Detection rules › By event

Sublime-Message-headers Event ID 7000012

73 detection rules reference this event. View event page.

Sublime MQL (73)

Advance Fee Fraud (AFF) from freemail provider or suspicious TLD severity medium
Attachment: EML with link to credential phishing page severity high
Attachment: Office document with VSTO add-in severity high
Attachment: PDF with credential theft language and invalid reply-to domain severity medium
BEC with unusual reply-to or return-path mismatch severity high
BEC/Fraud: Generic scam attempt to undisclosed recipients severity low
BEC/Fraud: Penpal scam severity medium
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns severity medium
Brand impersonation: Aramco severity medium
Brand impersonation: Google Workspace alert notification severity medium
Brand impersonation: LinkedIn severity medium
Brand impersonation: Meta and subsidiaries severity medium
Brand impersonation: Microsoft fake sign-in alert severity medium
Brand impersonation: Norton severity low
Brand impersonation: QuickBooks notification from Intuit themed company name severity medium
Business Email Compromise (BEC) attempt from unsolicited sender severity medium
Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited) severity medium
Callback phishing via e-signature service severity high
Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old severity medium
COVID-19 themed fraud with sender and reply-to mismatch or compensation award severity medium
Cyrillic vowel substitution in subject or display name from unknown sender severity medium
Cyrillic vowel substitutions with suspicious subject from unknown sender severity medium
Domain impersonation: Freemail reply-to local lookalike with financial request severity medium
Fake message thread - Untrusted sender with a mismatched freemail reply-to address severity medium
Fake request for tax preparation severity high
Fraudulent order confirmation/shipping notification from Chinese sender domain severity medium
Free email provider sender with mismatched provider reply-to severity medium
Generic service abuse from newly registered domain severity high
Google share notification with suspicious comments severity high
Headers: Invalid recipient domain with mismatched reply-to from new sender severity medium
Headers: X-Source-Auth mismatch with mismatched reply-to domain severity high
Honorific greeting BEC attempt with sender and reply-to mismatch severity low
HR impersonation via e-sign agreement comment severity high
Impersonation: Suspected supplier impersonation with suspicious content severity high
Inbound message from popular service via newly observed distribution list severity medium
Investor solicitation with organization targeting severity medium
Link: File sharing impersonation with suspicious language and sending patterns severity medium
Link: Multistage landing - Abused Google Drive severity high
Link: Multistage landing - Published Google Doc severity high
Link: Romance/Sexual Language With Suspicious Link severity low
Newly registered sender or reply-to domain with newly registered linked domain severity medium
Reconnaissance: Empty subject with mismatched reply-to from new sender severity medium
Reconnaissance: Hotel booking reply-to redirect severity medium
Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern severity medium
Scam: Fake estate sale offering welding equipment and tools severity high
Scam: Piano giveaway severity medium
Service abuse: AppSheet infrastructure with suspicious indicators severity medium
Service abuse: Cisco secure email service with financial request severity high
Service abuse: DocSend share from newly registered domain severity high
Service abuse: DocuSign notification with suspicious sender or document name severity medium
Service abuse: DocuSign share from an unsolicited reply-to address severity medium
Service abuse: Dropbox share from new domain severity medium
Service abuse: Dropbox share with suspicious sender or document name severity medium
Service abuse: GitHub notification with excessive mentions and suspicious links severity high
Service abuse: Google Drive share from an unsolicited reply-to address severity medium
Service abuse: Google Drive share from new reply-to domain severity medium
Service abuse: Google Firebase sender address with suspicious content severity low
Service abuse: QuickBooks notification from new domain severity medium
Service abuse: SurveyMonkey survey from newly registered domain severity high
Service Abuse: Zoom with freemail reply-to and recipient address in greeting severity medium
Service abuse: Zoom with newly registered reply-to domain severity medium
Spam: Sexually explicit Google Drive share severity low
Spam: Sexually explicit Looker Studio report severity low
Suspicious DocuSign share from new domain severity high
Suspicious newly registered reply-to domain with engaging financial or urgent language severity medium
Suspicious request for financial information severity high
Suspicious SharePoint file sharing severity medium
VIP / Executive impersonation (strict match, untrusted) severity high
VIP Impersonation via Google Group relay with suspicious indicators severity high
VIP impersonation with BEC language (near match, untrusted sender) severity medium
VIP impersonation with invoicing request severity high
VIP impersonation with urgent request (strict match, untrusted sender) severity high
VIP impersonation with w2 request with reply-to mismatch severity high

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Sublime-Message-headers Event ID 7000012

Sublime MQL (73)

Keyboard shortcuts

Search operators