Sublime-Message-recipients Event ID 7000019
Sublime MQL (163)
- Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure
- Advance Fee Fraud (AFF) from freemail provider or suspicious TLD
- Attachment: Adobe image lure in body or attachment with suspicious link
- Attachment: Callback phishing solicitation via image file
- Attachment: Callback phishing solicitation via pdf file
- Attachment: Compensation review lure with QR code
- Attachment: Compensation-themed DOCX with QR code credential theft
- Attachment: EML with link to credential phishing page
- Attachment: EML with QR code redirecting to Cloudflare challenges
- Attachment: EML with suspicious indicators
- Attachment: Encrypted PDF with credential theft body
- Attachment: HTML file with reference to recipient and suspicious patterns
- Attachment: HTML smuggling with excessive string concatenation and suspicious patterns
- Attachment: HTML with obfuscation and recipient's email in JavaScript strings
- Attachment: PDF with credential theft language and invalid reply-to domain
- Attachment: PDF with QR code containing recipient-specific credential theft content
- Attachment: PDF with recipient email in link
- Attachment: PDF with self-service platform links with self sender or blank recipients
- Attachment: QR code link with base64-encoded recipient address
- Attachment: QR code with credential phishing indicators
- Attachment: QR code with encoded recipient targeting and redirect indicators
- Attachment: QR code with recipient targeting and special characters
- Attachment: QR code with suspicious URL patterns in EML file
- Attachment: QR code with userinfo portion
- Attachment: RTF file with suspicious link
- Attachment: Self-sender PDF with minimal content and view prompt
- Attachment: Small text file with link containing recipient email address
- Attachment: Suspicious employee policy update document lure
- Attachment: SVG files with evasion elements
- BEC/Fraud: Generic scam attempt to undisclosed recipients
- BEC/Fraud: Job scam fake thread or plaintext pivot to freemail
- BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply
- BEC/Fraud: Scam lure with freemail pivot
- BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
- Body HTML: Recipient SLD in HTML class
- Body: HTML whitespace stuffing with short initial message
- Brand impersonation: Adobe (QR code)
- Brand impersonation: Adobe Sign with suspicious indicators
- Brand impersonation: Bank of America
- Brand impersonation: File sharing notification with template artifacts
- Brand impersonation: Google Drive fake file share
- Brand impersonation: Hulu
- Brand impersonation: LastPass
- Brand impersonation: Mailgun
- Brand impersonation: Meta and subsidiaries
- Brand impersonation: Microsoft (QR code)
- Brand impersonation: Microsoft Planner with suspicious link
- Brand impersonation: Microsoft with low reputation links
- Brand impersonation: Netflix
- Brand impersonation: Norton
- Brand impersonation: Sharepoint fake file share
- Brand impersonation: Zoom via lookalike domain
- Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)
- Callback phishing solicitation in message body
- Callback phishing: AOL senders with suspicious HTML template or PDF attachment
- Commonly abused sender TLD with engaging language
- Credential phishing content and link (untrusted sender)
- Credential phishing language and suspicious indicators (unknown sender)
- Credential phishing: 'Secure message' and engaging language
- Credential phishing: Email delivery failure impersonation
- Credential phishing: Engaging language and other indicators (untrusted sender)
- Credential phishing: Fake password expiration from new and unsolicited sender
- Credential phishing: Generic document sharing
- Credential phishing: Re-Authentication lure
- Credential phishing: Suspicious e-sign agreement document notification
- Credential Phishing: Suspicious language, link, recipients and other indicators
- Deceptive Dropbox mention
- Display name and subject impersonation using recipient SLD (new sender)
- Display name impersonation using recipient SLD
- EML attachment with credential theft language (unknown sender)
- Fake email quarantine notification
- Fake shipping notification with suspicious language
- Fake thread with suspicious indicators
- Fake voicemail notification (untrusted sender)
- Fake Zoho Sign template abuse
- Fake Zoom meeting invite with suspicious link
- Fraudulent order confirmation/shipping notification from Chinese sender domain
- Free subdomain link with credential theft indicators
- Google Accelerated Mobile Pages (AMP) abuse
- Headers: Invalid recipient domain with mismatched reply-to from new sender
- Headers: Self-sender using Microsoft CompAuth bypass with credential theft content
- HTML smuggling containing recipient email address
- Impersonation using recipient domain (untrusted sender)
- Impersonation: Legal firm with copyright infringement notice
- Impersonation: Recipient organization in sender display name with credential theft image
- Impersonation: SharePoint reply header anomaly
- Inbound message from popular service via newly observed distribution list
- Investor solicitation with organization targeting
- Invoicera infrastructure abuse
- Job scam (unsolicited sender)
- Link abuse: Self-service creation platform link with suspicious recipient behavior
- Link: Commonly Abused Web Service redirecting to ZIP file
- Link: Credential phishing link with undisclosed recipients
- Link: Credential theft with invisible Unicode character in page title from unsolicited sender
- Link: Display text matches subject line
- Link: File sharing impersonation with suspicious language and sending patterns
- Link: Financial account issue with suspicious indicators
- Link: Free file hosting with undisclosed recipients
- Link: Free subdomain host with undisclosed recipients
- Link: IPFS
- Link: JavaScript obfuscation with Telegram bot integration
- Link: Mamba 2FA phishing kit
- Link: Microsoft device code authentication with suspicious indicators
- Link: Microsoft protected message with matching sender and recipient addresses
- Link: PDF filename impersonation with credential theft language
- Link: Personal SharePoint with invalid recipients and credential theft language
- Link: Personalized URL with recipient address on commonly abused web service
- Link: QR Code with suspicious language (untrusted sender)
- Link: Recipient domain in URL path
- Link: Recipient email address in 'eta' parameter
- Link: Self-sender credential theft with configuration placeholder
- Link: Self-sender with sender org in subject and credential theft indicator
- Link: Self-sent message with quarterly document review request
- Link: Self-sent PDF lure with subject correlation
- Link: SharePoint OneNote or PDF link with self sender behavior
- Link: Single character path with credential theft body and self sender behavior or invalid recipient
- Link: Spam website with evasion indicators
- Link: Suspicious URL with recipient targeting and special characters
- Link: SVG with embedded recipient data
- Link: Tax document lure Portuguese/Spanish with suspicious domains
- Link: Tycoon2FA phishing kit (non-exhaustive)
- Link: Unsolicited email contains link leading to Tycoon URL structure
- Link: URL redirecting to blob URL
- Link: URL shortener with copy-paste instructions and credential theft language
- Mass campaign: Cross Site Scripting (XSS) attempt
- Mass campaign: recipient address in subject, body, and link (untrusted sender)
- Message traversed multiple onmicrosoft.com tenants
- Microsoft infrastructure abuse with suspicious patterns
- QR Code with suspicious indicators
- Reconnaissance: All recipients cc/bcc'd or undisclosed
- Reconnaissance: Hotel booking reply-to redirect
- Reconnaissance: Large unknown recipient list
- Reconnaissance: Short generic greeting message
- Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
- Salesforce infrastructure abuse
- Scam: Fake estate sale offering welding equipment and tools
- Scam: Piano giveaway
- Self-sender with copy/paste instructions and suspicious domains (French/Français)
- Self-sent fake PDF attachment with misleading link
- Service abuse: Cisco secure email service with financial request
- Service abuse: GitHub notification with excessive mentions and suspicious links
- Service Abuse: Nifty.com with impersonation
- Service abuse: Sendgrid credential theft with personalized request targeting single recipient
- Sharepoint file share with suspicious recipients pattern
- Sharepoint online with external recipients and external display name
- Spam/fraud: Predatory journal/research paper request
- Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
- Spam: Fake dating profile notification
- Spam: Link to blob.core.windows.net from new domain (<30d)
- Spam: New job cold outreach from unsolicited sender
- Spam: Single recipient duplicated in cc
- Spam: Unsolicited malformed PDF
- Spam: Unsolicited WordPress account creation or password reset request
- Suspicious recipient pattern and language with low reputation link to login
- Suspicious recipients pattern with NLU credential theft indicators
- Suspicious recipients pattern with no Compauth pass and suspicious content
- Suspicious request for financial information
- Suspicious subject with long procedurally generated text blob
- Targeting: Specific AOL address
- VIP / Executive impersonation (strict match, untrusted)
- VIP / Executive impersonation in subject (untrusted)
- VIP local_part impersonation from unsolicited sender
- Xero infrastructure abuse