Sublime-Message-sender Event ID 7000023
Sublime MQL (208)
- Attachment with VBA macros from employee impersonation (unsolicited)
- Attachment: EML with link to credential phishing page
- Attachment: Legal themed message or PDF with suspicious indicators
- Attachment: PDF bid/proposal lure with credential theft indicators
- Attachment: QR code link with base64-encoded recipient address
- BEC with unusual reply-to or return-path mismatch
- BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply
- BEC/Fraud: Romance scam
- BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
- Benefits enrollment impersonation
- Brand impersonation: AARP
- Brand impersonation: Adobe (QR code)
- Brand impersonation: ADP
- Brand impersonation: Amazon
- Brand impersonation: Amazon Web Services (AWS)
- Brand impersonation: Amazon with suspicious attachment
- Brand impersonation: American Express (AMEX)
- Brand impersonation: Apple
- Brand impersonation: Aquent
- Brand impersonation: Aramco
- Brand impersonation: AuthentiSign
- Brand impersonation: Bank of America
- Brand impersonation: Barracuda Networks
- Brand impersonation: Binance
- Brand impersonation: Blockchain.com
- Brand impersonation: Booking.com
- Brand impersonation: Canada Revenue Agency
- Brand impersonation: Capital One
- Brand impersonation: Charles Schwab
- Brand impersonation: Chase Bank
- Brand impersonation: Coinbase
- Brand impersonation: Dashlane
- Brand impersonation: DHL
- Brand impersonation: DigitalOcean
- Brand impersonation: Discord notification
- Brand Impersonation: Disney
- Brand impersonation: DocSend
- Brand impersonation: DocuSign
- Brand impersonation: DocuSign branded attachment lure with no DocuSign links
- Brand impersonation: DoorDash
- Brand impersonation: Dotloop
- Brand impersonation: Dropbox
- Brand impersonation: Enbridge
- Brand impersonation: Exodus
- Brand impersonation: Fake Fax
- Brand impersonation: Fastway
- Brand impersonation: FedEx
- Brand impersonation: FINRA
- Brand Impersonation: Gemini Trust Company
- Brand impersonation: Github
- Brand impersonation: GoDaddy
- Brand Impersonation: Google (QR Code)
- Brand impersonation: Google Drive fake file share
- Brand impersonation: Google using Microsoft Forms
- Brand impersonation: Google Workspace alert notification
- Brand impersonation: Gusto
- Brand impersonation: Hulu
- Brand impersonation: Interac
- Brand impersonation: Internal Revenue Service
- Brand impersonation: KnowBe4
- Brand impersonation: LastPass
- Brand impersonation: Ledger
- Brand impersonation: LinkedIn
- Brand impersonation: Mailchimp
- Brand impersonation: Mailgun
- Brand impersonation: Marriott with gift language
- Brand impersonation: McAfee
- Brand impersonation: Meta and subsidiaries
- Brand impersonation: MetaMask
- Brand impersonation: Microsoft
- Brand impersonation: Microsoft (QR code)
- Brand impersonation: Microsoft fake sign-in alert
- Brand impersonation: Microsoft Teams invitation
- Brand impersonation: Morgan Stanley
- Brand impersonation: Navan
- Brand impersonation: Netflix
- Brand impersonation: Okta
- Brand impersonation: OpenAI with payment issues
- Brand Impersonation: PayPal
- Brand impersonation: PNC
- Brand Impersonation: Procore
- Brand impersonation: Quickbooks
- Brand impersonation: QuickBooks dispute notification
- Brand impersonation: Ripple
- Brand impersonation: Robert Half
- Brand impersonation: Robinhood
- Brand impersonation: SendGrid
- Brand Impersonation: ShareFile
- Brand impersonation: Sharepoint fake file share
- Brand Impersonation: Shein
- Brand impersonation: Silicon Valley Bank
- Brand impersonation: SiriusXM
- Brand impersonation: Social Security Administration
- Brand impersonation: Spotify
- Brand impersonation: Square
- Brand impersonation: Squarespace
- Brand impersonation: State Farm
- Brand impersonation: Stellar Development Foundation (SDF)
- Brand Impersonation: Stripe
- Brand impersonation: Stripe notification
- Brand impersonation: Sublime Security
- Brand impersonation: TikTok
- Brand impersonation: Toronto-Dominion Bank
- Brand impersonation: Trust Wallet
- Brand impersonation: TurboTax
- Brand impersonation: Twitter
- Brand impersonation: UK government Home Office
- Brand impersonation: ukr[.]net
- Brand impersonation: United Healthcare
- Brand impersonation: UPS
- Brand impersonation: USPS
- Brand impersonation: Vanguard
- Brand impersonation: Vanta
- Brand impersonation: Venmo
- Brand impersonation: Wells Fargo
- Brand impersonation: WeTransfer
- Brand impersonation: Wise
- Brand impersonation: Wix
- Brand impersonation: Zoom (strict)
- Business Email Compromise (BEC) attempt from unsolicited sender
- Business Email Compromise (BEC) with request for mobile number
- Business Email Compromise: Request for mobile number via reply thread hijacking
- Callback Phishing via Zoom comment
- Cloud storage impersonation with credential theft indicators
- Commonly abused sender TLD with engaging language
- Credential phishing content and link (untrusted sender)
- Credential phishing: DocuSign embedded image lure with no DocuSign domains in links
- Credential phishing: Email delivery failure impersonation
- Credential phishing: Engaging language and other indicators (untrusted sender)
- Credential phishing: Fake storage alerts (unsolicited)
- Credential phishing: Hyper-linked image leading to free file host
- Credential phishing: Onedrive impersonation
- Credential phishing: Suspicious e-sign agreement document notification
- Cyrillic vowel substitution in subject or display name from unknown sender
- Cyrillic vowel substitutions with suspicious subject from unknown sender
- Display name and subject impersonation using recipient SLD (new sender)
- Display Name Emoji with Financial Symbols
- Display name impersonation using recipient SLD
- DocuSign impersonation via CloudHQ links
- DocuSign impersonation via spoofed Intuit sender
- Employee impersonation with urgent request (untrusted sender)
- Employee impersonation: Payroll fraud
- Fake message thread with a suspicious link and engaging language from an unknown sender
- Fake request for tax preparation
- Fake thread with suspicious indicators
- Fake voicemail notification (untrusted sender)
- Fraudulent order confirmation/shipping notification from Chinese sender domain
- Google presentation open redirect phishing
- Google share notification with suspicious comments
- Headers: System account impersonation with empty sender address
- HTML smuggling containing recipient email address
- Impersonation using recipient domain (untrusted sender)
- Impersonation: Chrome Web Store policy
- Impersonation: Employee using fabricated identity in initial contact
- Impersonation: Human Resources with link or attachment and engaging language
- Impersonation: Internal corporate services
- Impersonation: Legal firm with copyright infringement notice
- Impersonation: Recipient organization in sender display name with credential theft image
- Impersonation: Salesforce fake campaign failure notification
- Link to Google Apps Script macro via comment tagging
- Link: Adobe share from unsolicited sender
- Link: Adobe share with suspicious indicators
- Link: HR impersonation with suspicious domain indicators and credential theft
- Link: Job recruitment lure from unsolicited sender with suspicious hosting
- Link: Microsoft impersonation using hosted png with suspicious link
- Link: Multistage landing - Abused Google Drive
- Link: Uncommon SharePoint document type with sender's display name
- QR Code with suspicious indicators
- Reconnaissance: Short generic greeting message
- Self-sender with copy/paste instructions and suspicious domains (French/Français)
- Sender name contains Active Directory distinguished name
- Service abuse: AppSheet infrastructure with suspicious indicators
- Service abuse: DocuSign notification with suspicious sender or document name
- Service Abuse: ExactTarget with suspicious sender indicators
- Service abuse: File sharing impersonation with external SharePoint links
- Service abuse: GitHub notification with excessive mentions and suspicious links
- Service Abuse: GoDaddy infrastructure
- Service Abuse: HelloSign share with suspicious sender or document name
- Service abuse: SendGrid impersonation via Sendgrid from new sender
- Service abuse: Substack credential theft with confusable characters and branded button redirects
- Service abuse: Suspicious Zoom Docs link
- Sharepoint online with external recipients and external display name
- Spam: Attendee list solicitation
- Spam: Commonly observed formatting of unauthorized free giveaways
- Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
- Spam: Fake photo share
- Spoofable internal domain with suspicious signals
- Subject and sender display name contains matching long alphanumeric string
- Suspected cross-site scripting (XSS) found in subject
- Suspicious attachment with unscannable Cloudflare link
- Suspicious display name: Gmail sender with engaging language
- Suspicious message with unscannable Cloudflare link
- Suspicious message with unscannable Vercel link
- Suspicious request for financial information
- Suspicious sender display name with long procedurally generated text blob
- Suspicious subject with long procedurally generated text blob
- Vendor impersonation: Thread hijacking with typosquat domain
- VIP / Executive impersonation (strict match, untrusted)
- VIP / Executive impersonation in subject (untrusted)
- VIP Impersonation via Google Group relay with suspicious indicators
- VIP impersonation with BEC language (near match, untrusted sender)
- VIP impersonation with invoicing request
- VIP impersonation with urgent request (strict match, untrusted sender)
- VIP impersonation with w2 request with reply-to mismatch
- VIP local_part impersonation from unsolicited sender
- X (Twitter) impersonation with credential phishing motives
- Xero infrastructure abuse
- Xero invoice abuse