Threat: Phishing & impersonation

Fake legal hold / eDiscovery notice lure: "You are subject to a legal hold / litigation hold / eDiscovery preservation order. Take immediate action to preserve all records or face spoliation sanctions." A cold inbound email from an unknown domain that combines legal-hold language, urgency, and an off-brand link is a phishing tell. Real legal hold notices come from in-house counsel on internal company email or from known outside counsel domains, never as cold inbound email with a link to an unknown portal. SACRED: the engine protects legitimate legal hold / litigation hold / eDiscovery notices via the safety-keywords guard. Source: GC1 R16.

legal-ediscovery-hold-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

This signal targets a fake legal hold / eDiscovery / litigation hold preservation notice from an unknown sender, with urgency and an off-brand link. Legal hold notices instruct employees to preserve all documents, emails, and records relevant to anticipated or active litigation. In legitimate corporate practice, legal holds come from in-house counsel on internal company email or from known outside counsel domains, never as cold inbound email from an unknown domain with a link to an external portal.

Attackers exploit legal-hold language because (1) the framing implies serious legal consequences (spoliation sanctions, contempt), (2) employees feel compelled to click and comply immediately, and (3) the language is unfamiliar enough to seem credibly official.

SACRED: the engine protects legitimate legal hold / litigation hold / eDiscovery keywords via the safety-keywords guard.

The signal fires when all of the following hold:

(1) legal hold / litigation hold / eDiscovery / preservation order language is present
(2) urgency language is present (immediately, sanctions, contempt)
(3) an href is NOT on uscourts.gov / justice.gov / dom.se / .gov
(4) there is no In-Reply-To header
(5) there is no List-Unsubscribe header

Source: GC1 R16; FBI IC3 BEC advisory 2024.
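The five conditions above as a runnable check. This is an added example, not Gorganizer's own code: the regexes, the function names, and the reading of condition 3 as "at least one link off the allowlist" are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Keyword families are from the page; the exact regexes are assumptions.
HOLD_RE = re.compile(r"legal hold|litigation hold|e-?discovery|preservation order", re.I)
URGENCY_RE = re.compile(r"immediately|sanctions|contempt", re.I)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)
ALLOWED = ("uscourts.gov", "justice.gov", "dom.se", ".gov")  # list as given on the page

def host_allowed(url):
    """Match on DNS label boundaries so uscourts.gov.evil.example is not trusted."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host.endswith(d) if d.startswith(".")
               else host == d or host.endswith("." + d) for d in ALLOWED)

def legal_hold_signal(raw):
    """Return (fired, per-condition results) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    body = "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")
    text = f"{msg['Subject'] or ''}\n{body}"
    checks = {
        "hold_language": bool(HOLD_RE.search(text)),
        "urgency": bool(URGENCY_RE.search(text)),
        # Assumption: at least one link must point off the allowlist.
        "off_brand_href": any(not host_allowed(u) for u in HREF_RE.findall(body)),
        "no_in_reply_to": msg["In-Reply-To"] is None,
        "no_list_unsubscribe": msg["List-Unsubscribe"] is None,
    }
    return all(checks.values()), checks

def sample(url, extra_headers=""):
    """Constructed test message; domains use the reserved .example TLD."""
    return (f"From: notices@hold-portal.example\nSubject: Litigation hold notice\n"
            f"{extra_headers}Content-Type: text/html\n\n"
            f"<p>You are subject to a legal hold. Act immediately or face "
            f"spoliation sanctions.</p><a href=\"{url}\">Preserve records</a>\n")

if __name__ == "__main__":
    for label, raw in [
        ("cold lure", sample("https://hold-portal.example/preserve")),
        ("lookalike host", sample("https://uscourts.gov.hold-portal.example/")),
        ("thread reply", sample("https://hold-portal.example/x", "In-Reply-To: <1@corp.example>\n")),
        ("court link", sample("https://www.uscourts.gov/forms")),
    ]:
        print(label, legal_hold_signal(raw))
```

The lookalike-host case shows why the allowlist has to be compared against the parsed hostname on label boundaries rather than as a substring of the URL.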

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
