Sublime-Message-headers Event ID 7000009
Sublime MQL (435)
- Attachment: Adobe image lure in body or attachment with suspicious link
- Attachment: Any .sap file (unsolicited)
- Attachment: Any HTML file (unsolicited)
- Attachment: Any HTML file (untrusted sender)
- Attachment: Compensation review lure with QR code
- Attachment: Compensation-themed DOCX with QR code credential theft
- Attachment: DocuSign impersonation via PDF linking to new domain
- Attachment: EML file with HTML attachment (unsolicited)
- Attachment: EML with Sharepoint link likely unrelated to sender
- Attachment: EML with suspicious indicators
- Attachment: Encrypted PDF with credential theft body
- Attachment: Fake attachment image lure
- Attachment: Fake secure message and suspicious indicators
- Attachment: Fake voicemail via PDF
- Attachment: HTML attachment with login portal indicators
- Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts
- Attachment: HTML smuggling - QR Code with suspicious links
- Attachment: HTML smuggling with atob and high entropy
- Attachment: HTML smuggling with atob and high entropy via calendar invite
- Attachment: HTML smuggling with decimal encoding
- Attachment: HTML with emoji-to-character map
- Attachment: HTML with hidden body
- Attachment: HTML with JavaScript functions for HTTP requests
- Attachment: ICS calendar with embedded file from internal sender with SPF failure
- Attachment: Invoice and W-9 PDFs with suspicious creators
- Attachment: Microsoft 365 credential phishing
- Attachment: Microsoft impersonation via PDF with link and suspicious language
- Attachment: PDF proposal with credential theft indicators
- Attachment: PDF with credential theft language and invalid reply-to domain
- Attachment: PDF with Microsoft Purview message impersonation
- Attachment: PDF with suspicious HeadlessChrome metadata
- Attachment: QR code with credential phishing indicators
- Attachment: Suspicious employee policy update document lure
- BEC with unusual reply-to or return-path mismatch
- BEC/Fraud: Generic scam attempt to undisclosed recipients
- BEC/Fraud: Penpal scam
- Benefits enrollment impersonation
- Body HTML: Recipient SLD in HTML class
- Body: Embedded email headers indicative of thread hijacking/abuse
- Body: HTML whitespace stuffing with short initial message
- Brand impersonation: AARP
- Brand impersonation: Adobe (QR code)
- Brand impersonation: Adobe Sign with suspicious indicators
- Brand impersonation: Adobe with suspicious language and link
- Brand impersonation: AliExpress
- Brand impersonation: Amazon
- Brand impersonation: Amazon Web Services (AWS)
- Brand impersonation: American Express (AMEX)
- Brand impersonation: Aquent
- Brand impersonation: Aramco
- Brand impersonation: AuthentiSign
- Brand impersonation: Automobile assistance associations
- Brand impersonation: Bank of America
- Brand impersonation: Blockchain.com
- Brand impersonation: Booking.com
- Brand impersonation: Box file sharing service
- Brand impersonation: Canada Revenue Agency
- Brand impersonation: Capital One
- Brand impersonation: Charles Schwab
- Brand impersonation: Chase Bank
- Brand impersonation: Chase bank with credential phishing indicators
- Brand impersonation: Cloud services with credential theft intent
- Brand impersonation: Coinbase
- Brand impersonation: Dashlane
- Brand impersonation: DHL
- Brand impersonation: Discord notification
- Brand Impersonation: Disney
- Brand impersonation: DocSend
- Brand impersonation: DocuSign
- Brand impersonation: DocuSign (QR code)
- Brand impersonation: DocuSign with embedded QR code
- Brand impersonation: DoorDash
- Brand impersonation: Dotloop
- Brand impersonation: Dropbox
- Brand impersonation: Evite
- Brand impersonation: Fake Fax
- Brand impersonation: Fastway
- Brand impersonation: FedEx
- Brand impersonation: File sharing notification with template artifacts
- Brand Impersonation: Gemini Trust Company
- Brand impersonation: Github
- Brand impersonation: GoDaddy
- Brand impersonation: Google Careers
- Brand impersonation: Google Drive fake file share
- Brand impersonation: Google Workspace alert notification
- Brand impersonation: Greenvelope
- Brand impersonation: Gusto
- Brand impersonation: Hulu
- Brand impersonation: Interac
- Brand impersonation: Internal Revenue Service
- Brand impersonation: KnowBe4
- Brand impersonation: LastPass
- Brand impersonation: Ledger
- Brand impersonation: Mailchimp
- Brand impersonation: Mailgun
- Brand impersonation: Marriott with gift language
- Brand impersonation: McAfee
- Brand impersonation: Meta and subsidiaries
- Brand impersonation: MetaMask
- Brand impersonation: Microsoft
- Brand impersonation: Microsoft Planner with suspicious link
- Brand impersonation: Microsoft quarantine release notification in body
- Brand impersonation: Microsoft quarantine release notification in image attachment
- Brand impersonation: Microsoft Teams invitation
- Brand impersonation: Microsoft with embedded logo and credential theft language
- Brand impersonation: Microsoft with low reputation links
- Brand impersonation: Morgan Stanley
- Brand impersonation: Navan
- Brand impersonation: Netflix
- Brand impersonation: Office 365 mail service
- Brand impersonation: Okta
- Brand impersonation: OpenAI with payment issues
- Brand impersonation: Paperless Post
- Brand Impersonation: PayPal
- Brand impersonation: PNC
- Brand Impersonation: Procore
- Brand impersonation: Purdue ePlanroom with suspicious links
- Brand impersonation: Quickbooks
- Brand impersonation: QuickBooks dispute notification
- Brand impersonation: QuickBooks notification from Intuit themed company name
- Brand impersonation: Robert Half
- Brand impersonation: Robinhood
- Brand impersonation: SendGrid
- Brand Impersonation: ShareFile
- Brand impersonation: Sharepoint
- Brand impersonation: Sharepoint fake file share
- Brand impersonation: SharePoint PDF attachment with credential theft language
- Brand Impersonation: Shein
- Brand impersonation: SiriusXM
- Brand impersonation: Social Security Administration
- Brand impersonation: Spotify
- Brand impersonation: Square
- Brand impersonation: Squarespace
- Brand impersonation: State Farm
- Brand Impersonation: Stripe
- Brand impersonation: Stripe notification
- Brand impersonation: Sublime Security
- Brand impersonation: Survey request with credential theft indicators
- Brand impersonation: TikTok
- Brand impersonation: Toronto-Dominion Bank
- Brand impersonation: Trust Wallet
- Brand impersonation: TurboTax
- Brand impersonation: UK government Home Office
- Brand impersonation: United Healthcare
- Brand impersonation: UPS
- Brand impersonation: USPS
- Brand impersonation: Vanguard
- Brand impersonation: Vanta
- Brand impersonation: Venmo
- Brand impersonation: Wells Fargo
- Brand impersonation: WeTransfer
- Brand impersonation: Wise
- Brand impersonation: Wix
- Brand impersonation: Xodo Sign
- Brand impersonation: Zoom
- Brand spoof: Dropbox
- Business Email Compromise (BEC) attempt from unsolicited sender
- Business Email Compromise (BEC) attempt from untrusted sender
- Business Email Compromise (BEC) attempt from untrusted sender (French/Français)
- Business Email Compromise: Request for mobile number via reply thread hijacking
- Callback phishing in body or attachment (untrusted sender)
- Callback phishing solicitation in message body
- Callback phishing via Adobe Sign comment
- Callback phishing via calendar invite
- Callback phishing via DocuSign comment
- Callback phishing via e-signature service
- Callback phishing via extensionless rfc822 attachment
- Callback phishing via Google Group abuse
- Callback phishing via Intuit service abuse
- Callback Phishing via Signable E-Signature Request
- Callback phishing via SignFree e-signature request
- Callback phishing via Xodo Sign comment
- Callback phishing via Zoho service abuse
- Callback Phishing via Zoom comment
- Catbox.moe link from untrusted source
- Cloud storage impersonation with credential theft indicators
- Commonly abused sender TLD with engaging language
- Compensation review with QR code in attached EML
- Constant Contact link infrastructure abuse
- COVID-19 themed fraud with sender and reply-to mismatch or compensation award
- Credential phishing content and link (untrusted sender)
- Credential phishing language and suspicious indicators (unknown sender)
- Credential phishing link (unknown sender)
- Credential Phishing via Dropbox comment abuse
- Credential phishing: 'Secure message' and engaging language
- Credential phishing: Blue button styled link with file-sharing template artifacts
- Credential phishing: DocuSign embedded image lure with no DocuSign domains in links
- Credential phishing: Email delivery failure impersonation
- Credential phishing: Engaging language and other indicators (untrusted sender)
- Credential phishing: Fake card notification with tracking lure
- Credential phishing: Fake password expiration from new and unsolicited sender
- Credential phishing: Fake storage alerts (unsolicited)
- Credential phishing: Financial lure via ActiveCampaign infrastructure
- Credential phishing: Generic document share template
- Credential phishing: Generic document sharing
- Credential phishing: Onedrive impersonation
- Credential phishing: Re-Authentication lure
- Credential phishing: Suspicious e-sign agreement document notification
- Credential phishing: Suspicious subject with urgent financial request and link
- Credential phishing: Tax form impersonation with payment request
- Display name and subject impersonation using recipient SLD (new sender)
- Display Name Emoji with Financial Symbols
- Display name impersonation using recipient SLD
- DocuSign impersonation via spoofed Intuit sender
- EML attachment with credential theft language (unknown sender)
- Employee impersonation with urgent request (untrusted sender)
- Extortion / sextortion (untrusted sender)
- Fake email quarantine notification
- Fake message thread with a suspicious link and engaging language from an unknown sender
- Fake thread with suspicious indicators
- Fake voicemail notification (untrusted sender)
- Fake Zoom meeting invite with suspicious link
- File sharing link with a suspicious subject
- Free subdomain link with login or captcha (untrusted sender)
- Google Drive direct download link from unsolicited sender
- Google Notification alert link from non-Google sender
- Google presentation open redirect phishing
- Google services using g.co shortlinks
- Google share notification with suspicious comments
- Hardbacon infrastructure abuse
- Headers: Self-sender using Microsoft CompAuth bypass with credential theft content
- Honorific greeting BEC attempt with sender and reply-to mismatch
- HR impersonation via e-sign agreement comment
- HTML smuggling containing recipient email address
- Image as content with a link to an open redirect
- Impersonation using recipient domain (untrusted sender)
- Impersonation: Chrome Web Store policy
- Impersonation: Fake Gmail attachment
- Impersonation: Fake product discount promotion
- Impersonation: Human Resources with link or attachment and engaging language
- Impersonation: Internal corporate services
- Inbound message from popular service via newly observed distribution list
- Job scam (unsolicited sender)
- Job scam with specific salary pattern
- Link to auto-downloaded DMG in archive
- Link to auto-downloaded DMG in encrypted zip
- Link: .onion From Unsolicited Sender
- Link: Adobe share from unsolicited sender
- Link: Adobe share with suspicious indicators
- Link: BEC with newly registered domains and financial keywords
- Link: Common hidden directory observed
- Link: Credential phishing link with undisclosed recipients
- Link: Cryptocurrency fraud with suspicious links
- Link: Direct link to limewire hosted file
- Link: Direct link to riddle.com hosted showcase
- Link: Direct link to Zoom Docs from non-Zoom sender
- Link: Executable file download with suspicious message content
- Link: File sharing impersonation with suspicious language and sending patterns
- Link: Financial account issue with suspicious indicators
- Link: Flagged bit.ly link
- Link: Free file hosting with undisclosed recipients
- Link: GoPhish query param values
- Link: Hotel booking spoofed display URL
- Link: IPFS
- Link: Jensi file preview link from unsolicited sender
- Link: Microsoft Dynamics 365 form phishing
- Link: Multistage landing - Abused Docusign
- Link: Multistage landing - Abused Google Drive
- Link: Multistage landing - Ludus presentation
- Link: Multistage landing - Scribd document
- Link: Non-standard port 8443 in display URL
- Link: Personalized URL with recipient address on commonly abused web service
- Link: QR code with phishing disposition in img or pdf
- Link: QR Code with suspicious language (untrusted sender)
- Link: QuickBooks image lure with suspicious link
- Link: Recipient domain in URL path
- Link: Referrer anonymization service from untrusted sender
- Link: Suspicious Sharepoint folder share
- Link: Tax document lure Portuguese/Spanish with suspicious domains
- Link: Webflow link from unsolicited sender
- Link: Zoho form link from unsolicited sender
- Lookalike sender domain (untrusted sender)
- macOS malware: Compiled AppleScript with document double-extension
- Malware: Pikabot delivery via URL auto-download
- Mass campaign: recipient address in subject, body, and link (untrusted sender)
- Open redirect: adnxs.com
- Open redirect: agena-smile.com
- Open redirect: amaterasu-for-website-5.com
- Open redirect: api.spently.com
- Open redirect: Artisteer
- Open redirect: artkaderne
- Open Redirect: asemailmgmteu.com
- Open redirect: astroarts.co.jp
- Open redirect: bananaguide.com
- Open redirect: bangkoksync.com
- Open redirect: bestdeals.today
- Open redirect: Bitrix24 URL Path
- Open redirect: bubblelife.com
- Open redirect: buildingengines.com
- Open redirect: business.google.com website_shared URL Param
- Open redirect: chkc.com.hk
- Open redirect: City of Calgary
- Open redirect: Club-OS
- Open redirect: convertcart.com
- Open redirect: Dell
- Open redirect: designsori.com
- Open redirect: documentmailbox.com
- Open redirect: eaoko.org
- Open redirect: easycamp.com
- Open redirect: embluemail.com
- Open redirect: emlakarsa
- Open redirect: emp.eduyield.com
- Open redirect: eodcnetworkdirect.com
- Open redirect: events.csiro.au
- Open redirect: ExacTag
- Open redirect: fenc.com
- Open redirect: g7.fr
- Open redirect: giving.lluh.org
- Open Redirect: Google domain with /url path and suspicious indicators
- Open redirect: ijf.org
- Open redirect: Indeed
- Open redirect: IndiaTimes
- Open redirect: isadatalab.com
- Open redirect: k-mil.net
- Open redirect: labcluster.com
- Open redirect: LearningApps
- Open redirect: LinkedIn Redirect
- Open redirect: listing.ca
- Open redirect: magic4media.com
- Open redirect: magiccity.ne.jp
- Open redirect: magneticmarketing.com
- Open redirect: mail.spiceworks.com
- Open redirect: marketing.edinburghairport.com
- Open redirect: Medium
- Open redirect: mindmixer.com
- Open redirect: museepicassoparis.fr
- Open redirect: Newegg
- Open redirect: next2.io
- Open redirect: nowlifestyle.com
- Open redirect: obunsha.co.jp
- Open redirect: people.anuneo.com
- Open redirect: phoenixartstudio.net
- Open redirect: PIRL San Diego
- Open redirect: plasticsurgery.or.kr
- Open redirect: pmifunds.com
- Open redirect: predictiveresponse.net
- Open redirect: PremierBet
- Open redirect: qrxtech.com
- Open redirect: queue.swytchbike.com
- Open redirect: radiopublic.com
- Open redirect: retailrocket.net
- Open redirect: ringaraja.net
- Open redirect: sciencebuddies.org
- Open redirect: secondstreetapp.com
- Open redirect: shoppermeet.net
- Open redirect: shoppingwebapi.didatravel.com
- Open redirect: Signature Travel Network
- Open redirect: slubnaglowie.pl
- Open redirect: smartadserver.com
- Open redirect: smore.com
- Open redirect: social.bigpress.net
- Open redirect: ssg-financial.com
- Open redirect: stats.lib.pdx.edu
- Open redirect: storematch.jp
- Open redirect: Ticketmaster
- Open redirect: TikTok
- Open redirect: tkqlhce.com
- Open redirect: tuttocauzioni.it
- Open redirect: typedrawers.com
- Open redirect: unitedwaynwvt.org
- Open redirect: ust.hk
- Open redirect: vconfex.com
- Open redirect: weblinkconnect.com
- Open redirect: whitefox.pl
- Open redirect: Xfinity CMP Redirection to Google AMP
- Open redirect: xfinity.com
- Open redirect: YouTube
- Potential prompt injection attack in body HTML
- QR code to auto-download of a suspicious file type (unsolicited)
- QR Code with suspicious indicators
- Reconnaissance: All recipients cc/bcc'd or undisclosed
- Reconnaissance: Large unknown recipient list
- Reconnaissance: Short generic greeting message
- Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
- Salesforce infrastructure abuse
- Scam soliciting employer review/rating
- Scam: Piano giveaway
- Sender name contains Active Directory distinguished name
- Service abuse: Adobe Creative Cloud share from an unsolicited sender address
- Service abuse: Adobe Sign notification from an unsolicited reply-to address
- Service abuse: Behance document sharing with suspicious language
- Service abuse: DocSend share from newly registered domain
- Service abuse: DocuSign notification with suspicious sender or document name
- Service abuse: DocuSign share from an unsolicited reply-to address
- Service abuse: Dropbox share from an unsolicited reply-to address
- Service abuse: Dropbox share from new domain
- Service abuse: Dropbox share with suspicious sender or document name
- Service Abuse: GoDaddy infrastructure
- Service abuse: Google application integration redirecting to suspicious hosts
- Service abuse: HelloSign from an unsolicited sender address
- Service Abuse: HelloSign share with suspicious sender or document name
- Service abuse: Meetup.com redirect with brand impersonation
- Service abuse: Monday.com infrastructure with phishing intent
- Service abuse: QuickBooks notification from new domain
- Service abuse: SendGrid impersonation via Sendgrid from new sender
- Service abuse: SurveyMonkey survey from newly registered domain
- Service abuse: Task management message sent via SendGrid
- Sharepoint link likely unrelated to sender
- Spam/fraud: Predatory journal/research paper request
- Spam: Cryptocurrency airdrop/giveaway
- Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
- Spam: Fake photo share
- Spam: Firebase password reset from suspicious sender
- Spam: Ghostwriting services scam with manipulative language
- Spam: Item giveaway spam template
- Spam: Mastercard promotional content with image-based body
- Spam: Single recipient duplicated in cc
- Spam: Unsolicited WordPress account creation or password reset request
- Stripe invoice abuse
- Suspicious attachment with unscannable Cloudflare link
- Suspicious DocuSign share from new domain
- Suspicious invoice reference with missing or image-only attachments
- Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender
- Suspicious Links to Cloudflare R2 and Edge Services
- Suspicious message with unscannable Cloudflare link
- Suspicious message with unscannable Vercel link
- Suspicious newly registered reply-to domain with engaging financial or urgent language
- Suspicious recipients pattern with no Compauth pass and suspicious content
- Suspicious request for financial information
- Suspicious sender display name with long procedurally generated text blob
- Suspicious subject with long procedurally generated text blob
- Truth Social infrastructure abuse via link redirect
- Twitter infrastructure abuse via link shortener
- Unusually long local part from untrusted sender address
- Vendor compromise: GovDelivery message with suspicious link
- VIP / Executive impersonation (strict match, untrusted)
- VIP / Executive impersonation in subject (untrusted)
- VIP Impersonation via Google Group relay with suspicious indicators
- VIP impersonation with BEC language (near match, untrusted sender)
- VIP impersonation with invoicing request
- VIP impersonation with urgent request (strict match, untrusted sender)
- VIP impersonation with w2 request with reply-to mismatch
- VIP local_part impersonation from unsolicited sender
- X (Twitter) impersonation with credential phishing motives
- Zoom Events newsletter abuse