Sublime-Message-sender Event ID 7000024
Sublime MQL (724)
- Abuse: Robinhood injected content
- Advance Fee Fraud (AFF) from freemail provider or suspicious TLD
- AnonymousFox indicators
- Attachment: Adobe image lure in body or attachment with suspicious link
- Attachment: Any .sap file (unsolicited)
- Attachment: Any HTML file (unsolicited)
- Attachment: Any HTML file (untrusted sender)
- Attachment: Calendar invite with suspicious link leading to an open redirect
- Attachment: Callback phishing solicitation via image file
- Attachment: Callback phishing solicitation via pdf file
- Attachment: Callback phishing solicitation via text-based file
- Attachment: Compensation review lure with QR code
- Attachment: Compensation-themed DOCX with QR code credential theft
- Attachment: DocuSign impersonation via PDF linking to new domain
- Attachment: EML containing a base64 encoded script
- Attachment: EML file contains HTML attachment with login portal indicators
- Attachment: EML file with HTML attachment (unsolicited)
- Attachment: EML with link to credential phishing page
- Attachment: EML with Sharepoint link likely unrelated to sender
- Attachment: EML with suspicious indicators
- Attachment: Encrypted PDF with credential theft body
- Attachment: Fake attachment image lure
- Attachment: Fake scan-to-email
- Attachment: Fake secure message and suspicious indicators
- Attachment: Fake voicemail via PDF
- Attachment: HTML attachment with login portal indicators
- Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts
- Attachment: HTML smuggling - QR Code with suspicious links
- Attachment: HTML smuggling Microsoft sign in
- Attachment: HTML smuggling with atob and high entropy
- Attachment: HTML smuggling with atob and high entropy via calendar invite
- Attachment: HTML smuggling with decimal encoding
- Attachment: HTML with emoji-to-character map
- Attachment: HTML with hidden body
- Attachment: HTML with JavaScript functions for HTTP requests
- Attachment: ICS calendar with embedded file from internal sender with SPF failure
- Attachment: Invoice and W-9 PDFs with suspicious creators
- Attachment: Microsoft 365 credential phishing
- Attachment: Microsoft impersonation via PDF with link and suspicious language
- Attachment: PDF bid/proposal lure with credential theft indicators
- Attachment: PDF file with link to fake Bitcoin exchange
- Attachment: PDF proposal with credential theft indicators
- Attachment: PDF with credential theft language and invalid reply-to domain
- Attachment: PDF with Microsoft Purview message impersonation
- Attachment: PDF with personal Microsoft OneNote URL
- Attachment: PDF with self-service platform links with self sender or blank recipients
- Attachment: PDF with suspicious HeadlessChrome metadata
- Attachment: QR code with credential phishing indicators
- Attachment: QR code with userinfo portion
- Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender
- Attachment: RFP/RFQ impersonating government entities
- Attachment: Self-sender PDF with minimal content and view prompt
- Attachment: Suspicious employee policy update document lure
- Attachment: USDA bid invitation impersonation
- Attachment: Zip exploiting CVE-2023-38831 (unsolicited)
- BEC with unusual reply-to or return-path mismatch
- BEC/Fraud: Fake investment outreach from suspicious TLD
- BEC/Fraud: Generic scam attempt to undisclosed recipients
- BEC/Fraud: Job scam fake thread or plaintext pivot to freemail
- BEC/Fraud: Penpal scam
- BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply
- BEC/Fraud: Romance scam
- BEC/Fraud: Scam lure with freemail pivot
- BEC/Fraud: Student loan callback phishing
- BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
- Benefits enrollment impersonation
- Body HTML: Recipient SLD in HTML class
- Body: Embedded email headers indicative of thread hijacking/abuse
- Body: HTML whitespace stuffing with short initial message
- Brand impersonation: AARP
- Brand impersonation: Adobe (QR code)
- Brand impersonation: Adobe Sign with suspicious indicators
- Brand impersonation: Adobe with suspicious language and link
- Brand impersonation: ADP
- Brand impersonation: AliExpress
- Brand impersonation: Amazon
- Brand impersonation: Amazon Web Services (AWS)
- Brand impersonation: Amazon with suspicious attachment
- Brand impersonation: American Express (AMEX)
- Brand impersonation: Apple
- Brand impersonation: Aquent
- Brand impersonation: Aramco
- Brand impersonation: AuthentiSign
- Brand impersonation: Automobile assistance associations
- Brand impersonation: Bank of America
- Brand impersonation: Barracuda Networks
- Brand impersonation: Binance
- Brand impersonation: Blockchain.com
- Brand impersonation: Booking.com
- Brand impersonation: Box file sharing service
- Brand impersonation: Canada Revenue Agency
- Brand impersonation: Capital One
- Brand impersonation: Charles Schwab
- Brand impersonation: Chase Bank
- Brand impersonation: Chase bank with credential phishing indicators
- Brand impersonation: Cloud services with credential theft intent
- Brand impersonation: Coinbase
- Brand impersonation: Coinbase with suspicious links
- Brand impersonation: Dashlane
- Brand impersonation: DHL
- Brand impersonation: DigitalOcean
- Brand impersonation: Discord notification
- Brand Impersonation: Disney
- Brand impersonation: DocSend
- Brand impersonation: DocuSign
- Brand impersonation: DocuSign (QR code)
- Brand impersonation: DocuSign with embedded QR code
- Brand impersonation: DoorDash
- Brand impersonation: Dotloop
- Brand impersonation: Dropbox
- Brand impersonation: Enbridge
- Brand impersonation: Evite
- Brand impersonation: Exodus
- Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains
- Brand impersonation: Fake Fax
- Brand impersonation: Fastway
- Brand impersonation: FedEx
- Brand impersonation: Figma with malicious document access overlay
- Brand impersonation: File sharing notification with template artifacts
- Brand impersonation: FINRA
- Brand Impersonation: Gemini Trust Company
- Brand impersonation: Github
- Brand impersonation: GitHub with callback scam indicators
- Brand impersonation: GoDaddy
- Brand Impersonation: Google (QR Code)
- Brand impersonation: Google Careers
- Brand impersonation: Google Drive fake file share
- Brand impersonation: Google fake sign-in warning
- Brand impersonation: Google using Microsoft Forms
- Brand impersonation: Google Workspace alert notification
- Brand impersonation: Greenvelope
- Brand impersonation: Gusto
- Brand impersonation: Hulu
- Brand impersonation: Interac
- Brand impersonation: Internal Revenue Service
- Brand impersonation: KnowBe4
- Brand impersonation: LastPass
- Brand impersonation: Ledger
- Brand impersonation: LinkedIn
- Brand impersonation: Mailchimp
- Brand impersonation: Mailgun
- Brand impersonation: Marriott with gift language
- Brand impersonation: McAfee
- Brand impersonation: Meta and subsidiaries
- Brand impersonation: MetaMask
- Brand impersonation: Microsoft
- Brand impersonation: Microsoft (QR code)
- Brand impersonation: Microsoft fake sign-in alert
- Brand impersonation: Microsoft logo in HTML with fake quarantine release notification
- Brand impersonation: Microsoft logo or suspicious language with open redirect
- Brand impersonation: Microsoft Planner with suspicious link
- Brand impersonation: Microsoft quarantine release notification in body
- Brand impersonation: Microsoft quarantine release notification in image attachment
- Brand impersonation: Microsoft Teams
- Brand impersonation: Microsoft Teams invitation
- Brand impersonation: Microsoft with embedded logo and credential theft language
- Brand impersonation: Microsoft with low reputation links
- Brand impersonation: Morgan Stanley
- Brand impersonation: Navan
- Brand impersonation: Netflix
- Brand impersonation: Norton
- Brand impersonation: Office 365 mail service
- Brand impersonation: Okta
- Brand impersonation: OpenAI with payment issues
- Brand impersonation: Outlook
- Brand impersonation: Paperless Post
- Brand Impersonation: PayPal
- Brand impersonation: PNC
- Brand Impersonation: Procore
- Brand impersonation: Proofpoint secure messaging without legitimate indicators
- Brand impersonation: Punchbowl
- Brand impersonation: Purdue ePlanroom with suspicious links
- Brand impersonation: Quickbooks
- Brand impersonation: QuickBooks dispute notification
- Brand impersonation: QuickBooks notification from Intuit themed company name
- Brand impersonation: Ripple
- Brand impersonation: Robert Half
- Brand impersonation: Robinhood
- Brand impersonation: SendGrid
- Brand Impersonation: ShareFile
- Brand impersonation: Sharepoint
- Brand impersonation: Sharepoint fake file share
- Brand impersonation: SharePoint PDF attachment with credential theft language
- Brand Impersonation: Shein
- Brand impersonation: Silicon Valley Bank
- Brand impersonation: SiriusXM
- Brand impersonation: Social Security Administration
- Brand impersonation: Spotify
- Brand impersonation: Square
- Brand impersonation: Squarespace
- Brand impersonation: State Farm
- Brand impersonation: Stellar Development Foundation (SDF)
- Brand Impersonation: Stripe
- Brand impersonation: Stripe notification
- Brand impersonation: Sublime Security
- Brand impersonation: Survey request with credential theft indicators
- Brand impersonation: TikTok
- Brand impersonation: Toronto-Dominion Bank
- Brand impersonation: Trust Wallet
- Brand impersonation: TurboTax
- Brand impersonation: Twitter
- Brand impersonation: UK government Home Office
- Brand impersonation: ukr[.]net
- Brand impersonation: United Healthcare
- Brand impersonation: UPS
- Brand impersonation: USPS
- Brand impersonation: Vanguard
- Brand impersonation: Vanta
- Brand impersonation: Venmo
- Brand impersonation: Wells Fargo
- Brand impersonation: WeTransfer
- Brand impersonation: Wise
- Brand impersonation: Wix
- Brand impersonation: Xodo Sign
- Brand impersonation: Zoom
- Brand impersonation: Zoom (strict)
- Brand impersonation: Zoom via lookalike domain
- Brand impersonation: Zoom with deceptive link display
- Brand spoof: Dropbox
- Business Email Compromise (BEC) attempt from unsolicited sender
- Business Email Compromise (BEC) attempt from untrusted sender
- Business Email Compromise (BEC) attempt from untrusted sender (French/Français)
- Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)
- Business Email Compromise: Request for mobile number via reply thread hijacking
- Callback phishing in body or attachment (untrusted sender)
- Callback phishing solicitation in message body
- Callback phishing via Adobe Sign comment
- Callback phishing via Apple ID display name abuse
- Callback phishing via calendar invite
- Callback phishing via DocuSign comment
- Callback phishing via extensionless rfc822 attachment
- Callback phishing via Google Group abuse
- Callback phishing via Intuit service abuse
- Callback phishing via Microsoft comment
- Callback Phishing via Signable E-Signature Request
- Callback phishing via SignFree e-signature request
- Callback phishing via Xodo Sign comment
- Callback phishing via Yammer comment
- Callback phishing via Zelle Service Abuse
- Callback phishing via Zoho service abuse
- Callback Phishing via Zoom comment
- Callback phishing: AOL senders with suspicious HTML template or PDF attachment
- Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old
- Callback phishing: Social Security Administration fraud
- Callback phishing: SumUp infrastructure abuse
- Callback scam: Impersonation via TimeTrade infrastructure
- Canva infrastructure abuse
- Catbox.moe link from untrusted source
- ClickFunnels link infrastructure abuse
- Cloud storage impersonation with credential theft indicators
- Commonly abused sender TLD with engaging language
- Compensation review with QR code in attached EML
- Constant Contact link infrastructure abuse
- COVID-19 themed fraud with sender and reply-to mismatch or compensation award
- Credential phishing content and link (untrusted sender)
- Credential phishing language and suspicious indicators (unknown sender)
- Credential phishing link (unknown sender)
- Credential Phishing via Dropbox comment abuse
- Credential phishing: 'Secure message' and engaging language
- Credential phishing: AWS Lambda URL with recipient targeting
- Credential phishing: Blue button styled link with file-sharing template artifacts
- Credential phishing: DocuSign embedded image lure with no DocuSign domains in links
- Credential phishing: Email delivery failure impersonation
- Credential phishing: Engaging language and other indicators (untrusted sender)
- Credential phishing: Fake card notification with tracking lure
- Credential phishing: Fake password expiration from new and unsolicited sender
- Credential phishing: Fake storage alerts (unsolicited)
- Credential phishing: Financial lure via ActiveCampaign infrastructure
- Credential phishing: Generic document share template
- Credential phishing: Generic document sharing
- Credential phishing: Hyper-linked image leading to free file host
- Credential phishing: Image as content, short or no body contents
- Credential phishing: Onedrive impersonation
- Credential phishing: Re-Authentication lure
- Credential phishing: Suspicious e-sign agreement document notification
- Credential phishing: Suspicious subject with urgent financial request and link
- Credential phishing: Tax form impersonation with payment request
- Cyrillic vowel substitution in subject or display name from unknown sender
- Deceptive Dropbox mention
- Display name and subject impersonation using recipient SLD (new sender)
- Display Name Emoji with Financial Symbols
- Display name impersonation using recipient SLD
- Disposable sender email (unsolicited)
- DLP: Argentina DNI Number
- DLP: Australia Passport Number
- DLP: Austria Identity Card
- DLP: Brazil CPF Number
- DLP: Brazil RG Number
- DLP: Canada Credit Card Number
- DLP: Canada Passport Number
- DLP: Chile Identity Card Number
- DLP: Colombia Citizenship Card Number
- DLP: Cyprus Identity Card
- DLP: EU Debit Card Number
- DLP: France Credit Card Number
- DLP: France Debit Card Number
- DLP: France Driver's License Number
- DLP: France National ID Card (CNI)
- DLP: France Passport Number
- DLP: France Tax Identification Number (SPI)
- DLP: Germany Passport Number
- DLP: Greece National ID Card
- DLP: India Passport Number
- DLP: Israel Bank Account Number
- DLP: Israel Credit Card Number
- DLP: Japan Bank Account Number
- DLP: Japan Credit Card Number
- DLP: Japan Passport Number
- DLP: Luxembourg National ID (Natural Persons)
- DLP: Luxembourg National ID (Non-Natural Persons)
- DLP: Malta Identity Card Number
- DLP: Malta Tax ID Number
- DLP: Mexico Passport Number
- DLP: Netherlands Tax Identification Number
- DLP: Slovenia Tax Identification Number
- DLP: Spain Passport Number
- DLP: Sweden Tax Identification Number
- DLP: Taiwan ID Number
- DLP: Turkey ID Number
- DLP: UK Passport Number
- DLP: US Passport Number
- DocuSign impersonation via CloudHQ links
- DocuSign impersonation via spoofed Intuit sender
- Domain impersonation: Freemail reply-to local lookalike with financial request
- EML attachment with credential theft language (unknown sender)
- Employee impersonation with urgent request (untrusted sender)
- Employee impersonation: Payroll fraud
- Encrypted Microsoft Office files from untrusted sender
- Extortion / sextortion (untrusted sender)
- Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender
- Extortion / sextortion in attachment from untrusted sender
- Fake email quarantine notification
- Fake message thread - Untrusted sender with a mismatched freemail reply-to address
- Fake message thread with a suspicious link and engaging language from an unknown sender
- Fake request for tax preparation
- Fake scan-to-email message
- Fake shipping notification with link to free file hosting
- Fake thread with suspicious indicators
- Fake voicemail notification (untrusted sender)
- Fake Zoom meeting invite with suspicious link
- File sharing link from suspicious sender domain
- File sharing link with a suspicious subject
- Fraudulent e-commerce operators
- Fraudulent order confirmation/shipping notification from Chinese sender domain
- Free email provider sender with mismatched provider reply-to
- Free subdomain link with credential theft indicators
- Free subdomain link with login or captcha (untrusted sender)
- Generic service abuse from newly registered domain
- Google Drive abuse: Credential phishing link
- Google Drive direct download link from unsolicited sender
- Google Notification alert link from non-Google sender
- Google presentation open redirect phishing
- Google services using g.co shortlinks
- Google share notification with suspicious comments
- Hardbacon infrastructure abuse
- Headers: Fake in-reply-to with wildcard sender and missing thread context
- Headers: Invalid recipient domain with mismatched reply-to from new sender
- Headers: Self-sender using Microsoft CompAuth bypass with credential theft content
- Headers: System account impersonation with empty sender address
- Headers: X-Source-Auth mismatch with mismatched reply-to domain
- Honorific greeting BEC attempt with sender and reply-to mismatch
- HR impersonation via e-sign agreement comment
- HTML smuggling containing recipient email address
- Image as content with a link to an open redirect
- Impersonation using recipient domain (untrusted sender)
- Impersonation: Chrome Web Store policy
- Impersonation: Employee using fabricated identity in initial contact
- Impersonation: Executive using numbered local part
- Impersonation: Fake Gmail attachment
- Impersonation: Fake product discount promotion
- Impersonation: Human Resources with link or attachment and engaging language
- Impersonation: Internal corporate services
- Impersonation: Legal firm with copyright infringement notice
- Impersonation: Salesforce fake campaign failure notification
- Impersonation: SharePoint reply header anomaly
- Impersonation: Suspected supplier impersonation with suspicious content
- Inbound message from popular service via newly observed distribution list
- Investor solicitation with organization targeting
- Invoicera infrastructure abuse
- Job scam (unsolicited sender)
- Job scam with specific salary pattern
- Link abuse: Self-service creation platform link with suspicious recipient behavior
- Link to auto-downloaded DMG in archive
- Link to auto-downloaded DMG in encrypted zip
- Link: .onion From Unsolicited Sender
- Link: Adobe share from unsolicited sender
- Link: Adobe share with suspicious indicators
- Link: Apple App Store malicious ad manager themed apps from free email provider
- Link: Apple TestFlight from suspicious sender
- Link: BEC with newly registered domains and financial keywords
- Link: Common hidden directory observed
- Link: Credential harvesting with excess padding evasion
- Link: Credential phishing link with undisclosed recipients
- Link: Credential phishing traversing Russian infrastructure
- Link: Credential phishing via WordPress
- Link: Cryptocurrency fraud with suspicious links
- Link: Direct download of executable file
- Link: Direct link to limewire hosted file
- Link: Direct link to riddle.com hosted showcase
- Link: Direct link to Zoom Docs from non-Zoom sender
- Link: Direct MSI download from low reputation domain
- Link: Direct POWR.io Form Builder with suspicious patterns
- Link: Display text matches subject line
- Link: Executable file download with suspicious message content
- Link: File sharing impersonation with suspicious language and sending patterns
- Link: Financial account issue with suspicious indicators
- Link: Flagged bit.ly link
- Link: Free file hosting with undisclosed recipients
- Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender
- Link: GoPhish query param values
- Link: Hotel booking spoofed display URL
- Link: Intuit link abuse with file share context
- Link: Invoice or receipt from freemail sender with customer service number
- Link: IPFS
- Link: Jensi file preview link from unsolicited sender
- Link: Job recruitment lure from unsolicited sender with suspicious hosting
- Link: Mamba 2FA phishing kit
- Link: Microsoft Dynamics 365 form phishing
- Link: Microsoft impersonation using hosted png with suspicious link
- Link: Microsoft protected message with matching sender and recipient addresses
- Link: Multiple HTTP protocols in single URL
- Link: Multistage landing - Abused Adobe Acrobat hosted PDF
- Link: Multistage landing - Abused Adobe frame.io
- Link: Multistage landing - Abused Docusign
- Link: Multistage landing - Abused Google Drive
- Link: Multistage landing - FreshDesk knowledge base abuse
- Link: Multistage landing - Ludus presentation
- Link: Multistage landing - Microsoft Forms abuse
- Link: Multistage landing - Published Google Doc
- Link: Multistage landing - Scribd document
- Link: MyActiveCampaign Link Abuse
- Link: Non-standard port 8443 in display URL
- Link: Observed URL pattern with specific domain registrar
- Link: PDF filename impersonation with credential theft language
- Link: Personalized URL with recipient address on commonly abused web service
- Link: QR code with phishing disposition in img or pdf
- Link: QR Code with suspicious language (untrusted sender)
- Link: QuickBooks image lure with suspicious link
- Link: Recipient domain in URL path
- Link: Referrer anonymization service from untrusted sender
- Link: Romance/Sexual Language With Suspicious Link
- Link: ScreenConnect installer with suspicious relay domain
- Link: Secure SharePoint file share from new or unusual sender
- Link: Self-sender credential theft with configuration placeholder
- Link: Self-sender with sender org in subject and credential theft indicator
- Link: Self-sent message with quarterly document review request
- Link: Self-sent PDF lure with subject correlation
- Link: SharePoint filename matches org name
- Link: SharePoint OneNote or PDF link with self sender behavior
- Link: Single character path with credential theft body and self sender behavior or invalid recipient
- Link: Spam website with evasion indicators
- Link: Suspicious SharePoint document name
- Link: Suspicious Sharepoint folder share
- Link: Tax document lure Portuguese/Spanish with suspicious domains
- Link: URL shortener with copy-paste instructions and credential theft language
- Link: Webflow link from unsolicited sender
- Link: Zoho form link from unsolicited sender
- Lookalike sender domain (untrusted sender)
- macOS malware: Compiled AppleScript with document double-extension
- Malware: Pikabot delivery via URL auto-download
- Mass campaign: Cross Site Scripting (XSS) attempt
- Mass campaign: recipient address in subject, body, and link (untrusted sender)
- Microsoft device code phishing
- Microsoft infrastructure abuse with suspicious patterns
- New sender domain (<=10d) from untrusted sender
- Newly registered sender or reply-to domain with newly registered linked domain
- Notion suspicious file share
- Observed IOC: Malicious sender domains
- Observed IOC: Malicious sender email addresses
- Observed IOC: Malicious sender root domains
- Open redirect: adnxs.com
- Open redirect: agena-smile.com
- Open redirect: amaterasu-for-website-5.com
- Open redirect: api.spently.com
- Open redirect: Artisteer
- Open redirect: artkaderne
- Open Redirect: asemailmgmteu.com
- Open redirect: astroarts.co.jp
- Open redirect: Avast
- Open redirect: bananaguide.com
- Open redirect: bangkoksync.com
- Open redirect: bestdeals.today
- Open redirect: Bitrix24 URL Path
- Open redirect: BMW USA
- Open redirect: bubblelife.com
- Open redirect: buildingengines.com
- Open redirect: business.google.com website_shared URL Param
- Open redirect: chkc.com.hk
- Open redirect: City of Calgary
- Open redirect: Club-OS
- Open redirect: convertcart.com
- Open redirect: Dell
- Open redirect: designsori.com
- Open redirect: documentmailbox.com
- Open redirect: eaoko.org
- Open redirect: easycamp.com
- Open redirect: embluemail.com
- Open redirect: emlakarsa
- Open redirect: emp.eduyield.com
- Open redirect: eodcnetworkdirect.com
- Open redirect: events.csiro.au
- Open redirect: ExacTag
- Open redirect: fenc.com
- Open redirect: g7.fr
- Open redirect: giving.lluh.org
- Open redirect: Google Ad Services
- Open Redirect: Google domain with /url path and suspicious indicators
- Open redirect: ijf.org
- Open redirect: Indeed
- Open redirect: IndiaTimes
- Open redirect: isadatalab.com
- Open redirect: k-mil.net
- Open redirect: labcluster.com
- Open redirect: LearningApps
- Open redirect: Linkedin
- Open redirect: LinkedIn Redirect
- Open redirect: listing.ca
- Open redirect: magic4media.com
- Open redirect: magiccity.ne.jp
- Open redirect: magneticmarketing.com
- Open redirect: mail.spiceworks.com
- Open redirect: marketing.edinburghairport.com
- Open redirect: McGill University
- Open redirect: Medium
- Open redirect: mindmixer.com
- Open redirect: museepicassoparis.fr
- Open redirect: Newegg
- Open redirect: next2.io
- Open redirect: nowlifestyle.com
- Open redirect: obunsha.co.jp
- Open redirect: Panera Bread
- Open redirect: people.anuneo.com
- Open redirect: phoenixartstudio.net
- Open redirect: PIRL San Diego
- Open redirect: plasticsurgery.or.kr
- Open redirect: pmifunds.com
- Open redirect: predictiveresponse.net
- Open redirect: PremierBet
- Open redirect: qrxtech.com
- Open redirect: queue.swytchbike.com
- Open redirect: radiopublic.com
- Open redirect: retailrocket.net
- Open redirect: ringaraja.net
- Open redirect: Samsung
- Open redirect: sciencebuddies.org
- Open redirect: secondstreetapp.com
- Open redirect: shoppermeet.net
- Open redirect: shoppingwebapi.didatravel.com
- Open redirect: Signature Travel Network
- Open redirect: Slack
- Open redirect: slubnaglowie.pl
- Open redirect: smartadserver.com
- Open redirect: smore.com
- Open redirect: Snapchat
- Open redirect: social.bigpress.net
- Open redirect: ssg-financial.com
- Open redirect: stats.lib.pdx.edu
- Open redirect: storematch.jp
- Open redirect: Ticketmaster
- Open redirect: TikTok
- Open redirect: tkqlhce.com
- Open redirect: tuttocauzioni.it
- Open redirect: typedrawers.com
- Open redirect: unitedwaynwvt.org
- Open redirect: ust.hk
- Open redirect: vconfex.com
- Open redirect: VK
- Open redirect: weblinkconnect.com
- Open redirect: whitefox.pl
- Open redirect: Xfinity CMP Redirection to Google AMP
- Open redirect: xfinity.com
- Open redirect: YouTube
- PayPal invoice abuse
- Potential prompt injection attack in body HTML
- Punycode sender domain
- QR code to auto-download of a suspicious file type (unsolicited)
- QR Code with suspicious indicators
- Reconnaissance: All recipients cc/bcc'd or undisclosed
- Reconnaissance: Email address harvesting attempt
- Reconnaissance: Empty subject with mismatched reply-to from new sender
- Reconnaissance: Hotel booking reply-to redirect
- Reconnaissance: Large unknown recipient list
- Reconnaissance: Short generic greeting message
- Recruitee Infrastructure Abuse
- Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
- Russia return-path TLD (untrusted sender)
- Salesforce infrastructure abuse
- Scam soliciting employer review/rating
- Scam: Fake estate sale offering welding equipment and tools
- Scam: Piano giveaway
- Self-sender with copy/paste instructions and suspicious domains (French/Français)
- Self-sent fake PDF attachment with misleading link
- Sender name contains Active Directory distinguished name
- Sender: IP address in local part
- Sendgrid onmicrosoft.com domain phishing
- Service abuse: Adobe Creative Cloud share from an unsolicited sender address
- Service abuse: Adobe Sign notification from an unsolicited reply-to address
- Service abuse: Amazon invitation with suspected callback phishing
- Service abuse: Apple TestFlight with suspicious developer reference
- Service abuse: AppSheet infrastructure with suspicious indicators
- Service abuse: AWS SNS callback scam impersonation
- Service abuse: Behance document sharing with suspicious language
- Service Abuse: Box file sharing with credential phishing intent
- Service abuse: Calendly callback scam detection
- Service abuse: Callback phishing via Microsoft Teams invite
- Service abuse: Cisco secure email service with financial request
- Service abuse: Demio notifications with suspicious content patterns
- Service abuse: DocSend share from an unsolicited reply-to address
- Service abuse: DocSend share from newly registered domain
- Service abuse: DocuSign notification with suspicious sender or document name
- Service abuse: DocuSign share from an unsolicited reply-to address
- Service abuse: Domains By Proxy sender
- Service abuse: Dropbox share from an unsolicited reply-to address
- Service abuse: Dropbox share from new domain
- Service abuse: Dropbox share with suspicious sender or document name
- Service abuse: Elastic alerts extortion
- Service Abuse: ExactTarget with suspicious sender indicators
- Service abuse: Facebook business with action required subject
- Service abuse: Free provider with SendGrid routing
- Service abuse: GetAccept callback scam content
- Service abuse: GitHub notification with excessive mentions and suspicious links
- Service Abuse: GoDaddy infrastructure
- Service abuse: Google account notification with links to free file host
- Service abuse: Google application integration redirecting to suspicious hosts
- Service abuse: Google Calendar notification with callback scam language
- Service abuse: Google classroom solicitation
- Service abuse: Google Drive share from an unsolicited reply-to address
- Service abuse: Google Drive share from new reply-to domain
- Service abuse: Google Firebase sender address with suspicious content
- Service abuse: Google Groups callback scam
- Service abuse: HelloSign from an unsolicited sender address
- Service Abuse: HelloSign share with suspicious sender or document name
- Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail
- Service abuse: IBM IAM account notification with callback scam indicators
- Service abuse: Meetup.com redirect with brand impersonation
- Service abuse: Microsoft Power Apps callback scam
- Service abuse: Microsoft Power Automate callback scam impersonation
- Service abuse: Microsoft Power BI callback scam
- Service abuse: Microsoft with suspicious indicators in subject
- Service abuse: Monday.com callback scam
- Service abuse: Monday.com infrastructure with phishing intent
- Service abuse: MongoDB Atlas callback scam
- Service Abuse: Nifty.com with impersonation
- Service abuse: Payoneer callback scam
- Service abuse: PayPal manager account creation with callback scam indicators
- Service abuse: QuickBooks notification from new domain
- Service abuse: QuickBooks notification with suspicious comments
- Service abuse: Recruiting with suspicious language patterns from legitimate platforms
- Service abuse: Roomsy with unrelated body content
- Service abuse: SendGrid impersonation via Sendgrid from new sender
- Service abuse: SendThisFile with credential theft and financial language
- Service abuse: Square marketing with suspicious QR code
- Service abuse: Substack credential theft with confusable characters and branded button redirects
- Service abuse: SurveyMonkey survey from newly registered domain
- Service abuse: Suspicious Datadog alert
- Service abuse: Suspicious Zoom Docs link
- Service abuse: Task management message sent via SendGrid
- Service abuse: Trello board invitation with VIP impersonation
- Service abuse: Vimeo with external plain-text links in message
- Service abuse: WeTransfer callback scam
- Service Abuse: Zoom with freemail reply-to and recipient address in greeting
- Service abuse: Zoom with newly registered reply-to domain
- Sharepoint link likely unrelated to sender
- Sharepoint online with external recipients and external display name
- SharePoint OTP for filename matching org name
- Spam/fraud: Predatory journal/research paper request
- Spam: Attendee list solicitation
- Spam: BlackBaud infrastructure abuse
- Spam: Campaign with excessive space/char obfuscation and free file hosted link
- Spam: Cryptocurrency airdrop/giveaway
- Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
- Spam: Fake dating profile notification
- Spam: Fake photo share
- Spam: Firebase password reset from suspicious sender
- Spam: Ghostwriting services scam with manipulative language
- Spam: Item giveaway spam template
- Spam: Link to blob.core.windows.net from new domain (<30d)
- Spam: Mastercard promotional content with image-based body
- Spam: New link domain (<=10d) and emojis
- Spam: Sexually explicit content with emoji in subject from freemail provider
- Spam: Sexually explicit Google Drive share
- Spam: Sexually explicit Google group invitation
- Spam: Sexually explicit Looker Studio report
- Spam: Single recipient duplicated in cc
- Spam: URL shortener with short body content and emojis
- Spoofable internal domain with suspicious signals
- Stripe invoice abuse
- Suspected cross-site scripting (XSS) found in subject
- Suspected lookalike domain with suspicious language
- Suspected WordPress abuse with cross-site scripting (XSS) indicators
- Suspicious attachment with unscannable Cloudflare link
- Suspicious display name: Gmail sender with engaging language
- Suspicious DocuSign share from new domain
- Suspicious invoice reference with missing or image-only attachments
- Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender
- Suspicious Links to Cloudflare R2 and Edge Services
- Suspicious message with unscannable Cloudflare link
- Suspicious message with unscannable Vercel link
- Suspicious newly registered reply-to domain with engaging financial or urgent language
- Suspicious recipient pattern and language with low reputation link to login
- Suspicious recipients pattern with no Compauth pass and suspicious content
- Suspicious request for financial information
- Suspicious sender display name with long procedurally generated text blob
- Suspicious SharePoint file sharing
- Suspicious subject with long procedurally generated text blob
- Tax Form: W-8BEN solicitation
- Truth Social infrastructure abuse via link redirect
- Twitter infrastructure abuse via link shortener
- Unusually long local part from untrusted sender address
- Vendor compromise: GovDelivery message with suspicious link
- Vendor impersonation: Thread hijacking with typosquat domain
- Venmo payment request abuse
- VIP / Executive impersonation (strict match, untrusted)
- VIP / Executive impersonation in subject (untrusted)
- VIP Impersonation via Google Group relay with suspicious indicators
- VIP impersonation with BEC language (near match, untrusted sender)
- VIP impersonation with invoicing request
- VIP impersonation with urgent request (strict match, untrusted sender)
- VIP impersonation with w2 request with reply-to mismatch
- VIP local_part impersonation from unsolicited sender
- X (Twitter) impersonation with credential phishing motives
- Xero infrastructure abuse
- Xero invoice abuse
- Zoom Events newsletter abuse