Detection

DACH phishing — German waves get caught.

"Account locked — act now", "Tax refund of EUR 1,247 to claim", "DHL parcel could not be delivered". US cloud vendors train their ML models on English phishing mail. We have German, Austrian and Swiss phishing patterns as a dedicated detection layer.

Which patterns we catch

Phishing follows regional patterns. In Germany, Austria and Switzerland the tropes differ from the US or UK — different brands, different agencies, different payment pretexts. MailGuard ships with its own keyword list that operators can extend:

Banking & payment

  • Sparkasse / Volksbank / Postbank / Commerzbank / DKB account suspension
  • "TAN procedure being changed", "update pushTAN", "security app"
  • PayPal account confirm / restrict
  • Klarna payment authorisation / outstanding invoice
  • SEPA direct-debit mandate renewal

Government & public sector

  • Tax-office refund (Finanzamt)
  • GEZ / ARD ZDF Deutschlandradio licence fee
  • BaFin / Bundesbank notices
  • Federal central tax office (Bundeszentralamt für Steuern)
  • BMWK / Federal-ministry communications

Logistics & e-commerce

  • DHL / Hermes / DPD / GLS parcel delivery failed
  • Amazon order confirmation / refund / invoice
  • Customs duties to be paid
  • Apple ID locked / Apple Pay confirmation
  • Microsoft 365 licence renewal / authentication

Telcos & providers

  • Telekom / Vodafone / O2 invoice / contract auto-renewal
  • Strato / IONOS domain expiry / server migration
  • 1&1 tariff change

Plus the equivalents for Austria (Erste Bank, BAWAG, FinanzOnline, Post.at) and Switzerland (PostFinance, Raiffeisen, Swisscom).

How the detection works

The subject line and mail body are matched against the keyword list. A hit raises the spam score; multiple hits combined with other indicators (suspicious sender domain, suspicious TLD, URL shortener in the body, missing DKIM) push the mail into quarantine. The score contribution per keyword is conservative — a single "Klarna" in a legitimate order confirmation does not block.

Add your own patterns

The operator maintains custom keyword lists per domain in the admin UI. If you face a targeted phishing wave against your own company (CEO-fraud attempt with firm-specific terms), you can add it as a detection rule without waiting for the vendor. The default list is kept up to date with every update — your custom patterns survive updates.

Why US cloud models miss this

Mimecast, Proofpoint and Microsoft Defender for O365 train their classifiers on a global mail corpus that is >80 % English. German phishing waves register as statistical noise. Concrete examples from the recent past:

  • 2024-Q3: a wave of "Federal Ministry of Finance — claim your EUR 300 energy-price flat-rate" mail — Microsoft 365 EOP didn't catch it for six weeks
  • 2025-Q1: "Sparkasse mail with pushTAN security update" — Hornetsecurity caught the wave only after operator reports came in from its channel network
  • 2025-Q2: "GEZ refund following a hardship claim" — Proofpoint heuristics classified it as "Government legitimate"

A German detection layer catches these waves from day one.

Catch DACH phishing before staff click.

Default keyword list plus operator-maintained extensions per tenant.

See pricing