Detection rules › By event

Sublime-Message-headers Event ID 7000011

90 detection rules reference this event. View event page.

Sublime MQL (90)

AnonymousFox indicators severity high
Attachment: Adobe image lure in body or attachment with suspicious link severity medium
Attachment: Calendar invite with suspicious link leading to an open redirect severity high
Attachment: Callback phishing solicitation via text-based file severity medium
Attachment: DocuSign impersonation via PDF linking to new domain severity medium
Attachment: EML file contains HTML attachment with login portal indicators severity high
Attachment: Fake secure message and suspicious indicators severity medium
Attachment: Microsoft 365 credential phishing severity high
Attachment: Microsoft impersonation via PDF with link and suspicious language severity high
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender severity medium
BEC with unusual reply-to or return-path mismatch severity high
Benefits enrollment impersonation severity high
Brand impersonation: Adobe (QR code) severity high
Brand impersonation: Adobe Sign with suspicious indicators severity high
Brand impersonation: Amazon severity low
Brand impersonation: Booking.com severity medium
Brand impersonation: Capital One severity high
Brand impersonation: Cloud services with credential theft intent severity medium
Brand impersonation: DocuSign severity high
Brand impersonation: DocuSign branded attachment lure with no DocuSign links severity high
Brand impersonation: Dropbox severity medium
Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains severity medium
Brand impersonation: Github severity high
Brand Impersonation: Google (QR Code) severity high
Brand impersonation: Google Workspace alert notification severity medium
Brand impersonation: Internal Revenue Service severity high
Brand impersonation: Mailgun severity medium
Brand impersonation: Microsoft (QR code) severity high
Brand impersonation: Microsoft fake sign-in alert severity medium
Brand impersonation: Microsoft logo in HTML with fake quarantine release notification severity high
Brand impersonation: Microsoft with embedded logo and credential theft language severity high
Brand impersonation: Morgan Stanley severity medium
Brand Impersonation: ShareFile severity medium
Brand impersonation: Sharepoint severity high
Brand impersonation: SharePoint PDF attachment with credential theft language severity medium
Brand Impersonation: Stripe severity high
Brand impersonation: TikTok severity medium
ClickFunnels link infrastructure abuse severity high
Constant Contact link infrastructure abuse severity high
Credential phishing content and link (untrusted sender) severity high
Credential phishing language and suspicious indicators (unknown sender) severity medium
Credential phishing: 'Secure message' and engaging language severity medium
Credential phishing: DocuSign embedded image lure with no DocuSign domains in links severity high
Credential phishing: Fake password expiration from new and unsolicited sender severity medium
Credential phishing: Hyper-linked image leading to free file host severity medium
Credential phishing: Onedrive impersonation severity high
Credential phishing: Suspicious e-sign agreement document notification severity medium
Employee impersonation: Payroll fraud severity high
Encrypted Microsoft Office files from untrusted sender severity medium
Extortion / sextortion (untrusted sender) severity low
Extortion / sextortion in attachment from untrusted sender severity low
Fake message thread - Untrusted sender with a mismatched freemail reply-to address severity medium
Fake thread with suspicious indicators severity medium
Fake voicemail notification (untrusted sender) severity medium
Free email provider sender with mismatched provider reply-to severity medium
Headers: Self-sender using Microsoft CompAuth bypass with credential theft content severity high
Headers: X-Source-Auth mismatch with mismatched reply-to domain severity high
HTML smuggling containing recipient email address severity medium
Impersonation: Human Resources with link or attachment and engaging language severity medium
Impersonation: Internal corporate services severity high
Inbound message from popular service via newly observed distribution list severity medium
Link: Credential phishing traversing Russian infrastructure severity high
Link: File sharing impersonation with suspicious language and sending patterns severity medium
Link: Free file hosting with undisclosed recipients severity medium
Link: Free subdomain host with undisclosed recipients severity medium
Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender severity high
Link: Uncommon SharePoint document type with sender's display name severity medium
Mass campaign: Cross Site Scripting (XSS) attempt severity medium
Message traversed multiple onmicrosoft.com tenants severity medium
Microsoft infrastructure abuse with suspicious patterns severity high
Open redirect: predictiveresponse.net severity medium
Salesforce infrastructure abuse severity medium
Service abuse: HelloSign from an unsolicited sender address severity low
Service Abuse: HelloSign share with suspicious sender or document name severity medium
Service abuse: Monday.com infrastructure with phishing intent severity high
Service abuse: Trello board invitation with VIP impersonation severity medium
SharePoint OTP for filename matching org name severity medium
Spam/fraud: Predatory journal/research paper request severity medium
Spam: BlackBaud infrastructure abuse severity medium
Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com) severity low
Spam: Fake photo share severity low
Spam: Personalized subject and greetings via Salesforce Marketing Cloud severity low
Spam: Single recipient duplicated in cc severity medium
SPF temp error severity medium
Spoofable internal domain with suspicious signals severity medium
Suspected cross-site scripting (XSS) found in subject severity medium
Suspicious mailer received from Gmail servers severity low
Suspicious recipients pattern with no Compauth pass and suspicious content severity medium
VIP Impersonation via Google Group relay with suspicious indicators severity high
Xero infrastructure abuse severity medium

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Sublime-Message-headers Event ID 7000011

Sublime MQL (90)

Keyboard shortcuts

Search operators