The following rules can be used to detect phishing activity in your organization.

Detect Use of Internationalized Domain Names in HTTP and DNS

Rule

Flow_IDN.lrl

Description

This rule scans HTTP and DNS traffic for the use of Internationalized Domain Names (IDNs), which can contain UTF-16 encoded characters that look like ordinary Latin letters. Because of that resemblance, a lookalike IDN is hard to tell apart visually from the legitimate domain it imitates.

Detect Potential Phishing

Rule

Flow_SMTPDomainMismatch.lrl

Description

This rule detects email phishing attempts by comparing the sender email address, its domain, and the reply-to domain, and flagging messages where they do not match.
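The two detections above, as an added Python example that is not part of the rule files: it flags Punycode (xn--) hostnames in constructed DNS/HTTP flow records, escalates those whose decoded form mixes scripts (Latin letters beside Cyrillic lookalikes), and compares the From, Reply-To and Return-Path domains for the SMTP mismatch case. The flow record layout, the header field names and all sample values are assumptions made for this example.

```python
import email.utils
import re
import unicodedata

# Constructed sample flow records (not real traffic): DNS queries and HTTP Host headers.
SAMPLE_FLOWS = [
    "dns query=xn--pple-43d.com",   # decodes to "аpple.com": the first letter is Cyrillic
    "http host=www.example.com",
    "http host=xn--mnchen-3ya.de",  # decodes to "münchen.de": a legitimate IDN
]
HOST_FIELD = re.compile(r"\b(?:query|host)=(\S+)")  # assumed log layout


def decode_idn(host):
    """Return the Unicode form of a host with a Punycode (xn--) label, else None."""
    if not re.search(r"(?:^|\.)xn--", host, re.IGNORECASE):
        return None
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # undecodable Punycode is still worth an alert


def mixed_script(host):
    """True if any label mixes writing systems, e.g. Latin letters beside Cyrillic lookalikes."""
    for label in host.split("."):
        scripts = {unicodedata.name(ch, "?").split()[0] for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            return True
    return False


def scan_flows(lines):
    """Yield (host, decoded, mixed) for every flow record whose hostname is an IDN."""
    for line in lines:
        m = HOST_FIELD.search(line)
        if m and (decoded := decode_idn(m.group(1))) is not None:
            yield m.group(1), decoded, mixed_script(decoded)


def smtp_domain_mismatch(headers):
    """Flag mail whose From, Reply-To and Return-Path domains disagree (assumed field names)."""
    domains = set()
    for field in ("From", "Reply-To", "Return-Path"):
        addr = email.utils.parseaddr(headers.get(field, ""))[1]
        if "@" in addr:
            domains.add(addr.rsplit("@", 1)[1].lower())
    return len(domains) > 1
```

A legitimate IDN such as münchen.de is reported but not marked mixed-script, so the second flag is the one to alert on with higher priority.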