Sublime-Message-headers Event ID 7000008
Sublime MQL (259)
- Advance Fee Fraud (AFF) from freemail provider or suspicious TLD
- AnonymousFox indicators
- Attachment with auto-executing macro (unsolicited)
- Attachment: Adobe image lure in body or attachment with suspicious link
- Attachment: Calendar invite with suspicious link leading to an open redirect
- Attachment: Callback phishing solicitation via image file
- Attachment: Callback phishing solicitation via pdf file
- Attachment: Callback phishing solicitation via text-based file
- Attachment: DocuSign impersonation via PDF linking to new domain
- Attachment: EML file contains HTML attachment with login portal indicators
- Attachment: EML file with HTML attachment (unsolicited)
- Attachment: EML with link to credential phishing page
- Attachment: EML with Sharepoint link likely unrelated to sender
- Attachment: Encrypted PDF with credential theft body
- Attachment: Fake attachment image lure
- Attachment: Fake secure message and suspicious indicators
- Attachment: Legal themed message or PDF with suspicious indicators
- Attachment: Microsoft 365 credential phishing
- Attachment: Microsoft impersonation via PDF with link and suspicious language
- Attachment: Office document with VSTO add-in
- Attachment: PDF proposal with credential theft indicators
- Attachment: PDF with credential theft language and invalid reply-to domain
- Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender
- BEC with unusual reply-to or return-path mismatch
- BEC/Fraud: Generic scam attempt to undisclosed recipients
- BEC/Fraud: Job scam fake thread or plaintext pivot to freemail
- BEC/Fraud: Penpal scam
- BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
- Benefits enrollment impersonation
- Body HTML: Recipient SLD in HTML class
- Body: Embedded email headers indicative of thread hijacking/abuse
- Body: HTML whitespace stuffing with short initial message
- Brand impersonation: Adobe (QR code)
- Brand impersonation: Adobe Sign with suspicious indicators
- Brand impersonation: Adobe with suspicious language and link
- Brand impersonation: AliExpress
- Brand impersonation: Amazon
- Brand impersonation: Aquent
- Brand impersonation: Aramco
- Brand impersonation: Booking.com
- Brand impersonation: Box file sharing service
- Brand impersonation: Capital One
- Brand impersonation: Cloud services with credential theft intent
- Brand impersonation: DHL
- Brand impersonation: DocuSign
- Brand impersonation: DocuSign branded attachment lure with no DocuSign links
- Brand impersonation: Dropbox
- Brand impersonation: Enbridge
- Brand impersonation: Evite
- Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains
- Brand Impersonation: Gemini Trust Company
- Brand impersonation: Github
- Brand Impersonation: Google (QR Code)
- Brand impersonation: Google Drive fake file share
- Brand impersonation: Google using Microsoft Forms
- Brand impersonation: Google Workspace alert notification
- Brand impersonation: Greenvelope
- Brand impersonation: Internal Revenue Service
- Brand impersonation: LinkedIn
- Brand impersonation: Mailchimp
- Brand impersonation: Mailgun
- Brand impersonation: Meta and subsidiaries
- Brand impersonation: Microsoft (QR code)
- Brand impersonation: Microsoft fake sign-in alert
- Brand impersonation: Microsoft logo in HTML with fake quarantine release notification
- Brand impersonation: Microsoft logo or suspicious language with open redirect
- Brand impersonation: Microsoft Planner with suspicious link
- Brand impersonation: Microsoft Teams invitation
- Brand impersonation: Microsoft with embedded logo and credential theft language
- Brand impersonation: Microsoft with low reputation links
- Brand impersonation: Morgan Stanley
- Brand impersonation: Norton
- Brand impersonation: Okta
- Brand impersonation: Paperless Post
- Brand impersonation: PNC
- Brand Impersonation: Procore
- Brand impersonation: QuickBooks notification from Intuit themed company name
- Brand impersonation: Robert Half
- Brand impersonation: Robinhood
- Brand Impersonation: ShareFile
- Brand impersonation: Sharepoint
- Brand impersonation: Sharepoint fake file share
- Brand impersonation: SharePoint PDF attachment with credential theft language
- Brand impersonation: Social Security Administration
- Brand Impersonation: Stripe
- Brand impersonation: TikTok
- Brand impersonation: Twitter
- Brand impersonation: UK government Home Office
- Brand impersonation: USPS
- Brand impersonation: Wix
- Brand impersonation: Zoom
- Brand spoof: Dropbox
- Business Email Compromise (BEC) attempt from unsolicited sender
- Business Email Compromise (BEC) attempt from untrusted sender
- Business Email Compromise (BEC) attempt from untrusted sender (French/Français)
- Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)
- Business Email Compromise (BEC) with request for mobile number
- Business Email Compromise: Request for mobile number via reply thread hijacking
- Callback phishing in body or attachment (untrusted sender)
- Callback phishing solicitation in message body
- Callback phishing via e-signature service
- Callback phishing via Intuit service abuse
- Callback phishing: AOL senders with suspicious HTML template or PDF attachment
- Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old
- ClickFunnels link infrastructure abuse
- Compensation review with QR code in attached EML
- Constant Contact link infrastructure abuse
- COVID-19 themed fraud with sender and reply-to mismatch or compensation award
- Credential phishing content and link (untrusted sender)
- Credential phishing language and suspicious indicators (unknown sender)
- Credential phishing link (unknown sender)
- Credential phishing: 'Secure message' and engaging language
- Credential phishing: Blue button styled link with file-sharing template artifacts
- Credential phishing: DocuSign embedded image lure with no DocuSign domains in links
- Credential phishing: Email delivery failure impersonation
- Credential phishing: Engaging language and other indicators (untrusted sender)
- Credential phishing: Fake password expiration from new and unsolicited sender
- Credential phishing: Fake storage alerts (unsolicited)
- Credential phishing: Financial lure via ActiveCampaign infrastructure
- Credential phishing: Hyper-linked image leading to free file host
- Credential phishing: Onedrive impersonation
- Credential phishing: Suspicious e-sign agreement document notification
- Credential phishing: Suspicious subject with urgent financial request and link
- Cyrillic vowel substitution in subject or display name from unknown sender
- Cyrillic vowel substitutions with suspicious subject from unknown sender
- Domain impersonation: Freemail reply-to local lookalike with financial request
- EML attachment with credential theft language (unknown sender)
- Employee impersonation: Payroll fraud
- Encrypted Microsoft Office files from untrusted sender
- Extortion / sextortion (untrusted sender)
- Extortion / sextortion in attachment from untrusted sender
- Fake email quarantine notification
- Fake message thread - Untrusted sender with a mismatched freemail reply-to address
- Fake message thread with a suspicious link and engaging language from an unknown sender
- Fake request for tax preparation
- Fake thread with suspicious indicators
- Fake voicemail notification (untrusted sender)
- Fake Zoom meeting invite with suspicious link
- Fraudulent e-commerce operators
- Fraudulent order confirmation/shipping notification from Chinese sender domain
- Free email provider sender with mismatched provider reply-to
- Generic service abuse from newly registered domain
- Google share notification with suspicious comments
- Hardbacon infrastructure abuse
- Headers: Fake in-reply-to with wildcard sender and missing thread context
- Headers: Invalid recipient domain with mismatched reply-to from new sender
- Headers: iOS/iPadOS mailer with invalid build number
- Headers: Outlook Express mailer
- Headers: risky-recover-production message ID
- Headers: Self-sender using Microsoft CompAuth bypass with credential theft content
- Headers: X-Source-Auth mismatch with mismatched reply-to domain
- Headers: Zimbra mailer from a non-supported OS version
- Honorific greeting BEC attempt with sender and reply-to mismatch
- HR impersonation via e-sign agreement comment
- HTML smuggling containing recipient email address
- Impersonation: Employee using fabricated identity in initial contact
- Impersonation: Human Resources with link or attachment and engaging language
- Impersonation: Internal corporate services
- Impersonation: SharePoint reply header anomaly
- Impersonation: Suspected supplier impersonation with suspicious content
- Inbound message from popular service via newly observed distribution list
- Investor solicitation with organization targeting
- Link: Apple TestFlight from suspicious sender
- Link: Credential phishing traversing Russian infrastructure
- Link: Credential phishing via WordPress
- Link: Executable file download with suspicious message content
- Link: File sharing impersonation with suspicious language and sending patterns
- Link: Free file hosting with undisclosed recipients
- Link: Free subdomain host with undisclosed recipients
- Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender
- Link: Multistage landing - Abused Adobe Acrobat hosted PDF
- Link: Multistage landing - Abused Google Drive
- Link: Multistage landing - Published Google Doc
- Link: Non-standard port 8443 in display URL
- Link: Referrer anonymization service from untrusted sender
- Link: Romance/Sexual Language With Suspicious Link
- Link: SharePoint files shared from GoDaddy federated tenants
- Link: SharePoint OneNote or PDF link with self sender behavior
- Link: Squarespace infrastructure abuse
- Link: Suspicious Sharepoint folder share
- Link: Uncommon SharePoint document type with sender's display name
- Mass campaign: Cross Site Scripting (XSS) attempt
- Message traversed multiple onmicrosoft.com tenants
- Microsoft infrastructure abuse with suspicious patterns
- Newly registered sender or reply-to domain with newly registered linked domain
- Open redirect (go2.aspx) leading to Microsoft credential phishing
- Open redirect: bubblelife.com
- Open redirect: convertcart.com
- Open redirect: embluemail.com
- Open Redirect: Google domain with /url path and suspicious indicators
- Open redirect: magic4media.com
- Open redirect: pmifunds.com
- Open redirect: predictiveresponse.net
- Open redirect: qrxtech.com
- Open redirect: secondstreetapp.com
- Open redirect: Signature Travel Network
- Open redirect: smartadserver.com
- Open redirect: tuttocauzioni.it
- Open redirect: weblinkconnect.com
- PHP Mailer with common phishing attachments
- QR Code with suspicious indicators
- Reconnaissance: Empty subject with mismatched reply-to from new sender
- Reconnaissance: Hotel booking reply-to redirect
- Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
- Salesforce infrastructure abuse
- Scam: Fake estate sale offering welding equipment and tools
- Scam: Piano giveaway
- Service abuse: AppSheet infrastructure with suspicious indicators
- Service abuse: Cisco secure email service with financial request
- Service abuse: DocSend share from newly registered domain
- Service abuse: DocuSign notification with suspicious sender or document name
- Service abuse: DocuSign share from an unsolicited reply-to address
- Service abuse: Dropbox share from new domain
- Service abuse: Dropbox share with suspicious sender or document name
- Service Abuse: ExactTarget with suspicious sender indicators
- Service abuse: Free provider with SendGrid routing
- Service abuse: GitHub notification with excessive mentions and suspicious links
- Service abuse: Google Drive share from an unsolicited reply-to address
- Service abuse: Google Drive share from new reply-to domain
- Service abuse: Google Firebase sender address with suspicious content
- Service abuse: HelloSign from an unsolicited sender address
- Service Abuse: HelloSign share with suspicious sender or document name
- Service abuse: Monday.com infrastructure with phishing intent
- Service abuse: QuickBooks notification from new domain
- Service abuse: Sendgrid credential theft with personalized request targeting single recipient
- Service abuse: SendGrid impersonation via Sendgrid from new sender
- Service abuse: SendThisFile with credential theft and financial language
- Service abuse: SurveyMonkey survey from newly registered domain
- Service abuse: Trello board invitation with VIP impersonation
- SharePoint OTP for filename matching org name
- Spam/fraud: Predatory journal/research paper request
- Spam: BlackBaud infrastructure abuse
- Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
- Spam: Fake dating profile notification
- Spam: Fake photo share
- Spam: Personalized subject and greetings via Salesforce Marketing Cloud
- Spam: Sendersrv.com with financial communications and unsubscribe language
- Spam: Sexually explicit Google Drive share
- Spam: Sexually explicit Looker Studio report
- Spam: Single recipient duplicated in cc
- SPF temp error
- Spoofable internal domain with suspicious signals
- Suspected cross-site scripting (XSS) found in subject
- Suspicious DocuSign share from new domain
- Suspicious mailer received from Gmail servers
- Suspicious newly registered reply-to domain with engaging financial or urgent language
- Suspicious recipients pattern with no Compauth pass and suspicious content
- Suspicious request for financial information
- Suspicious SharePoint file sharing
- Vendor compromise: GovDelivery message with suspicious link
- VIP / Executive impersonation (strict match, untrusted)
- VIP Impersonation via Google Group relay with suspicious indicators
- VIP impersonation with BEC language (near match, untrusted sender)
- VIP impersonation with charitable donation fraud
- VIP impersonation with invoicing request
- VIP impersonation with urgent request (strict match, untrusted sender)
- VIP impersonation with w2 request with reply-to mismatch
- VIP impersonation: Fake thread with display name match, email mismatch
- Xero infrastructure abuse
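Several of the rule titles above describe pure header heuristics (for example "Free email provider sender with mismatched provider reply-to", "Spam: Single recipient duplicated in cc", and "Headers: Fake in-reply-to with wildcard sender and missing thread context"). The following is an added illustration of what such checks look like when expressed outside Sublime; it is not Sublime Security's MQL or rule logic, the freemail domain list is a constructed assumption, and the two sample messages are constructed for the example.

```python
"""Header-only heuristics modelled on a few of the rule titles above.

Added illustration, not Sublime Security's MQL or rule logic. It runs three
header checks over constructed sample messages:
  * freemail sender whose Reply-To points at a different freemail provider
  * a single To: recipient that is duplicated in Cc:
  * In-Reply-To present with no References header (fabricated thread context)
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed, illustrative freemail list (assumption, not Sublime's own list).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Constructed sample messages (not real traffic).
SUSPICIOUS_EML = (
    "From: Jane Doe <jane.doe@gmail.com>\n"
    "Reply-To: jane.doe.payments@yahoo.com\n"
    "To: finance@example.com\n"
    "Cc: finance@example.com\n"
    "In-Reply-To: <abc123@mail.gmail.com>\n"
    "Subject: Re: Invoice\n"
    "\n"
    "Please see attached.\n"
)

BENIGN_EML = (
    "From: Bob <bob@example.org>\n"
    "To: alice@example.com, carol@example.com\n"
    "In-Reply-To: <xyz@example.org>\n"
    "References: <xyz@example.org>\n"
    "Subject: Re: Lunch\n"
    "\n"
    "Sounds good.\n"
)


def _domain(addr: str) -> str:
    """Return the lower-cased domain of an RFC 5322 address, or '' if none."""
    _, email_addr = parseaddr(addr)
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def freemail_replyto_mismatch(msg) -> bool:
    """Sender on one freemail provider, Reply-To on a different freemail provider."""
    sender = _domain(msg.get("From", ""))
    reply_to = _domain(msg.get("Reply-To", ""))
    return (
        sender in FREEMAIL_DOMAINS
        and reply_to in FREEMAIL_DOMAINS
        and sender != reply_to
    )


def single_recipient_duplicated_in_cc(msg) -> bool:
    """Exactly one To: recipient, and that same address also appears in Cc:."""
    to = [a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a]
    cc = [a.lower() for _, a in getaddresses(msg.get_all("Cc", [])) if a]
    return len(to) == 1 and to[0] in cc


def fake_in_reply_to(msg) -> bool:
    """In-Reply-To claims a thread, but no References header backs it up."""
    return bool(msg.get("In-Reply-To")) and not msg.get("References")


def evaluate(raw: str) -> dict:
    """Parse a raw message and return the outcome of each header check."""
    msg = message_from_string(raw)
    return {
        "freemail_replyto_mismatch": freemail_replyto_mismatch(msg),
        "single_recipient_duplicated_in_cc": single_recipient_duplicated_in_cc(msg),
        "fake_in_reply_to": fake_in_reply_to(msg),
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EML), ("benign", BENIGN_EML)):
        print(label, evaluate(raw))
```

Each check on its own is a weak signal; the rule titles above pair such header anomalies with sender reputation, content language, or link analysis before a verdict is reached, and any standalone port of these heuristics should do the same.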