The following rules can be used to detect phishing activity in your organization.
Detect Use of Internationalized Domain Names in HTTP and DNS
This rule scans HTTP and DNS traffic for Internationalized Domain Names (IDNs), which can contain UTF-16 encoded characters that look like normal letters. These lookalike characters make it difficult to notice visually that the domain name is not the intended one.
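A sketch of this kind of check, added here as an example and not the rule's own logic. It assumes events are dicts with hypothetical `proto` and `name` fields, relies on IDN labels appearing in DNS queries and Host headers in their ASCII `xn--` (Punycode) form, and adds a heuristic mixed-script flag that the rule description does not mention.

```python
import unicodedata

def normalize_host(raw):
    """Lower-case a DNS name or HTTP Host value; drop port and trailing dot."""
    host = raw.strip().lower()
    if host.startswith("["):              # IPv6 literal, cannot be an IDN
        return ""
    return host.rsplit(":", 1)[0].rstrip(".")

def decode_label(label):
    """Unicode form of an IDN label, or None when the label is plain ASCII."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except ValueError:                # malformed label: flag it anyway
            return "\ufffd"
    return None if label.isascii() else label

def scripts(text):
    """Heuristic script set, taken from the first word of each character name."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in text if c.isalpha()}

def check_event(event):
    """Return a finding for a name containing an IDN label, else None."""
    host = normalize_host(event["name"])
    labels = host.split(".")
    decoded = [decode_label(l) for l in labels]
    if not any(decoded):
        return None
    return {
        "proto": event["proto"],
        "host": host,
        "unicode": ".".join(d or l for d, l in zip(decoded, labels)),
        "mixed_script": any(len(scripts(d)) > 1 for d in decoded if d),
    }

def scan(events):
    return [f for f in map(check_event, events) if f]

# Constructed samples, not real traffic. MIXED is Cyrillic U+0430 + Latin "pple".
MIXED = "xn--" + "\u0430pple".encode("punycode").decode("ascii") + ".example"
SAMPLE_EVENTS = [
    {"proto": "dns", "name": "www.example.com."},
    {"proto": "dns", "name": "xn--bcher-kva.example."},
    {"proto": "http", "name": "login.xn--bcher-kva.example:8443"},
    {"proto": "http", "name": "[2001:db8::1]:443"},
    {"proto": "http", "name": MIXED},
]
```

Calling `scan(SAMPLE_EVENTS)` returns one finding per name that contains an IDN label; a single-script label such as `bücher` is still reported, with `mixed_script` set to `False`.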
Detect Potential Phishing
This rule detects email phishing attempts by matching the sender email, the email domain, and the reply-to domain.