Detection rules › By event

Sublime-Message-subject Event ID 7000025

378 detection rules reference this event. View event page.

Sublime MQL (378)

Advance Fee Fraud (AFF) from freemail provider or suspicious TLD severity medium
Attachment: Adobe image lure in body or attachment with suspicious link severity medium
Attachment: Calendar file with invisible Unicode characters severity high
Attachment: Callback phishing solicitation via image file severity high
Attachment: Callback phishing solicitation via pdf file severity high
Attachment: Callback phishing solicitation via text-based file severity medium
Attachment: Cold outreach with invitation subject and not attachment severity high
Attachment: Credit card application with WhatsApp contact severity medium
Attachment: EML file contains HTML attachment with login portal indicators severity high
Attachment: EML file with HTML attachment (unsolicited) severity medium
Attachment: EML with link to credential phishing page severity high
Attachment: Encrypted PDF with credential theft body severity medium
Attachment: Encrypted zip file with payment-related lure severity medium
Attachment: Fake attachment image lure severity medium
Attachment: Fake voicemail via PDF severity medium
Attachment: Legal themed message or PDF with suspicious indicators severity medium
Attachment: Microsoft 365 credential phishing severity high
Attachment: PDF bid/proposal lure with credential theft indicators severity medium
Attachment: PDF proposal with credential theft indicators severity high
Attachment: QR code link with base64-encoded recipient address severity high
Attachment: RFP/RFQ impersonating government entities severity high
Attachment: Suspicious employee policy update document lure severity medium
Attachment: USDA bid invitation impersonation severity medium
BEC/Fraud: Fake investment outreach from suspicious TLD severity medium
BEC/Fraud: Job scam fake thread or plaintext pivot to freemail severity medium
BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply severity medium
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns severity medium
BEC: Employee impersonation with subject manipulation severity high
Benefits enrollment impersonation severity high
Body: Embedded email headers indicative of thread hijacking/abuse severity medium
Body: PayApp transaction reference pattern severity medium
Brand impersonation: Adobe (QR code) severity high
Brand impersonation: Adobe with suspicious language and link severity high
Brand impersonation: Amazon severity low
Brand impersonation: Aramco severity medium
Brand impersonation: Automobile assistance associations severity high
Brand impersonation: Binance severity medium
Brand impersonation: Box file sharing service severity medium
Brand impersonation: Canada Revenue Agency severity medium
Brand impersonation: Capital One severity high
Brand impersonation: Chase Bank severity high
Brand impersonation: DHL severity low
Brand impersonation: Discord notification severity medium
Brand impersonation: DocuSign severity high
Brand impersonation: Enbridge severity medium
Brand impersonation: Evite severity medium
Brand impersonation: Fake Fax severity medium
Brand impersonation: Figma with malicious document access overlay severity high
Brand impersonation: File sharing notification with template artifacts severity low
Brand Impersonation: Gemini Trust Company severity medium
Brand impersonation: Github severity high
Brand impersonation: GitHub with callback scam indicators severity medium
Brand Impersonation: Google (QR Code) severity high
Brand impersonation: Google Drive fake file share severity medium
Brand impersonation: Google Workspace alert notification severity medium
Brand impersonation: Greenvelope severity medium
Brand impersonation: Interac severity medium
Brand impersonation: Internal Revenue Service severity high
Brand impersonation: Mailgun severity medium
Brand impersonation: Marriott with gift language severity medium
Brand impersonation: McAfee severity medium
Brand impersonation: Meta and subsidiaries severity medium
Brand impersonation: Microsoft severity high
Brand impersonation: Microsoft (QR code) severity high
Brand impersonation: Microsoft fake sign-in alert severity medium
Brand impersonation: Microsoft Teams invitation severity high
Brand impersonation: Microsoft with embedded logo and credential theft language severity high
Brand impersonation: Microsoft with low reputation links severity medium
Brand impersonation: Navan severity medium
Brand impersonation: Okta severity medium
Brand impersonation: OpenAI with payment issues severity high
Brand impersonation: Paperless Post severity high
Brand impersonation: PNC severity medium
Brand Impersonation: Procore severity medium
Brand impersonation: QuickBooks dispute notification severity high
Brand impersonation: Robinhood severity medium
Brand impersonation: SendGrid severity medium
Brand Impersonation: ShareFile severity medium
Brand impersonation: Sharepoint severity high
Brand impersonation: Sharepoint fake file share severity medium
Brand impersonation: SharePoint PDF attachment with credential theft language severity medium
Brand impersonation: Social Security Administration severity medium
Brand impersonation: Toronto-Dominion Bank severity medium
Brand impersonation: UK government Home Office severity high
Brand impersonation: ukr[.]net severity medium
Brand impersonation: UPS severity low
Brand impersonation: USPS severity high
Brand impersonation: Wells Fargo severity high
Brand impersonation: WeTransfer severity high
Brand impersonation: Zoom severity medium
Brand impersonation: Zoom via lookalike domain severity high
Brand impersonation: Zoom with deceptive link display severity medium
Business Email Compromise (BEC) attempt from untrusted sender severity medium
Business Email Compromise (BEC) attempt from untrusted sender (French/Français) severity medium
Business Email Compromise (BEC) with request for mobile number severity medium
Callback phishing via DocuSign comment severity high
Callback phishing via Google Meet severity medium
Callback phishing via Intuit service abuse severity medium
Callback phishing via Microsoft comment severity medium
Callback phishing via Yammer comment severity medium
Callback phishing via Zelle Service Abuse severity medium
Callback phishing via Zoho service abuse severity medium
Callback Phishing via Zoom comment severity medium
Callback scam: Impersonation via TimeTrade infrastructure severity medium
ClickFunnels link infrastructure abuse severity high
Cloud storage impersonation with credential theft indicators severity medium
Commonly abused sender TLD with engaging language severity medium
Compensation review with QR code in attached EML severity high
Constant Contact link infrastructure abuse severity high
COVID-19 themed fraud with sender and reply-to mismatch or compensation award severity medium
Credential phishing language and suspicious indicators (unknown sender) severity medium
Credential phishing link (unknown sender) severity high
Credential phishing: Blue button styled link with file-sharing template artifacts severity low
Credential phishing: Email delivery failure impersonation severity high
Credential phishing: Engaging language and other indicators (untrusted sender) severity medium
Credential phishing: Fake card notification with tracking lure severity medium
Credential phishing: Fake password expiration from new and unsolicited sender severity medium
Credential phishing: Fake storage alerts (unsolicited) severity medium
Credential phishing: Generic document sharing severity medium
Credential phishing: Onedrive impersonation severity high
Credential phishing: Re-Authentication lure severity high
Credential phishing: Suspicious e-sign agreement document notification severity medium
Credential Phishing: Suspicious language, link, recipients and other indicators severity medium
Credential phishing: Suspicious subject with urgent financial request and link severity medium
Credential phishing: Tax form impersonation with payment request severity medium
Cyrillic vowel substitution in subject or display name from unknown sender severity medium
Cyrillic vowel substitutions with suspicious subject from unknown sender severity medium
Display name and subject impersonation using recipient SLD (new sender) severity medium
Display Name Emoji with Financial Symbols severity low
DLP: Argentina DNI Number severity high
DLP: Australia Bank Account Number severity medium
DLP: Australia Driver's License Number severity medium
DLP: Australia Medical Account Number severity high
DLP: Australia Passport Number severity high
DLP: Australia SWIFT Code severity medium
DLP: Australia Tax File Number severity medium
DLP: Austria Identity Card severity high
DLP: Austria Social Security Number severity high
DLP: Austria Tax Identification Number severity medium
DLP: AWS Credentials severity high
DLP: Azure Authentication Token severity high
DLP: Basic Authentication Header severity medium
DLP: Belgium National Number severity high
DLP: Brazil CPF Number severity high
DLP: Brazil RG Number severity high
DLP: Bulgaria Uniform Civil Number severity high
DLP: Canada Bank Account Number severity medium
DLP: Canada Driver's License Number severity medium
DLP: Canada Health Service Number severity high
DLP: Canada Passport Number severity high
DLP: Canada Personal Health Identification Number (PHIN) severity high
DLP: Canada Social Insurance Number (SIN) severity high
DLP: Chile Identity Card Number severity high
DLP: China Resident ID Number severity high
DLP: Colombia Citizenship Card Number severity high
DLP: Croatia Personal Identification (OIB) severity high
DLP: Cyprus Identity Card severity high
DLP: Czech Personal Identity Number severity high
DLP: Denmark Personal Identification Number severity high
DLP: Estonia Personal Identification Code severity high
DLP: Finland National ID severity high
DLP: France Bank Account Number severity medium
DLP: France Driver's License Number severity medium
DLP: France National ID Card (CNI) severity high
DLP: France Passport Number severity high
DLP: France Social Security Number (INSEE) severity high
DLP: France Tax Identification Number (SPI) severity medium
DLP: GCP API Key severity high
DLP: Germany Bank Account Number (IBAN) severity medium
DLP: Germany Driver's License Number severity medium
DLP: Germany Identity Card Number (Personalausweisnummer) severity high
DLP: Germany Passport Number severity high
DLP: Germany Tax Identification Number severity medium
DLP: GitHub Token severity high
DLP: Greece National ID Card severity high
DLP: Greece Social Security Number (AMKA) severity high
DLP: Greece Tax Identification Number severity medium
DLP: Hungary Personal Identification Number severity high
DLP: Hungary Social Security Number (TAJ) severity high
DLP: Hungary Tax Identification Number severity medium
DLP: IMEI Number severity medium
DLP: IMSI Number severity medium
DLP: India Aadhaar Number severity high
DLP: India Bank Account Number severity medium
DLP: India PAN Number severity high
DLP: India Passport Number severity high
DLP: IP Address severity low
DLP: Ireland Personal Public Service (PPS) Number severity high
DLP: Israel Bank Account Number severity medium
DLP: Israel National ID severity high
DLP: Israel SWIFT Code severity medium
DLP: Italy Fiscal Code severity high
DLP: Japan Bank Account Number severity medium
DLP: Japan Driver's License Number severity medium
DLP: Japan MyNumber ID severity high
DLP: Japan Passport Number severity high
DLP: Japan Social Insurance Number severity high
DLP: JSON Web Token (JWT) severity medium
DLP: Latvia Personal Code severity high
DLP: Lithuania Personal Code severity high
DLP: Luxembourg National ID (Natural Persons) severity high
DLP: Luxembourg National ID (Non-Natural Persons) severity medium
DLP: MAC Address severity low
DLP: Malta Identity Card Number severity high
DLP: Malta Tax ID Number severity medium
DLP: Mexico CURP Number severity high
DLP: Mexico Passport Number severity high
DLP: Netherlands Citizen's Service (BSN) Number severity high
DLP: Netherlands Tax Identification Number severity medium
DLP: OAuth Client Secret severity high
DLP: Poland Identity Card severity high
DLP: Poland Tax Identification Number severity medium
DLP: Portugal Citizen Card Number severity high
DLP: Portugal Tax Identification Number severity medium
DLP: Private Key severity high
DLP: Romania Personal Numerical Code severity high
DLP: Saudi Arabia IBAN severity medium
DLP: Saudi Arabia National ID severity high
DLP: Saudi Arabia SWIFT Code severity medium
DLP: Slack Token severity high
DLP: Slovakia Personal Number severity high
DLP: Slovenia Tax Identification Number severity medium
DLP: Slovenia Unique Master Citizen Number severity high
DLP: South Korea Resident Registration Number (RRN) severity high
DLP: Spain Bank Account Number severity medium
DLP: Spain DNI/NIE severity high
DLP: Spain Passport Number severity high
DLP: Spain Social Security Number severity high
DLP: Spain Tax Identification Number severity medium
DLP: SSL Certificate severity medium
DLP: Sweden National ID severity high
DLP: Sweden Tax Identification Number severity medium
DLP: Taiwan ID Number severity high
DLP: Turkey ID Number severity high
DLP: UK National Health Service Number severity high
DLP: UK National Insurance Number (NINO) severity high
DLP: UK Passport Number severity high
DLP: UK SWIFT Code severity medium
DLP: US Bank Account Number severity medium
DLP: US Driver's License Number severity medium
DLP: US ICD-10-CM Code severity medium
DLP: US ICD-9-CM Code severity medium
DLP: US Individual Taxpayer Identification Number (ITIN) severity high
DLP: US Insurance Claim Number severity medium
DLP: US Passport Number severity high
DLP: US Social Security Number (SSN) severity high
DLP: Vehicle Identification Number (VIN) severity medium
DocuSign impersonation via CloudHQ links severity medium
DocuSign impersonation via spoofed Intuit sender severity high
EML attachment with credential theft language (unknown sender) severity high
Employee impersonation with urgent request (untrusted sender) severity medium
Employee impersonation: Payroll fraud severity high
Extortion / sextortion (untrusted sender) severity low
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender severity high
Fake message thread - Untrusted sender with a mismatched freemail reply-to address severity medium
Fake message thread with a suspicious link and engaging language from an unknown sender severity medium
Fake request for tax preparation severity high
Fake scan-to-email message severity medium
Fake thread with suspicious indicators severity medium
Fake voicemail notification (untrusted sender) severity medium
Fake Zoom meeting invite with suspicious link severity medium
File sharing link with a suspicious subject severity medium
Google Notification alert link from non-Google sender severity medium
Headers: Fake in-reply-to with wildcard sender and missing thread context severity high
Headers: System account impersonation with empty sender address severity medium
Impersonation: Australian Federal Police with criminal case language severity high
Impersonation: Chrome Web Store policy severity low
Impersonation: Employee using fabricated identity in initial contact severity high
Impersonation: Internal corporate services severity high
Impersonation: Legal firm with copyright infringement notice severity medium
Impersonation: SharePoint reply header anomaly severity medium
Investor solicitation with organization targeting severity medium
Link: Apple TestFlight from suspicious sender severity medium
Link: Base64 encoded recipient address in URL fragment with subject hash severity low
Link: BEC with newly registered domains and financial keywords severity medium
Link: Display text matches subject line severity medium
Link: Executable file download with suspicious message content severity high
Link: File sharing pretext with suspicious body and link severity medium
Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender severity high
Link: HR impersonation with suspicious domain indicators and credential theft severity high
Link: Job recruitment lure from unsolicited sender with suspicious hosting severity medium
Link: Microsoft impersonation using hosted png with suspicious link severity medium
Link: Multistage landing - Abused Adobe frame.io severity high
Link: Multistage landing - Abused Google Drive severity high
Link: Non-standard port 8443 in display URL severity medium
Link: PDF and financial display text to free file host severity high
Link: Personalized URL with recipient address on commonly abused web service severity medium
Link: Secure SharePoint file share from new or unusual sender severity low
Link: Self-sender with sender org in subject and credential theft indicator severity high
Link: Self-sent PDF lure with subject correlation severity medium
Link: SharePoint filename matches org name severity medium
Link: SharePoint files shared from GoDaddy federated tenants severity low
Link: Shortened URL with fragment matching subject severity medium
Link: Suspicious SharePoint document name severity low
Link: Tax document lure Portuguese/Spanish with suspicious domains severity medium
Link: Uncommon SharePoint document type with sender's display name severity medium
Mass campaign: Cross Site Scripting (XSS) attempt severity medium
Mass campaign: recipient address in subject, body, and link (untrusted sender) severity medium
Mismatched links: Free file share with urgent language severity medium
PayPal invoice abuse severity medium
QR Code with suspicious indicators severity high
Reconnaissance: All recipients cc/bcc'd or undisclosed severity low
Reconnaissance: Email address harvesting attempt severity medium
Reconnaissance: Empty message from uncommon sender severity low
Reconnaissance: Empty subject with mismatched reply-to from new sender severity medium
Reconnaissance: Hotel booking reply-to redirect severity medium
Reconnaissance: Large unknown recipient list severity low
Reconnaissance: Short generic greeting message severity medium
Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment severity high
Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern severity medium
Salesforce infrastructure abuse severity medium
Scam soliciting employer review/rating severity low
Self-sender with copy/paste instructions and suspicious domains (French/Français) severity medium
Sendgrid voicemail phish severity high
Service abuse: Adobe Sign notification from an unsolicited reply-to address severity medium
Service abuse: Amazon invitation with suspected callback phishing severity medium
Service abuse: AWS SNS callback scam impersonation severity medium
Service Abuse: Box file sharing with credential phishing intent severity medium
Service abuse: Callback phishing via Microsoft Teams invite severity high
Service abuse: Cisco secure email service with financial request severity high
Service abuse: Demio notifications with suspicious content patterns severity medium
Service abuse: DocuSign notification with suspicious sender or document name severity medium
Service abuse: DocuSign share from an unsolicited reply-to address severity medium
Service abuse: Dropbox share from an unsolicited reply-to address severity medium
Service abuse: Dropbox share with suspicious sender or document name severity medium
Service abuse: Facebook business with action required subject severity medium
Service abuse: File sharing impersonation with external SharePoint links severity medium
Service Abuse: GoDaddy infrastructure severity medium
Service abuse: Google classroom solicitation severity medium
Service abuse: Google Firebase sender address with suspicious content severity low
Service Abuse: HelloSign share with suspicious sender or document name severity medium
Service abuse: Microsoft Power Apps callback scam severity medium
Service abuse: Microsoft with suspicious indicators in subject severity medium
Service abuse: Monday.com infrastructure with phishing intent severity high
Service abuse: PayPal manager account creation with callback scam indicators severity medium
Service abuse: QuickBooks notification from new domain severity medium
Service abuse: QuickBooks notification with suspicious comments severity medium
Service abuse: SendGrid impersonation via Sendgrid from new sender severity high
Service abuse: Task management message sent via SendGrid severity medium
Service abuse: Vimeo with external plain-text links in message severity high
Sharepoint file share with suspicious recipients pattern severity medium
Spam: Attendee list solicitation severity low
Spam: BlackBaud infrastructure abuse severity medium
Spam: Commonly observed formatting of unauthorized free giveaways severity low
Spam: Cryptocurrency airdrop/giveaway severity low
Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com) severity low
Spam: Fake photo share severity low
Spam: Ghostwriting services scam with manipulative language severity medium
Spam: Mastercard promotional content with image-based body severity low
Spam: New job cold outreach from unsolicited sender severity low
Spam: New link domain (<=10d) and emojis severity medium
Spam: Personalized subject and greetings via Salesforce Marketing Cloud severity low
Spam: Sexually explicit content with emoji in subject from freemail provider severity low
Spam: Sexually explicit Google Drive share severity low
Spam: Sexually explicit Google group invitation severity low
Spam: Sexually explicit Looker Studio report severity low
Spam: Single recipient duplicated in cc severity medium
Spam: URL shortener with short body content and emojis severity low
Spam: Website errors solicitation severity low
Subject and sender display name contains matching long alphanumeric string severity low
Subject: Suspicious bracketed reference severity high
Suspected cross-site scripting (XSS) found in subject severity medium
Suspected WordPress abuse with cross-site scripting (XSS) indicators severity high
Suspicious attachment with unscannable Cloudflare link severity medium
Suspicious DocuSign share from new domain severity high
Suspicious invoice reference with missing or image-only attachments severity high
Suspicious message with unscannable Cloudflare link severity medium
Suspicious message with unscannable Vercel link severity medium
Suspicious request for financial information severity high
Suspicious SharePoint file sharing severity medium
Suspicious subject with long procedurally generated text blob severity medium
Tax Form: W-8BEN solicitation severity medium
Vendor impersonation: Thread hijacking with typosquat domain severity high
VIP / Executive impersonation in subject (untrusted) severity medium
VIP Impersonation via Google Group relay with suspicious indicators severity high
VIP impersonation with charitable donation fraud severity high
VIP impersonation with w2 request with reply-to mismatch severity high
Xero infrastructure abuse severity medium

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Sublime-Message-subject Event ID 7000025

Sublime MQL (378)

Keyboard shortcuts

Search operators