchor links: Clean Inbox, Storage Guide, Empty Deleted Items, Clean Mailbox Now, and Contact IT Support. Additionally, it checks for historical context in prior threads indicating IT Department and a phone extension (call ext. 5555) to reinforce impersonation. The combined signals indicate a social-engineering attempt designed to induce the user to take actions or disclose credentials. The rule relies on content analysis of the email body and HTML links to identify the deception and corroborating cues from prior threads. Potential false positives may arise from legitimate IT notifications containing similar phrasing or link sets, so correlation with user behavior and sender reputation is advisable.
Categories
- Network
- Endpoint
- Web
- Application
- Other
Data Sources
- Network Traffic
- Application Log
Created: 2026-07-08