Sublime-Message-body Event ID 7000005
Sublime MQL (420)
- Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure
- Advance Fee Fraud (AFF) from freemail provider or suspicious TLD
- Attachment: Adobe image lure in body or attachment with suspicious link
- Attachment: Callback phishing solicitation via text-based file
- Attachment: Dropbox image lure with no Dropbox domains in links
- Attachment: Fake secure message and suspicious indicators
- Attachment: Microsoft 365 credential phishing
- Attachment: PDF bid/proposal lure with credential theft indicators
- BEC/Fraud: Job scam fake thread or plaintext pivot to freemail
- BEC/Fraud: Romance scam
- BEC/Fraud: Scam lure with freemail pivot
- Brand impersonation: Adobe Sign with suspicious indicators
- Brand impersonation: Adobe with suspicious language and link
- Brand impersonation: AliExpress
- Brand impersonation: Aramco
- Brand impersonation: Blockchain.com
- Brand impersonation: Booking.com
- Brand impersonation: Capital One
- Brand impersonation: Chase bank with credential phishing indicators
- Brand impersonation: Cloud services with credential theft intent
- Brand impersonation: Coinbase with suspicious links
- Brand impersonation: DocuSign
- Brand impersonation: DocuSign branded attachment lure with no DocuSign links
- Brand impersonation: DoorDash
- Brand impersonation: Dropbox
- Brand impersonation: Enbridge
- Brand impersonation: Evite
- Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains
- Brand impersonation: Fake Fax
- Brand Impersonation: Gemini Trust Company
- Brand impersonation: Google Careers
- Brand impersonation: Google Drive fake file share
- Brand impersonation: Google fake sign-in warning
- Brand impersonation: Google using Microsoft Forms
- Brand impersonation: Google Workspace alert notification
- Brand impersonation: Greenvelope
- Brand impersonation: LastPass
- Brand impersonation: Meta and subsidiaries
- Brand impersonation: Microsoft
- Brand impersonation: Microsoft logo or suspicious language with open redirect
- Brand impersonation: Microsoft Planner with suspicious link
- Brand impersonation: Microsoft Teams invitation
- Brand impersonation: Microsoft with embedded logo and credential theft language
- Brand impersonation: Microsoft with low reputation links
- Brand impersonation: Paperless Post
- Brand impersonation: Proofpoint secure messaging without legitimate indicators
- Brand impersonation: Purdue ePlanroom with suspicious links
- Brand impersonation: Quickbooks
- Brand impersonation: Robinhood
- Brand impersonation: SendGrid
- Brand impersonation: Sharepoint
- Brand impersonation: Sharepoint fake file share
- Brand impersonation: SharePoint PDF attachment with credential theft language
- Brand Impersonation: Shein
- Brand impersonation: Social Security Administration
- Brand impersonation: Stripe notification
- Brand impersonation: TurboTax
- Brand impersonation: Twitter
- Brand impersonation: UK government Home Office
- Brand impersonation: ukr[.]net
- Brand impersonation: USPS
- Brand impersonation: WeTransfer
- Brand impersonation: Wise
- Brand impersonation: Zoom
- Callback phishing via Google Meet
- Canva design with suspicious embedded link
- Catbox.moe link from untrusted source
- ClickFunnels link infrastructure abuse
- Commonly abused sender TLD with engaging language
- Constant Contact link infrastructure abuse
- Credential phishing content and link (untrusted sender)
- Credential phishing language and suspicious indicators (unknown sender)
- Credential phishing: 'Secure message' and engaging language
- Credential phishing: AWS Lambda URL with recipient targeting
- Credential phishing: DocuSign embedded image lure with no DocuSign domains in links
- Credential phishing: Email delivery failure impersonation
- Credential phishing: Engaging language and other indicators (untrusted sender)
- Credential phishing: Fake card notification with tracking lure
- Credential phishing: Fake password expiration from new and unsolicited sender
- Credential phishing: Fake storage alerts (unsolicited)
- Credential phishing: Generic document share template
- Credential phishing: Generic document sharing
- Credential phishing: Hyper-linked image leading to free file host
- Credential phishing: Onedrive impersonation
- Credential phishing: Re-Authentication lure
- Credential phishing: Suspicious e-sign agreement document notification
- Credential Phishing: Suspicious language, link, recipients and other indicators
- Credential phishing: Suspicious subject with urgent financial request and link
- Credential phishing: Tax form impersonation with payment request
- Deceptive Dropbox mention
- Display name and subject impersonation using recipient SLD (new sender)
- Display name impersonation using recipient SLD
- DocuSign impersonation via CloudHQ links
- Extortion / sextortion (untrusted sender)
- Extortion / sextortion in attachment from untrusted sender
- Fake email quarantine notification
- Fake message thread with a suspicious link and engaging language from an unknown sender
- Fake request for tax preparation
- Fake scan-to-email message
- Fake shipping notification with link to free file hosting
- Fake thread with suspicious indicators
- Fake voicemail notification (untrusted sender)
- Fake Zoho Sign template abuse
- Fake Zoom meeting invite with suspicious link
- File sharing link from suspicious sender domain
- File sharing link with a suspicious subject
- Free subdomain link with credential theft indicators
- Free subdomain link with login or captcha (untrusted sender)
- Google Accelerated Mobile Pages (AMP) abuse
- Google Drive abuse: Credential phishing link
- Google Drive direct download link from unsolicited sender
- Google Notification alert link from non-Google sender
- Google presentation open redirect phishing
- Google services using g.co shortlinks
- Image as content with a link to an open redirect
- Impersonation: Chrome Web Store policy
- Impersonation: Fake Gmail attachment
- Impersonation: Human Resources with link or attachment and engaging language
- Impersonation: Internal corporate services
- Impersonation: Salesforce fake campaign failure notification
- Impersonation: Suspected supplier impersonation with suspicious content
- Inline image as message with attachment or link
- Invoicera infrastructure abuse
- Issuu document with suspicious embedded link
- Link to a domain with punycode characters
- Link to auto-download of a suspicious file type (unsolicited)
- Link to auto-downloaded file with Google Drive branding
- Link to Google Apps Script macro (unsolicited)
- Link to Google Apps Script macro via comment tagging
- Link: .onion From Unsolicited Sender
- Link: 9WOLF phishkit initial landing URI
- Link: Abused Adobe Express
- Link: Adobe share from unsolicited sender
- Link: Adobe share with suspicious indicators
- Link: Apple TestFlight from suspicious sender
- Link: Base64 encoded recipient address in URL fragment with hex subdomain
- Link: Base64 encoded recipient address in URL fragment with subject hash
- Link: Blogspot hosting explicit romance content
- Link: Breely link masquerading as PDF
- Link: chatbot.page platform abuse
- Link: Common hidden directory observed
- Link: Commonly Abused Web Service redirecting to ZIP file
- Link: Credential phishing via WordPress
- Link: Cryptocurrency fraud with suspicious links
- Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability
- Link: Direct link to gamma.app document with mode parameter
- Link: Direct link to keap.app contact-us page
- Link: Direct link to limewire hosted file
- Link: Direct link to riddle.com hosted showcase
- Link: Direct link to Zoom Docs from non-Zoom sender
- Link: Direct POWR.io Form Builder with suspicious patterns
- Link: Display text matches subject line
- Link: Executable file download with suspicious message content
- Link: Figma design deck with credential theft language
- Link: File sharing impersonation with suspicious language and sending patterns
- Link: File sharing pretext with suspicious body and link
- Link: Financial account issue with suspicious indicators
- Link: Flagged bit.ly link
- Link: Flare-branded credential harvesting via Cloudflare tunnels
- Link: Free subdomain host with undisclosed recipients
- Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender
- Link: Google Cloud Storage impersonating with googledrive in URL path
- Link: Google Cloud Storage with suspicious URL pattern
- Link: Google Firebase dynamic link that redirects to new domain (<7 days old)
- Link: Google Translate (unsolicited)
- Link: GoPhish query param values
- Link: Hotel booking spoofed display URL
- Link: HR impersonation with suspicious domain indicators and credential theft
- Link: HTML file with suspicious binary fragment ending pattern
- Link: Intuit link abuse with file share context
- Link: Invoice or receipt from freemail sender with customer service number
- Link: IPFS
- Link: IPv4-mapped IPv6 address obfuscation
- Link: Jensi file preview link from unsolicited sender
- Link: Job recruitment lure from unsolicited sender with suspicious hosting
- Link: Landing page with search-ms protocol redirect
- Link: Microsoft Dynamics 365 form phishing
- Link: Microsoft impersonation using hosted png with suspicious link
- Link: Microsoft protected message with matching sender and recipient addresses
- Link: Mixed case HTTPS protocol
- Link: Multistage landing - Abused Adobe Acrobat hosted PDF
- Link: Multistage landing - Abused Adobe frame.io
- Link: Multistage Landing - Abused Buildin.ai
- Link: Multistage landing - Abused Docusign
- Link: Multistage landing - Abused Google Drive
- Link: Multistage landing - FreshDesk knowledge base abuse
- Link: Multistage landing - JotForm abuse
- Link: Multistage landing - Ludus presentation
- Link: Multistage landing - Microsoft Forms abuse
- Link: Multistage landing - Published Google Doc
- Link: Multistage landing - Scribd document
- Link: Multistage landing - Trello board abuse
- Link: MyActiveCampaign Link Abuse
- Link: Non-standard port 8443 in display URL
- Link: Numeric IP obfuscation in URL
- Link: Obfuscation via userinfo with excessive URL padding
- Link: Obfuscation via userinfo with suspicious indicators
- Link: PDF and financial display text to free file host
- Link: Personal SharePoint with invalid recipients and credential theft language
- Link: Personalized URL with recipient address on commonly abused web service
- Link: QuickBooks image lure with suspicious link
- Link: Recipient domain in URL path
- Link: Recipient email address in 'eta' parameter
- Link: Referrer anonymization service from untrusted sender
- Link: Remittance payment request with timeline template
- Link: Romance/Sexual Language With Suspicious Link
- Link: ScreenConnect installer with suspicious relay domain
- Link: Scribd fullscreen link from suspicious sender
- Link: Secure SharePoint file share from new or unusual sender
- Link: SharePoint files shared from GoDaddy federated tenants
- Link: Spam website with evasion indicators
- Link: Squarespace infrastructure abuse
- Link: Suspicious Family fragment parameter with encoded recipient data
- Link: Suspicious file retrieval with recipient targeting
- Link: Suspicious SharePoint document name
- Link: Suspicious Sharepoint folder share
- Link: Suspicious URL path with binary character sequence
- Link: Suspicious URL with recipient targeting and special characters
- Link: SVG with embedded recipient data
- Link: Tax document lure Portuguese/Spanish with suspicious domains
- Link: Uncommon SharePoint document type with sender's display name
- Link: Unsolicited email contains link to page containing Tycoon URI structure
- Link: URL fragment with hexadecimal pattern obfuscation
- Link: Webflow link from unsolicited sender
- Link: WordPress admin targeting with recipient identifier in URL fragment
- Link: WordPress login page with Blogspot Binance scam
- Link: Zoho form link from unsolicited sender
- Low reputation link to auto-downloaded HTML file with smuggling indicators
- Malformed URL prefix
- Malware: Pikabot delivery via URL auto-download
- Mass campaign: Cross Site Scripting (XSS) attempt
- Mass campaign: recipient address in subject, body, and link (untrusted sender)
- Microsoft device code phishing
- Mismatched links: Free file share with urgent language
- New link domain (<=10d) from untrusted sender
- Newly registered sender or reply-to domain with newly registered linked domain
- Notion suspicious file share
- Open redirect (go2.aspx) leading to Microsoft credential phishing
- Open redirect: adnxs.com
- Open redirect: agena-smile.com
- Open redirect: amaterasu-for-website-5.com
- Open redirect: api.spently.com
- Open redirect: Artisteer
- Open redirect: artkaderne
- Open Redirect: asemailmgmteu.com
- Open redirect: astroarts.co.jp
- Open redirect: Atdmt
- Open redirect: Avast
- Open redirect: bananaguide.com
- Open redirect: bangkoksync.com
- Open redirect: bestdeals.today
- Open redirect: Bitrix24 URL Path
- Open redirect: BMW USA
- Open redirect: bubblelife.com
- Open redirect: buildingengines.com
- Open redirect: business.google.com website_shared URL Param
- Open redirect: Cartoon Network
- Open redirect: chkc.com.hk
- Open redirect: City of Calgary
- Open redirect: Club-OS
- Open redirect: convertcart.com
- Open redirect: Dell
- Open redirect: designsori.com
- Open redirect: documentmailbox.com
- Open redirect: Doubleclick.net
- Open redirect: eaoko.org
- Open redirect: easycamp.com
- Open redirect: embluemail.com
- Open redirect: emlakarsa
- Open redirect: emp.eduyield.com
- Open redirect: eodcnetworkdirect.com
- Open redirect: events.csiro.au
- Open redirect: ExacTag
- Open redirect: fenc.com
- Open redirect: g7.fr
- Open redirect: giving.lluh.org
- Open redirect: Google Ad Services
- Open Redirect: Google domain with /url path and suspicious indicators
- Open redirect: Google Web Light
- Open redirect: Hakumonkai.org
- Open redirect: HHS
- Open redirect: ijf.org
- Open redirect: Indeed
- Open redirect: IndiaTimes
- Open redirect: isadatalab.com
- Open redirect: k-mil.net
- Open redirect: Klaviyo
- Open redirect: labcluster.com
- Open redirect: LearningApps
- Open redirect: Linkedin
- Open redirect: LinkedIn Redirect
- Open redirect: listing.ca
- Open redirect: magic4media.com
- Open redirect: magiccity.ne.jp
- Open redirect: magneticmarketing.com
- Open redirect: mail.spiceworks.com
- Open redirect: Mailtrack Korea
- Open redirect: marketing.edinburghairport.com
- Open redirect: McGill University
- Open redirect: Medium
- Open redirect: Meta --> YouTube Redirection Chain
- Open redirect: mindmixer.com
- Open redirect: MSN
- Open redirect: museepicassoparis.fr
- Open redirect: Nested Doubleclick.net
- Open redirect: Newegg
- Open redirect: next2.io
- Open redirect: nowlifestyle.com
- Open redirect: obunsha.co.jp
- Open redirect: Panera Bread
- Open redirect: people.anuneo.com
- Open redirect: phoenixartstudio.net
- Open redirect: PIRL San Diego
- Open redirect: plasticsurgery.or.kr
- Open redirect: pmifunds.com
- Open redirect: predictiveresponse.net
- Open redirect: PremierBet
- Open redirect: qrxtech.com
- Open redirect: queue.swytchbike.com
- Open redirect: radiopublic.com
- Open redirect: retailrocket.net
- Open redirect: ringaraja.net
- Open redirect: Samsung
- Open redirect: sciencebuddies.org
- Open redirect: secondstreetapp.com
- Open redirect: Shibboleth SSO Logout Return Parameter
- Open redirect: shoppermeet.net
- Open redirect: shoppingwebapi.didatravel.com
- Open redirect: Signature Travel Network
- Open redirect: Slack
- Open redirect: slubnaglowie.pl
- Open redirect: smartadserver.com
- Open redirect: smore.com
- Open redirect: Snapchat
- Open redirect: social.bigpress.net
- Open redirect: ssg-financial.com
- Open redirect: stats.lib.pdx.edu
- Open redirect: storematch.jp
- Open redirect: Ticketmaster
- Open redirect: TikTok
- Open redirect: tkqlhce.com
- Open redirect: tuttocauzioni.it
- Open redirect: typedrawers.com
- Open redirect: U.S. Antarctic Program Data Center (USAP-DC)
- Open redirect: unitedwaynwvt.org
- Open redirect: ust.hk
- Open redirect: vconfex.com
- Open redirect: VK
- Open redirect: weblinkconnect.com
- Open redirect: whitefox.pl
- Open redirect: Xfinity CMP Redirection to Google AMP
- Open redirect: xfinity.com
- Open redirect: YouTube
- Open redirect: YouTube --> Google Redirection Chain
- PhaaS: Impact Solutions (Impact Vector Suite)
- Reconnaissance: All recipients cc/bcc'd or undisclosed
- Reconnaissance: Large unknown recipient list
- Recruitee Infrastructure Abuse
- Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
- Salesforce infrastructure abuse
- Service abuse: AppSheet infrastructure with suspicious indicators
- Service Abuse: Box file sharing with credential phishing intent
- Service abuse: Callback phishing via Microsoft Teams invite
- Service abuse: Facebook business with action required subject
- Service abuse: FlipHTML5 with attachment deception and credential theft language
- Service abuse: Formester with suspicious link behavior
- Service abuse: GitHub notification with excessive mentions and suspicious links
- Service Abuse: GoDaddy infrastructure
- Service abuse: Google account notification with links to free file host
- Service abuse: Google application integration redirecting to suspicious hosts
- Service abuse: Google Firebase sender address with suspicious content
- Service abuse: Google OAuth with suspicious redirect destination
- Service abuse: Google Tag Manager debug cookie clearing with open redirect potential
- Service abuse: Meetup.com redirect with brand impersonation
- Service abuse: Mimecast URL with excessive path length
- Service abuse: Monday.com infrastructure with phishing intent
- Service abuse: Sendgrid credential theft with personalized request targeting single recipient
- Service abuse: SendGrid-formatted link with actor-controlled fragment
- Service abuse: Suspicious Datadog alert
- Service abuse: Suspicious Zoom Docs link
- Service abuse: Wix redirect through bulk mailer domains
- Sharepoint file share with suspicious recipients pattern
- Sharepoint link likely unrelated to sender
- Spam/fraud: Predatory journal/research paper request
- Spam: Attendee list solicitation
- Spam: BlackBaud infrastructure abuse
- Spam: Campaign with excessive display-text and keywords found
- Spam: Campaign with excessive space/char obfuscation and free file hosted link
- Spam: Commonly observed formatting of unauthorized free giveaways
- Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
- Spam: Fake dating profile notification
- Spam: Fake photo share
- Spam: Firebase password reset from suspicious sender
- Spam: Link to blob.core.windows.net from new domain (<30d)
- Spam: New job cold outreach from unsolicited sender
- Spam: New link domain (<=10d) and emojis
- Spam: Single recipient duplicated in cc
- Spam: Unsolicited malformed PDF
- Spam: Unsolicited WordPress account creation or password reset request
- Spam: URL shortener with short body content and emojis
- Spam: Website errors solicitation
- Spoofable internal domain with suspicious signals
- Suspected lookalike domain with suspicious language
- Suspicious invoice reference with missing or image-only attachments
- Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender
- Suspicious Links to Cloudflare R2 and Edge Services
- Suspicious message with unscannable Cloudflare link
- Suspicious message with unscannable Vercel link
- Suspicious recipient pattern and language with low reputation link to login
- Suspicious recipients pattern with NLU credential theft indicators
- Suspicious request for financial information
- Suspicious SharePoint file sharing
- Tax Form: W-8BEN solicitation
- Truth Social infrastructure abuse via link redirect
- Twitter infrastructure abuse via link shortener
- URL with Unicode U+2044 (⁄) or U+2215 (∕) characters
- URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)
- Vendor compromise: GovDelivery message with suspicious link
- Xero infrastructure abuse
- Xero invoice abuse