Warning Flag Title

Description

Suspicious Link(s)

The email content is unusual due to one or more of the following:

Message body contains a link to a recently created website (domain*), which is a common practice associated with cyber attacks.

Message body contains a shortened link that redirects to a potentially malicious website.

Message content is asking the recipient to click on a suspicious link and/or attachment.

Message contains suspicious link(s) that include email address(es), which is a common pattern in credential theft attacks.

Message contains a link that resembles a legitimate URL* but actually links to a malicious website.

Link(s) Detected in Attachment

The email attachment contains a link to an external website that may be malicious.

Redirect Link(s) Detected

The original link in the email appears to redirect to a malicious website.

Link(s) detected in cloud-sharing document

A link appears to be a cloud-sharing document that contains an embedded link to an external site.

Unusual Sender

The email exhibits suspicious sending behavior:

Sender's email signature (display name/email address) appears to match a member of the University and email may be asking the recipient to engage in an unsafe action.

Sender's display name is attempting to impersonate University leadership.

Sender's email signature (display name/email address) falsely matches/resembles/is associated with a known brand or a known vendor.

Sender has never sent email from this email address. They usually send from a different email address.

Recipient has never received email from the sender's email address.

Sender uses suspicious language.

Sender's account recently showed signs of suspicious activity.

Sender has never used this email address before or has never sent email to our organization.

Sender's email address does not match the sender's display name (a common pattern in impersonation attempts).

Sender's email is coming from an unvalidated source, a pattern commonly observed in email attacks. 

Sender's email was sent from an IP address* that is suspicious. 

Unusual IP* Geolocation

The email sender's IP address* indicates a combination of:

• Recipient has never received email from this country
• Email rarely originates from this country
• Many email attacks originate from this country
• Many email attacks originate from this IP address*

Potential Spoof

Email source validation fails even though email is sent from a legitimate company domain*. Email account is potentially spoofed.

Invisible Character(s) Found in Email

The email body contains invisible characters (a common pattern observed in email attacks).

Abnormal Recipient Pattern

All email recipients were BCC'd, which is a common pattern when attackers send attacks to many recipients.

Suspicious Attachment

The attachment's extension type is suspicious and is potentially malware.

Unusual Sender Domain*

The email's sender domain* is suspicious:

The sender's domain* is new and was registered less than one year before the email was sent.

The sender's domain* does not match any domains* found in message links.

Unusual Reply To

The “reply to” address exhibits suspicious patterns:

When hitting the “reply to” button, the address displayed is different from the sender’s address.

When hitting the “reply to” button, the domain* address displayed is different from the domain* address in any links in the message.

Potential Gift Card Fraud

The email subject/body contains language commonly found in gift card fraud attacks.

Potential Payroll Fraud

The email subject/body contains language commonly found in payroll fraud attacks.

Suspicious Fax or Voicemail Notification

The message resembles a fax or voicemail notification with malicious content (a method commonly used in email attacks).

Bitcoin Topics

The message contains bitcoin phrases commonly found in bitcoin extortion attacks.