Sublime-Message-body Event ID 7000003
Sublime MQL (109)
- Advance Fee Fraud (AFF) from freemail provider or suspicious TLD
- Anthropic Magic String in HTML
- Attachment: Adobe image lure in body or attachment with suspicious link
- Attachment: Callback phishing solicitation via pdf file
- Attachment: EML file contains HTML attachment with login portal indicators
- Attachment: EML file with HTML attachment (unsolicited)
- Attachment: EML with link to credential phishing page
- Attachment: EML with Sharepoint link likely unrelated to sender
- Attachment: EML with suspicious indicators
- Attachment: Fake attachment image lure
- BEC/Fraud: Job scam fake thread or plaintext pivot to freemail
- BEC/Fraud: Student loan callback phishing
- Body HTML: Comment with 24-character hex token
- Body: Embedded email headers indicative of thread hijacking/abuse
- Body: HTML whitespace stuffing with short initial message
- Body: Yellow highlighted text markers
- Brand impersonation: Adobe Sign with suspicious indicators
- Brand impersonation: Capital One
- Brand impersonation: Cloud services with credential theft intent
- Brand impersonation: DocuSign
- Brand impersonation: Evite
- Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains
- Brand impersonation: Fake Fax
- Brand impersonation: File sharing notification with template artifacts
- Brand impersonation: Google Drive fake file share
- Brand impersonation: Google using Microsoft Forms
- Brand impersonation: Google Workspace alert notification
- Brand impersonation: Greenvelope
- Brand impersonation: Mailgun
- Brand impersonation: Microsoft (QR code)
- Brand impersonation: Microsoft logo in HTML with fake quarantine release notification
- Brand impersonation: Microsoft Teams invitation
- Brand impersonation: Microsoft with low reputation links
- Brand impersonation: Paperless Post
- Brand impersonation: Punchbowl
- Brand impersonation: QuickBooks notification from Intuit themed company name
- Brand impersonation: Robinhood
- Brand impersonation: Sharepoint
- Brand impersonation: Sharepoint fake file share
- Brand impersonation: UK government Home Office
- Brand impersonation: UPS
- Brand impersonation: USPS
- Brand impersonation: Wells Fargo
- Brand impersonation: Zoom
- Callback phishing in body or attachment (untrusted sender)
- Callback phishing via Intuit service abuse
- Callback phishing via Zelle Service Abuse
- Callback phishing: AOL senders with suspicious HTML template or PDF attachment
- Callback phishing: SumUp infrastructure abuse
- Canva infrastructure abuse
- Credential phishing link (unknown sender)
- Credential phishing: Engaging language with IPFS link
- Credential phishing: Fake password expiration from new and unsolicited sender
- Credential phishing: Financial lure via ActiveCampaign infrastructure
- Credential phishing: Suspicious e-sign agreement document notification
- Credential Phishing: W-2 lure with inline SVG Windows logo
- Credential theft: Gophish abuse with hidden tracking image
- CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG
- Deceptive Dropbox mention
- EML attachment with credential theft language (unknown sender)
- Extortion / sextortion (untrusted sender)
- Fake message thread - Untrusted sender with a mismatched freemail reply-to address
- Fake shipping notification with link to free file hosting
- Fake thread with suspicious indicators
- Fake voicemail notification (untrusted sender)
- Fake Zoho Sign template abuse
- Google share notification with suspicious comments
- HTML content with print styling and credential theft language
- HTML smuggling with atob in message body
- Image as content with a link to an open redirect
- Impersonation: Chrome Web Store policy
- Impersonation: Fake Gmail attachment
- Impersonation: SharePoint reply header anomaly
- Inline image as message with attachment or link
- Link: Adobe share with suspicious indicators
- Link: Credential harvesting with excess padding evasion
- Link: Microsoft impersonation using hosted png with suspicious link
- Link: Self-sender with sender org in subject and credential theft indicator
- Link: Suspicious SharePoint document name
- Link: Zoho form link from unsolicited sender
- Microsoft device code phishing
- Open redirect (go2.aspx) leading to Microsoft credential phishing
- Open Redirect: Google domain with /url path and suspicious indicators
- Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag
- PayPal invoice abuse
- QR Code with suspicious indicators
- Reconnaissance: All recipients cc/bcc'd or undisclosed
- Reconnaissance: Empty message from uncommon sender
- Self-sent fake PDF attachment with misleading link
- Service abuse: Google classroom solicitation
- Service abuse: Google Firebase sender address with suspicious content
- Service abuse: HelloSign from an unsolicited sender address
- Service Abuse: HelloSign share with suspicious sender or document name
- Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail
- Service abuse: Payoneer callback scam
- Service abuse: QuickBooks notification with suspicious comments
- Sharepoint link likely unrelated to sender
- Spam/fraud: Predatory journal/research paper request
- Spam: Attendee list solicitation
- Spam: Campaign with excessive space/char obfuscation and free file hosted link
- Spam: Fake photo share
- Spam: Item giveaway spam template
- Spam: Unsolicited WordPress account creation or password reset request
- Spam: Website errors solicitation
- Suspicious invoice reference with missing or image-only attachments
- Unicode QR code
- Venmo payment request abuse
- VIP impersonation with charitable donation fraud
- VIP impersonation: Fake thread with display name match, email mismatch