Sublime-Message-body Event ID 7000001
Sublime MQL (498)
- Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure
- Abuse: Robinhood injected content
- Advance Fee Fraud (AFF) from freemail provider or suspicious TLD
- Attachment: Adobe image lure in body or attachment with suspicious link
- Attachment: Callback phishing solicitation via text-based file
- Attachment: Cold outreach with invitation subject and not attachment
- Attachment: Dropbox image lure with no Dropbox domains in links
- Attachment: Encrypted PDF with credential theft body
- Attachment: Fake secure message and suspicious indicators
- Attachment: Link to Doubleclick.net open redirect
- Attachment: Microsoft 365 credential phishing
- Attachment: PDF bid/proposal lure with credential theft indicators
- BEC/Fraud: Job scam fake thread or plaintext pivot to freemail
- BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply
- BEC/Fraud: Romance scam
- BEC/Fraud: Scam lure with freemail pivot
- Body HTML: Comment with 24-character hex token
- Body HTML: Recipient SLD in HTML class
- Body: Embedded email headers indicative of thread hijacking/abuse
- Brand impersonation: Adobe Sign with suspicious indicators
- Brand impersonation: Adobe with suspicious language and link
- Brand impersonation: AliExpress
- Brand impersonation: Aramco
- Brand impersonation: Blockchain.com
- Brand impersonation: Booking.com
- Brand impersonation: Capital One
- Brand impersonation: Chase bank with credential phishing indicators
- Brand impersonation: Cloud services with credential theft intent
- Brand impersonation: Coinbase with suspicious links
- Brand impersonation: DocuSign
- Brand impersonation: DocuSign branded attachment lure with no DocuSign links
- Brand impersonation: DoorDash
- Brand impersonation: Dropbox
- Brand impersonation: Enbridge
- Brand impersonation: Evite
- Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains
- Brand impersonation: Fake Fax
- Brand impersonation: Figma with malicious document access overlay
- Brand impersonation: File sharing notification with template artifacts
- Brand Impersonation: Gemini Trust Company
- Brand impersonation: Google Careers
- Brand impersonation: Google Drive fake file share
- Brand impersonation: Google fake sign-in warning
- Brand impersonation: Google Meet with malicious link
- Brand impersonation: Google using Microsoft Forms
- Brand impersonation: Google Workspace alert notification
- Brand impersonation: Greenvelope
- Brand impersonation: Internal Revenue Service
- Brand impersonation: LastPass
- Brand impersonation: Meta and subsidiaries
- Brand impersonation: MetaMask
- Brand impersonation: Microsoft
- Brand impersonation: Microsoft fake sign-in alert
- Brand impersonation: Microsoft logo in HTML with fake quarantine release notification
- Brand impersonation: Microsoft logo or suspicious language with open redirect
- Brand impersonation: Microsoft Planner with suspicious link
- Brand impersonation: Microsoft Teams invitation
- Brand impersonation: Microsoft with embedded logo and credential theft language
- Brand impersonation: Microsoft with low reputation links
- Brand impersonation: Netflix
- Brand impersonation: Paperless Post
- Brand impersonation: PNC
- Brand impersonation: Proofpoint secure messaging without legitimate indicators
- Brand impersonation: Punchbowl
- Brand impersonation: Purdue ePlanroom with suspicious links
- Brand impersonation: Quickbooks
- Brand impersonation: Robinhood
- Brand impersonation: SendGrid
- Brand Impersonation: ShareFile
- Brand impersonation: Sharepoint
- Brand impersonation: Sharepoint fake file share
- Brand impersonation: SharePoint PDF attachment with credential theft language
- Brand Impersonation: Shein
- Brand impersonation: Social Security Administration
- Brand impersonation: Stripe notification
- Brand impersonation: Trust Wallet
- Brand impersonation: TurboTax
- Brand impersonation: Twitter
- Brand impersonation: UK government Home Office
- Brand impersonation: ukr[.]net
- Brand impersonation: USPS
- Brand impersonation: WeTransfer
- Brand impersonation: Wise
- Brand impersonation: Zoom
- Brand impersonation: Zoom via HTML styling
- Business Email Compromise (BEC) attempt from untrusted sender (French/Français)
- Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)
- Business Email Compromise: Request for mobile number via reply thread hijacking
- Callback phishing via Apple ID display name abuse
- Callback phishing via Google Meet
- Canva design with suspicious embedded link
- Catbox.moe link from untrusted source
- ClickFunnels link infrastructure abuse
- Commonly abused sender TLD with engaging language
- Constant Contact link infrastructure abuse
- Credential phishing content and link (untrusted sender)
- Credential phishing language and suspicious indicators (unknown sender)
- Credential phishing link (unknown sender)
- Credential phishing: 'Secure message' and engaging language
- Credential phishing: AWS Lambda URL with recipient targeting
- Credential phishing: Blue button styled link with file-sharing template artifacts
- Credential phishing: DocuSign embedded image lure with no DocuSign domains in links
- Credential phishing: Email delivery failure impersonation
- Credential phishing: Engaging language and other indicators (untrusted sender)
- Credential phishing: Engaging language with IPFS link
- Credential phishing: Fake card notification with tracking lure
- Credential phishing: Fake password expiration from new and unsolicited sender
- Credential phishing: Fake storage alerts (unsolicited)
- Credential phishing: Financial lure via ActiveCampaign infrastructure
- Credential phishing: Generic document share template
- Credential phishing: Generic document sharing
- Credential phishing: Hyper-linked image leading to free file host
- Credential phishing: Image as content, short or no body contents
- Credential phishing: Onedrive impersonation
- Credential phishing: Re-Authentication lure
- Credential phishing: Suspicious e-sign agreement document notification
- Credential Phishing: Suspicious language, link, recipients and other indicators
- Credential phishing: Suspicious subject with urgent financial request and link
- Credential phishing: Tax form impersonation with payment request
- Cyrillic vowel substitution in subject or display name from unknown sender
- Cyrillic vowel substitutions with suspicious subject from unknown sender
- Deceptive Dropbox mention
- Display name and subject impersonation using recipient SLD (new sender)
- Display name impersonation using recipient SLD
- DocuSign impersonation via CloudHQ links
- Employee impersonation: Payroll fraud
- Extortion / sextortion (untrusted sender)
- Extortion / sextortion in attachment from untrusted sender
- Fake email quarantine notification
- Fake message thread with a suspicious link and engaging language from an unknown sender
- Fake request for tax preparation
- Fake scan-to-email message
- Fake shipping notification with link to free file hosting
- Fake shipping notification with suspicious language
- Fake thread with suspicious indicators
- Fake voicemail notification (untrusted sender)
- Fake Zoho Sign template abuse
- Fake Zoom meeting invite with suspicious link
- File sharing link from suspicious sender domain
- File sharing link with a suspicious subject
- Fraudulent order confirmation/shipping notification from Chinese sender domain
- Free subdomain link with credential theft indicators
- Free subdomain link with login or captcha (untrusted sender)
- Google Accelerated Mobile Pages (AMP) abuse
- Google Drive abuse: Credential phishing link
- Google Drive direct download link from unsolicited sender
- Google Notification alert link from non-Google sender
- Google presentation open redirect phishing
- Google services using g.co shortlinks
- Headers: Fake in-reply-to with wildcard sender and missing thread context
- Image as content with a link to an open redirect
- Impersonation: Chrome Web Store policy
- Impersonation: Fake Gmail attachment
- Impersonation: Human Resources with link or attachment and engaging language
- Impersonation: Internal corporate services
- Impersonation: Legal firm with copyright infringement notice
- Impersonation: Recipient organization in sender display name with credential theft image
- Impersonation: Salesforce fake campaign failure notification
- Impersonation: Suspected supplier impersonation with suspicious content
- Inline image as message with attachment or link
- Invoicera infrastructure abuse
- Issuu document with suspicious embedded link
- Job scam with specific salary pattern
- Link to a domain with punycode characters
- Link to auto-download of a suspicious file type (unsolicited)
- Link to auto-downloaded disk image in encrypted zip
- Link to auto-downloaded DMG in archive
- Link to auto-downloaded DMG in encrypted zip
- Link to auto-downloaded file with Adobe branding
- Link to auto-downloaded file with Google Drive branding
- Link to Google Apps Script macro (unsolicited)
- Link to Google Apps Script macro via comment tagging
- Link: .onion From Unsolicited Sender
- Link: 9WOLF phishkit initial landing URI
- Link: Abused Adobe Express
- Link: Adobe share from unsolicited sender
- Link: Adobe share with suspicious indicators
- Link: Apple TestFlight from suspicious sender
- Link: Base64 encoded recipient address in URL fragment with hex subdomain
- Link: Base64 encoded recipient address in URL fragment with subject hash
- Link: Blogspot hosting explicit romance content
- Link: Breely link masquerading as PDF
- Link: chatbot.page platform abuse
- Link: Common hidden directory observed
- Link: Commonly Abused Web Service redirecting to ZIP file
- Link: Credential phishing link with undisclosed recipients
- Link: Credential phishing traversing Russian infrastructure
- Link: Credential phishing via WordPress
- Link: Credential theft with invisible Unicode character in page title from unsolicited sender
- Link: Cryptocurrency fraud with suspicious links
- Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability
- Link: Direct link to gamma.app document with mode parameter
- Link: Direct link to keap.app contact-us page
- Link: Direct link to limewire hosted file
- Link: Direct link to riddle.com hosted showcase
- Link: Direct link to Zoom Docs from non-Zoom sender
- Link: Direct POWR.io Form Builder with suspicious patterns
- Link: Display text matches subject line
- Link: Display text with excessive right-to-left mark characters
- Link: Executable file download with suspicious message content
- Link: Figma design deck with credential theft language
- Link: File sharing impersonation with suspicious language and sending patterns
- Link: File sharing pretext with suspicious body and link
- Link: Financial account issue with suspicious indicators
- Link: Flagged bit.ly link
- Link: Flare-branded credential harvesting via Cloudflare tunnels
- Link: Free file hosting with undisclosed recipients
- Link: Free subdomain host with undisclosed recipients
- Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender
- Link: Google Cloud Storage impersonating with googledrive in URL path
- Link: Google Cloud Storage with suspicious URL pattern
- Link: Google Firebase dynamic link that redirects to new domain (<7 days old)
- Link: Google Translate (unsolicited)
- Link: GoPhish query param values
- Link: Hotel booking spoofed display URL
- Link: HR impersonation with suspicious domain indicators and credential theft
- Link: HTML file with suspicious binary fragment ending pattern
- Link: Intuit link abuse with file share context
- Link: Invoice or receipt from freemail sender with customer service number
- Link: IPFS
- Link: IPv4-mapped IPv6 address obfuscation
- Link: JavaScript obfuscation with Telegram bot integration
- Link: Jensi file preview link from unsolicited sender
- Link: Job recruitment lure from unsolicited sender with suspicious hosting
- Link: Landing page with search-ms protocol redirect
- Link: Mamba 2FA phishing kit
- Link: Microsoft device code authentication with suspicious indicators
- Link: Microsoft Dynamics 365 form phishing
- Link: Microsoft impersonation using hosted png with suspicious link
- Link: Microsoft protected message with matching sender and recipient addresses
- Link: Mixed case HTTPS protocol
- Link: Multistage landing - Abused Adobe Acrobat hosted PDF
- Link: Multistage landing - Abused Adobe frame.io
- Link: Multistage Landing - Abused Buildin.ai
- Link: Multistage landing - Abused Docusign
- Link: Multistage landing - Abused Google Drive
- Link: Multistage landing - FreshDesk knowledge base abuse
- Link: Multistage landing - JotForm abuse
- Link: Multistage landing - Ludus presentation
- Link: Multistage landing - Microsoft Forms abuse
- Link: Multistage landing - Published Google Doc
- Link: Multistage landing - Scribd document
- Link: Multistage landing - Trello board abuse
- Link: MyActiveCampaign Link Abuse
- Link: Non-standard port 8443 in display URL
- Link: Numeric IP obfuscation in URL
- Link: Obfuscation via userinfo with excessive URL padding
- Link: Obfuscation via userinfo with suspicious indicators
- Link: PDF and financial display text to free file host
- Link: PDF display text with fake copyright claim template
- Link: Personal SharePoint with invalid recipients and credential theft language
- Link: Personalized URL with recipient address on commonly abused web service
- Link: QuickBooks image lure with suspicious link
- Link: Recipient domain in URL path
- Link: Recipient email address in 'eta' parameter
- Link: Referrer anonymization service from untrusted sender
- Link: Remittance payment request with timeline template
- Link: RFI document reference pattern in display text
- Link: Romance/Sexual Language With Suspicious Link
- Link: ScreenConnect installer with suspicious relay domain
- Link: Scribd fullscreen link from suspicious sender
- Link: Secure SharePoint file share from new or unusual sender
- Link: Self-sent PDF lure with subject correlation
- Link: SharePoint files shared from GoDaddy federated tenants
- Link: Spam website with evasion indicators
- Link: Squarespace infrastructure abuse
- Link: Suspicious Family fragment parameter with encoded recipient data
- Link: Suspicious file retrieval with recipient targeting
- Link: Suspicious SharePoint document name
- Link: Suspicious Sharepoint folder share
- Link: Suspicious URL path with binary character sequence
- Link: Suspicious URL with recipient targeting and special characters
- Link: SVG with embedded recipient data
- Link: Tax document lure Portuguese/Spanish with suspicious domains
- Link: Uncommon SharePoint document type with sender's display name
- Link: Unsolicited email contains link leading to Tycoon URL structure
- Link: Unsolicited email contains link to page containing Tycoon URI structure
- Link: URL fragment with hexadecimal pattern obfuscation
- Link: URL redirecting to blob URL
- Link: URL scheme obfuscation via split HTML anchors
- Link: Webflow link from unsolicited sender
- Link: WordPress admin targeting with recipient identifier in URL fragment
- Link: WordPress login page with Blogspot Binance scam
- Link: Zoho form link from unsolicited sender
- Low reputation link to auto-downloaded HTML file with smuggling indicators
- Malformed URL prefix
- Malware: Pikabot delivery via URL auto-download
- Mass campaign: Cross Site Scripting (XSS) attempt
- Mass campaign: recipient address in subject, body, and link (untrusted sender)
- Microsoft device code phishing
- Mismatched links: Free file share with urgent language
- New link domain (<=10d) from untrusted sender
- Newly registered sender or reply-to domain with newly registered linked domain
- Notion suspicious file share
- Open redirect (go2.aspx) leading to Microsoft credential phishing
- Open redirect: adnxs.com
- Open redirect: agena-smile.com
- Open redirect: amaterasu-for-website-5.com
- Open redirect: api.spently.com
- Open redirect: Artisteer
- Open redirect: artkaderne
- Open Redirect: asemailmgmteu.com
- Open redirect: astroarts.co.jp
- Open redirect: Atdmt
- Open redirect: Avast
- Open redirect: bananaguide.com
- Open redirect: bangkoksync.com
- Open redirect: bestdeals.today
- Open redirect: Bitrix24 URL Path
- Open redirect: BMW USA
- Open redirect: bubblelife.com
- Open redirect: buildingengines.com
- Open redirect: business.google.com website_shared URL Param
- Open redirect: Cartoon Network
- Open redirect: chkc.com.hk
- Open redirect: City of Calgary
- Open redirect: Club-OS
- Open redirect: convertcart.com
- Open redirect: Dell
- Open redirect: designsori.com
- Open redirect: documentmailbox.com
- Open redirect: Doubleclick.net
- Open redirect: eaoko.org
- Open redirect: easycamp.com
- Open redirect: embluemail.com
- Open redirect: emlakarsa
- Open redirect: emp.eduyield.com
- Open redirect: eodcnetworkdirect.com
- Open redirect: events.csiro.au
- Open redirect: ExacTag
- Open redirect: fenc.com
- Open redirect: g7.fr
- Open redirect: giving.lluh.org
- Open redirect: Google Ad Services
- Open Redirect: Google domain with /url path and suspicious indicators
- Open redirect: Google Web Light
- Open redirect: Hakumonkai.org
- Open redirect: HHS
- Open redirect: ijf.org
- Open redirect: Indeed
- Open redirect: IndiaTimes
- Open redirect: isadatalab.com
- Open redirect: k-mil.net
- Open redirect: Klaviyo
- Open redirect: labcluster.com
- Open redirect: LearningApps
- Open redirect: Linkedin
- Open redirect: LinkedIn Redirect
- Open redirect: listing.ca
- Open redirect: magic4media.com
- Open redirect: magiccity.ne.jp
- Open redirect: magneticmarketing.com
- Open redirect: mail.spiceworks.com
- Open redirect: Mailtrack Korea
- Open redirect: marketing.edinburghairport.com
- Open redirect: McGill University
- Open redirect: Medium
- Open redirect: Meta --> YouTube Redirection Chain
- Open redirect: mindmixer.com
- Open redirect: MSN
- Open redirect: museepicassoparis.fr
- Open redirect: Nested Doubleclick.net
- Open redirect: Newegg
- Open redirect: next2.io
- Open redirect: nowlifestyle.com
- Open redirect: obunsha.co.jp
- Open redirect: Panera Bread
- Open redirect: people.anuneo.com
- Open redirect: phoenixartstudio.net
- Open redirect: PIRL San Diego
- Open redirect: plasticsurgery.or.kr
- Open redirect: pmifunds.com
- Open redirect: predictiveresponse.net
- Open redirect: PremierBet
- Open redirect: qrxtech.com
- Open redirect: queue.swytchbike.com
- Open redirect: radiopublic.com
- Open redirect: retailrocket.net
- Open redirect: ringaraja.net
- Open redirect: Samsung
- Open redirect: sciencebuddies.org
- Open redirect: secondstreetapp.com
- Open redirect: Shibboleth SSO Logout Return Parameter
- Open redirect: shoppermeet.net
- Open redirect: shoppingwebapi.didatravel.com
- Open redirect: Signature Travel Network
- Open redirect: Slack
- Open redirect: slubnaglowie.pl
- Open redirect: smartadserver.com
- Open redirect: smore.com
- Open redirect: Snapchat
- Open redirect: social.bigpress.net
- Open redirect: ssg-financial.com
- Open redirect: stats.lib.pdx.edu
- Open redirect: storematch.jp
- Open redirect: Ticketmaster
- Open redirect: TikTok
- Open redirect: tkqlhce.com
- Open redirect: tuttocauzioni.it
- Open redirect: typedrawers.com
- Open redirect: U.S. Antarctic Program Data Center (USAP-DC)
- Open redirect: unitedwaynwvt.org
- Open redirect: ust.hk
- Open redirect: vconfex.com
- Open redirect: VK
- Open redirect: weblinkconnect.com
- Open redirect: whitefox.pl
- Open redirect: Xfinity CMP Redirection to Google AMP
- Open redirect: xfinity.com
- Open redirect: YouTube
- Open redirect: YouTube --> Google Redirection Chain
- PayPal invoice abuse
- PhaaS: Impact Solutions (Impact Vector Suite)
- Potential prompt injection attack in body HTML
- Reconnaissance: All recipients cc/bcc'd or undisclosed
- Reconnaissance: Hotel booking reply-to redirect
- Reconnaissance: Large unknown recipient list
- Reconnaissance: Short generic greeting message
- Recruitee Infrastructure Abuse
- Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
- Salesforce infrastructure abuse
- Scam: Piano giveaway
- Service abuse: Adobe Creative Cloud share from an unsolicited sender address
- Service abuse: Amazon invitation with suspected callback phishing
- Service abuse: Apple TestFlight with suspicious developer reference
- Service abuse: AppSheet infrastructure with suspicious indicators
- Service Abuse: Box file sharing with credential phishing intent
- Service abuse: Callback phishing via Microsoft Teams invite
- Service abuse: Facebook business with action required subject
- Service abuse: FlipHTML5 with attachment deception and credential theft language
- Service abuse: Formester with suspicious link behavior
- Service abuse: GitHub notification with excessive mentions and suspicious links
- Service Abuse: GoDaddy infrastructure
- Service abuse: Google account notification with links to free file host
- Service abuse: Google application integration redirecting to suspicious hosts
- Service abuse: Google Firebase sender address with suspicious content
- Service abuse: Google OAuth with suspicious redirect destination
- Service abuse: Google Tag Manager debug cookie clearing with open redirect potential
- Service Abuse: HelloSign share with suspicious sender or document name
- Service abuse: Meetup.com redirect with brand impersonation
- Service abuse: Mimecast URL with excessive path length
- Service abuse: Monday.com infrastructure with phishing intent
- Service abuse: QuickBooks notification with suspicious comments
- Service abuse: Sendgrid credential theft with personalized request targeting single recipient
- Service abuse: SendGrid-formatted link with actor-controlled fragment
- Service abuse: Substack credential theft with confusable characters and branded button redirects
- Service abuse: Suspicious Datadog alert
- Service abuse: Suspicious Zoom Docs link
- Service abuse: Trello board invitation with VIP impersonation
- Service abuse: Wix redirect through bulk mailer domains
- Sharepoint file share with suspicious recipients pattern
- Sharepoint link likely unrelated to sender
- Spam/fraud: Predatory journal/research paper request
- Spam: Attendee list solicitation
- Spam: BlackBaud infrastructure abuse
- Spam: Campaign with excessive display-text and keywords found
- Spam: Campaign with excessive space/char obfuscation and free file hosted link
- Spam: Commonly observed formatting of unauthorized free giveaways
- Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
- Spam: Fake dating profile notification
- Spam: Fake photo share
- Spam: Firebase password reset from suspicious sender
- Spam: Link to blob.core.windows.net from new domain (<30d)
- Spam: Mastercard promotional content with image-based body
- Spam: New job cold outreach from unsolicited sender
- Spam: New link domain (<=10d) and emojis
- Spam: Personalized subject and greetings via Salesforce Marketing Cloud
- Spam: Single recipient duplicated in cc
- Spam: SMTP & Proxy Communications in Email Body
- Spam: Unsolicited malformed PDF
- Spam: Unsolicited WordPress account creation or password reset request
- Spam: URL shortener with short body content and emojis
- Spam: Website errors solicitation
- Spoofable internal domain with suspicious signals
- Suspected lookalike domain with suspicious language
- Suspicious attachment: Duplicate decoy PDF files
- Suspicious invoice reference with missing or image-only attachments
- Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender
- Suspicious Links to Cloudflare R2 and Edge Services
- Suspicious message with unscannable Cloudflare link
- Suspicious message with unscannable Vercel link
- Suspicious Office 365 app authorization (OAuth) link
- Suspicious recipient pattern and language with low reputation link to login
- Suspicious recipients pattern with NLU credential theft indicators
- Suspicious recipients pattern with no Compauth pass and suspicious content
- Suspicious request for financial information
- Suspicious SharePoint file sharing
- Tax Form: W-8BEN solicitation
- Truth Social infrastructure abuse via link redirect
- Twitter infrastructure abuse via link shortener
- URL with Unicode U+2044 (⁄) or U+2215 (∕) characters
- URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)
- Vendor compromise: GovDelivery message with suspicious link
- Vendor impersonation: Thread hijacking with typosquat domain
- VIP impersonation with charitable donation fraud
- Xero infrastructure abuse
- Xero invoice abuse
- Zoom Events newsletter abuse