Salesforce infrastructure abuse

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Identifies messages that resemble credential theft, originating from Salesforce. Salesforce infrastrcture abuse has been observed recently to send phishing attacks.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Credential Phishing
Tactics and techniques	Evasion, Social engineering

Event coverage

Message attribute
body
body.current_thread
body.links (collection)
headers (collection)
headers.auth_summary
headers.hops (collection)
headers.return_path
recipients
recipients.to (collection)
sender.email
subject
type

Rule body MQL

type.inbound

// we look at the return-path because many times in the abuse
// we've seen, the From is a custom domain
and headers.return_path.domain.root_domain == "salesforce.com"
and length(attachments) == 0
// there are external links (not org or SF domains)
and length(filter(body.links,
                  .href_url.domain.domain not in $org_domains
                  and .href_url.domain.root_domain not in (
                    "salesforce.com",
                    "force.com",
                    "site.com", // salesforce CRM
                    "agentforce.com"
                  )
           )
) > 0
and (
  (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
    )
    and ml.nlu_classifier(body.current_thread.text).language == "english"
  )
  // subject match when cred_theft doesn't match
  // high confidence observed subject intros in the format of "Urgent Thing: ..."
  or regex.icontains(subject.subject,
                     '^(?:(?:Final|Last)?\s*Warning|(?:Final|Last|Legal|Critical|Content Violation)?\s*(?:Alert|Noti(?:ce|fication))|Appeal Required|Time.Sensitive|Critical.Alert|Important|Copyright Issue)\s*:\s*'
  )
  or any(ml.logo_detect(file.message_screenshot()).brands,
         .name in ("Facebook", "Meta", "Instagram", "Threads")
         and .confidence in ("medium", "high")
  )
  // any of the links are for newly registered domains
  or any(filter(body.links,
                .href_url.domain.domain not in $org_domains
                and .href_url.domain.root_domain not in (
                  "salesforce.com",
                  "force.com",
                  "site.com", // salesforce CRM
                  "agentforce.com"
                )
         ),
         network.whois(.href_url.domain).days_old < 30
  )
  // all links lead to a url shortener domain
  or (
    length(body.links) > 0
    and all(body.links, .href_url.domain.root_domain in $url_shorteners)
  )
)
and 1 of (
  ( // sender domain matches no body domains
    length(body.links) > 0
    and all(body.links,
            (
              .href_url.domain.root_domain != sender.email.domain.root_domain
              and .href_url.domain.root_domain not in (
                "salesforce.com",
                "force.com",
                "site.com",
                "agentforce.com"
              )
            )
            or .href_url.domain.root_domain is null
    )
  ),
  any(recipients.to,
      .email.domain.valid
      and any(body.links,
              strings.icontains(.href_url.url, ..email.email)
              or any(beta.scan_base64(.href_url.url,
                                      format="url",
                                      ignore_padding=true
                     ),
                     strings.icontains(., ...email.email)
              )
              or any(beta.scan_base64(.href_url.fragment, ignore_padding=true),
                     strings.icontains(., ...email.email)
              )
              // cloudflare turnstile or phishing warning page
              or strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                                   "cloudflare"
              )
      )
  ),
  regex.icontains(subject.subject,
                  "termination.*notice",
                  "38417",
                  ":completed",
                  "[il1]{2}mit.*ma[il1]{2} ?bo?x",
                  "[il][il][il]egai[ -]",
                  "[li][li][li]ega[li] attempt",
                  "[ng]-?[io]n .*block",
                  "[ng]-?[io]n .*cancel",
                  "[ng]-?[io]n .*deactiv",
                  "[ng]-?[io]n .*disabl",
                  "action.*required",
                  "abandon.*package",
                  "about.your.account",
                  "acc(ou)?n?t (is )?on ho[li]d",
                  "acc(ou)?n?t.*terminat",
                  "acc(oun)?t.*[il1]{2}mitation",
                  "access.*limitation",
                  "account (will be )?block",
                  "account.*de-?activat",
                  "account.*locked",
                  "account.*restrict",
                  "account.*re-verification",
                  "account.*security",
                  "account.*suspension",
                  "account.has.been",
                  "account.has.expired",
                  "account.will.be.blocked",
                  "account v[il]o[li]at",
                  "activity.*acc(oun)?t",
                  "almost.full",
                  "app[li]e.[il]d",
                  "appeal required",
                  "authenticate.*account",
                  "been.*suspend",
                  "clos.*of.*account.*processed",
                  "confirm.your.account",
                  "copyright (?:restriction|infringment)",
                  "courier.*able",
                  "crediential.*notif",
                  "Critical Alert",
                  "deactivation.*in.*progress",
                  "delivery.*attempt.*failed",
                  "document.received",
                  "documented.*shared.*with.*you",
                  "dropbox.*document",
                  "e-?ma[il1]+ .{010}suspen",
                  "e-?ma[il1]{1} user",
                  "e-?ma[il1]{2} acc",
                  "e-?ma[il1]{2}.*up.?grade",
                  "e.?ma[il1]{2}.*server",
                  "e.?ma[il1]{2}.*suspend",
                  "email.update",
                  "faxed you",
                  "final notice",
                  "fraud(ulent)?.*charge",
                  "from.helpdesk",
                  "fu[il1]{2}.*ma[il1]+[ -]?box",
                  "has.been.*suspended",
                  "has.been.limited",
                  "have.locked",
                  "he[li]p ?desk upgrade",
                  "heipdesk",
                  "i[il]iega[il]",
                  "ii[il]ega[il]",
                  "immediate action",
                  "incoming e?mail",
                  "incoming.*fax",
                  "lock.*security",
                  "ma[il1]{1}[ -]?box.*quo",
                  "ma[il1]{2}[ -]?box.*fu[il1]",
                  "ma[il1]{2}box.*[il1]{2}mit",
                  "ma[il1]{2}box stor",
                  "mail on.?hold",
                  "mail.*box.*migration",
                  "mail.*de-?activat",
                  "mail.update.required",
                  "mails.*pending",
                  "messages.*pending",
                  "missed.*shipping.*notification",
                  "missed.shipment.notification",
                  "must.update.your.account",
                  "new [sl][io]g?[nig][ -]?in from",
                  "new voice ?-?mail",
                  "notifications.*pending",
                  "office.*3.*6.*5.*suspend",
                  "office365",
                  "on google docs with you",
                  "online doc",
                  "password.*compromised",
                  "periodic maintenance",
                  "potential(ly)? unauthorized",
                  "refund not approved",
                  "restrictions applied",
                  "report",
                  "revised.*policy",
                  "scam",
                  "scanned.?invoice",
                  "secured?.update",
                  "security breach",
                  "securlty",
                  "signed.*delivery",
                  "social media",
                  "status of your .{314}? ?delivery",
                  "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
                  "suspicious.*sign.*[io]n",
                  "suspicious.activit",
                  "temporar(il)?y deactivate",
                  "temporar[il1]{2}y disab[li]ed",
                  "temporarily.*lock",
                  "time.sensitive",
                  "un-?usua[li].activity",
                  "unable.*deliver",
                  "unauthorized.*activit",
                  "unauthorized.device",
                  "unauthorized.use",
                  "undelivered message",
                  "unread.*doc",
                  "unusual.activity",
                  "upgrade.*account",
                  "upgrade.notice",
                  "urgent message",
                  "urgent.verification",
                  "v[il1]o[li1]at[il1]on security",
                  "va[il1]{1}date.*ma[il1]{2}[ -]?box",
                  "verification ?-?require",
                  "verification( )?-?need",
                  "verify.your?.account",
                  "web ?-?ma[il1]{2}",
                  "web[ -]?ma[il1]{2}",
                  "will.be.suspended",
                  "your (customer )?account .as",
                  "your.office.365",
                  "your.online.access",
                  "Critical.Notice",
                  "Restore.Access",
                  // https://github.com/sublime-security/static-files/blob/main/suspicious_subjects.txt
                  "account has been limited",
                  "action required",
                  "almost full",
                  "apd notifi cation",
                  "are you at your desk",
                  "are you available",
                  "attached file to docusign",
                  "banking is temporarily unavailable",
                  "bankofamerica",
                  "closing statement invoice",
                  "completed: docusign",
                  "de-activation of",
                  "delivery attempt",
                  "delivery stopped for shipment",
                  "detected suspicious",
                  "detected suspicious actvity",
                  "docu sign",
                  "document for you",
                  "document has been sent to you via docusign",
                  "document is ready for signature",
                  "docusign",
                  "encrypted message",
                  "failed delivery",
                  "fedex tracking",
                  "file was shared",
                  "freefax",
                  "fwd: due invoice paid",
                  "has shared",
                  "inbox is full",
                  "invitation to comment",
                  "invitation to edit",
                  "invoice due",
                  "left you a message",
                  "message from",
                  "new message",
                  "new voicemail",
                  "on desk",
                  "out of space",
                  "password reset",
                  "payment status",
                  "quick reply",
                  "re: w-2",
                  "required",
                  "required: completed docusign",
                  "remittance",
                  "ringcentral",
                  "scanned image",
                  "secured files",
                  "secured pdf",
                  "security alert",
                  "new sign-in",
                  "new sign in",
                  "sign-in attempt",
                  "sign in attempt",
                  "staff review",
                  "suspicious activity",
                  "unrecognized login attempt",
                  "upgrade immediately",
                  "urgent",
                  "wants to share",
                  "w2",
                  "you have notifications pending",
                  "your account",
                  'your (?:\w+\s+){0,1}\s*account',
                  "your amazon order",
                  "your document settlement",
                  "your order with amazon",
                  "your password has been compromised",
  ),
  any($suspicious_subjects, strings.icontains(subject.subject, .))
)
and (
  // if the From is a custom domain, check that it's an unknown sender
  // otherwise, it should be from salesforce
  (
    sender.email.domain.domain == "salesforce.com"
    and any(headers.hops,
            any(.fields,
                .name == "X-SFDC-EmailCategory"
                and .value in (
                  "apiMassMail",
                  "networksNewUser",
                  "Not Specified"
                )
            )
    )
    // negate "meta" emails from the mentioned org itself
    // for example, subject: "a sandbox has been deleted for org ID, a1b2c3"
    // the org ID will appear in the X-SFDC-LK header
    and not any(headers.hops,
                any(.fields,
                    .name == "X-SFDC-LK"
                    and strings.ends_with(subject.subject, .value)
                )
    )
  )
  or (
    (
      (
        profile.by_sender().prevalence in ("new", "outlier")
        and not profile.by_sender().solicited
      )
      or (
        profile.by_sender().any_messages_malicious_or_spam
        and not profile.by_sender().any_messages_benign
      )
    )

    // negate highly trusted sender domains unless they fail DMARC authentication
    and (
      (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        and not headers.auth_summary.dmarc.pass
      )
      or sender.email.domain.root_domain not in $high_trust_sender_root_domains
    )
  )
)

Detection logic

Scope: inbound message.

Identifies messages that resemble credential theft, originating from Salesforce. Salesforce infrastrcture abuse has been observed recently to send phishing attacks.

inbound message
headers.return_path.domain.root_domain is 'salesforce.com'
length(attachments) is 0
length(filter(body.links, .href_url.domain.domain not in $org_domains and .href_url.domain.root_domain not in ('salesforce.com', 'force.com', 'site.com', 'agentforce.com'))) > 0
any of:
- all of:
  - any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
    
    .name is 'cred_theft'
    .confidence is 'high'
  - ml.nlu_classifier(body.current_thread.text).language is 'english'
- subject.subject matches '^(?:(?:Final|Last)?\\s*Warning|(?:Final|Last|Legal|Critical|Content Violation)?\\s*(?:Alert|Noti(?:ce|fication))|Appeal Required|Time.Sensitive|Critical.Alert|Important|Copyright Issue)\\s*:\\s*'
- any of ml.logo_detect(file.message_screenshot()).brands where all hold:
  - .name in ('Facebook', 'Meta', 'Instagram', 'Threads')
  - .confidence in ('medium', 'high')
- any of filter(body.links) where:
  - network.whois(.href_url.domain).days_old < 30
- all of:
  - length(body.links) > 0
  - all of body.links where:
    
    .href_url.domain.root_domain in $url_shorteners
at least 1 of:
- all of:
  - length(body.links) > 0
  - all of body.links where any holds:
    
    all of:
    
    .href_url.domain.root_domain is not sender.email.domain.root_domain
    .href_url.domain.root_domain not in ('salesforce.com', 'force.com', 'site.com', 'agentforce.com')
    .href_url.domain.root_domain is missing
- any of recipients.to where all hold:
  - .email.domain.valid
  - any of body.links where any holds:
    
    strings.icontains(.href_url.url)
    any of beta.scan_base64(.href_url.url) where:
    
    strings.icontains(.)
    any of beta.scan_base64(.href_url.fragment) where:
    
    strings.icontains(.)
    ml.link_analysis(., mode='aggressive').final_dom.display_text contains 'cloudflare'
- subject.subject matches any of 203 patterns
  - termination.*notice
  - 38417
  - :completed
  - [il1]{2}mit.*ma[il1]{2} ?bo?x
  - [il][il][il]egai[ -]
  - [li][li][li]ega[li] attempt
  - [ng]-?[io]n .*block
  - [ng]-?[io]n .*cancel
  - [ng]-?[io]n .*deactiv
  - [ng]-?[io]n .*disabl
  - action.*required
  - abandon.*package
  - about.your.account
  - acc(ou)?n?t (is )?on ho[li]d
  - acc(ou)?n?t.*terminat
  - acc(oun)?t.*[il1]{2}mitation
  - access.*limitation
  - account (will be )?block
  - account.*de-?activat
  - account.*locked
  - account.*restrict
  - account.*re-verification
  - account.*security
  - account.*suspension
  - account.has.been
  - account.has.expired
  - account.will.be.blocked
  - account v[il]o[li]at
  - activity.*acc(oun)?t
  - almost.full
  - app[li]e.[il]d
  - appeal required
  - authenticate.*account
  - been.*suspend
  - clos.*of.*account.*processed
  - confirm.your.account
  - copyright (?:restriction|infringment)
  - courier.*able
  - crediential.*notif
  - Critical Alert
  - deactivation.*in.*progress
  - delivery.*attempt.*failed
  - document.received
  - documented.*shared.*with.*you
  - dropbox.*document
  - e-?ma[il1]+ .{010}suspen
  - e-?ma[il1]{1} user
  - e-?ma[il1]{2} acc
  - e-?ma[il1]{2}.*up.?grade
  - e.?ma[il1]{2}.*server
  - e.?ma[il1]{2}.*suspend
  - email.update
  - faxed you
  - final notice
  - fraud(ulent)?.*charge
  - from.helpdesk
  - fu[il1]{2}.*ma[il1]+[ -]?box
  - has.been.*suspended
  - has.been.limited
  - have.locked
  - he[li]p ?desk upgrade
  - heipdesk
  - i[il]iega[il]
  - ii[il]ega[il]
  - immediate action
  - incoming e?mail
  - incoming.*fax
  - lock.*security
  - ma[il1]{1}[ -]?box.*quo
  - ma[il1]{2}[ -]?box.*fu[il1]
  - ma[il1]{2}box.*[il1]{2}mit
  - ma[il1]{2}box stor
  - mail on.?hold
  - mail.*box.*migration
  - mail.*de-?activat
  - mail.update.required
  - mails.*pending
  - messages.*pending
  - missed.*shipping.*notification
  - missed.shipment.notification
  - must.update.your.account
  - new [sl][io]g?[nig][ -]?in from
  - new voice ?-?mail
  - notifications.*pending
  - office.*3.*6.*5.*suspend
  - office365
  - on google docs with you
  - online doc
  - password.*compromised
  - periodic maintenance
  - potential(ly)? unauthorized
  - refund not approved
  - restrictions applied
  - report
  - revised.*policy
  - scam
  - scanned.?invoice
  - secured?.update
  - security breach
  - securlty
  - signed.*delivery
  - social media
  - status of your .{314}? ?delivery
  - susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty
  - suspicious.*sign.*[io]n
  - suspicious.activit
  - temporar(il)?y deactivate
  - temporar[il1]{2}y disab[li]ed
  - temporarily.*lock
  - time.sensitive
  - un-?usua[li].activity
  - unable.*deliver
  - unauthorized.*activit
  - unauthorized.device
  - unauthorized.use
  - undelivered message
  - unread.*doc
  - unusual.activity
  - upgrade.*account
  - upgrade.notice
  - urgent message
  - urgent.verification
  - v[il1]o[li1]at[il1]on security
  - va[il1]{1}date.*ma[il1]{2}[ -]?box
  - verification ?-?require
  - verification( )?-?need
  - verify.your?.account
  - web ?-?ma[il1]{2}
  - web[ -]?ma[il1]{2}
  - will.be.suspended
  - your (customer )?account .as
  - your.office.365
  - your.online.access
  - Critical.Notice
  - Restore.Access
  - account has been limited
  - action required
  - almost full
  - apd notifi cation
  - are you at your desk
  - are you available
  - attached file to docusign
  - banking is temporarily unavailable
  - bankofamerica
  - closing statement invoice
  - completed: docusign
  - de-activation of
  - delivery attempt
  - delivery stopped for shipment
  - detected suspicious
  - detected suspicious actvity
  - docu sign
  - document for you
  - document has been sent to you via docusign
  - document is ready for signature
  - docusign
  - encrypted message
  - failed delivery
  - fedex tracking
  - file was shared
  - freefax
  - fwd: due invoice paid
  - has shared
  - inbox is full
  - invitation to comment
  - invitation to edit
  - invoice due
  - left you a message
  - message from
  - new message
  - new voicemail
  - on desk
  - out of space
  - password reset
  - payment status
  - quick reply
  - re: w-2
  - required
  - required: completed docusign
  - remittance
  - ringcentral
  - scanned image
  - secured files
  - secured pdf
  - security alert
  - new sign-in
  - new sign in
  - sign-in attempt
  - sign in attempt
  - staff review
  - suspicious activity
  - unrecognized login attempt
  - upgrade immediately
  - urgent
  - wants to share
  - w2
  - you have notifications pending
  - your account
  - your (?:\w+\s+){0,1}\s*account
  - your amazon order
  - your document settlement
  - your order with amazon
  - your password has been compromised
- any of $suspicious_subjects where:
  - strings.icontains(subject.subject)
any of:
- all of:
  - sender.email.domain.domain is 'salesforce.com'
  - any of headers.hops where:
    
    any of .fields where all hold:
    
    .name is 'X-SFDC-EmailCategory'
    .value in ('apiMassMail', 'networksNewUser', 'Not Specified')
  - not:
    
    any of headers.hops where:
    
    any of .fields where all hold:
    
    .name is 'X-SFDC-LK'
    strings.ends_with(subject.subject)
- all of:
  - any of:
    
    all of:
    
    profile.by_sender().prevalence in ('new', 'outlier')
    not:
    
    profile.by_sender().solicited
    all of:
    
    profile.by_sender().any_messages_malicious_or_spam
    not:
    
    profile.by_sender().any_messages_benign
  - any of:
    
    all of:
    
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    not:
    
    headers.auth_summary.dmarc.pass
    sender.email.domain.root_domain not in $high_trust_sender_root_domains

Inspects: body.current_thread.text, body.links, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, body.links[].href_url.fragment, body.links[].href_url.url, headers.auth_summary.dmarc.pass, headers.hops, headers.hops[].fields, headers.hops[].fields[].name, headers.hops[].fields[].value, headers.return_path.domain.root_domain, recipients.to, recipients.to[].email.domain.valid, recipients.to[].email.email, sender.email.domain.domain, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: beta.scan_base64, file.message_screenshot, ml.link_analysis, ml.logo_detect, ml.nlu_classifier, network.whois, profile.by_sender, regex.icontains, strings.ends_with, strings.icontains. Reference lists: $high_trust_sender_root_domains, $org_domains, $suspicious_subjects, $url_shorteners.

Indicators matched (224)

Field	Match	Value
`headers.return_path.domain.root_domain`	equals	`salesforce.com`
`body.links[].href_url.domain.root_domain`	member	`salesforce.com`
`body.links[].href_url.domain.root_domain`	member	`force.com`
`body.links[].href_url.domain.root_domain`	member	`site.com`
`body.links[].href_url.domain.root_domain`	member	`agentforce.com`
`ml.nlu_classifier(body.current_thread.text).intents[].name`	equals	`cred_theft`
`ml.nlu_classifier(body.current_thread.text).intents[].confidence`	equals	`high`
`regex.icontains`	regex	`^(?:(?:Final\|Last)?\sWarning\|(?:Final\|Last\|Legal\|Critical\|Content Violation)?\s(?:Alert\|Noti(?:ce\|fication))\|Appeal Required\|Time.Sensitive\|Critical.Alert\|Important\|Copyright Issue)\s:\s`
`ml.logo_detect(file.message_screenshot()).brands[].name`	member	`Facebook`
`ml.logo_detect(file.message_screenshot()).brands[].name`	member	`Meta`
`ml.logo_detect(file.message_screenshot()).brands[].name`	member	`Instagram`
`ml.logo_detect(file.message_screenshot()).brands[].name`	member	`Threads`

212 more

`ml.logo_detect(file.message_screenshot()).brands[].confidence`	member	`medium`
`ml.logo_detect(file.message_screenshot()).brands[].confidence`	member	`high`
`strings.icontains`	substring	`cloudflare`
`regex.icontains`	regex	`termination.*notice`
`regex.icontains`	regex	`38417`
`regex.icontains`	regex	`:completed`
`regex.icontains`	regex	`[il1]{2}mit.*ma[il1]{2} ?bo?x`
`regex.icontains`	regex	`[il][il][il]egai[ -]`
`regex.icontains`	regex	`[li][li][li]ega[li] attempt`
`regex.icontains`	regex	`[ng]-?[io]n .*block`
`regex.icontains`	regex	`[ng]-?[io]n .*cancel`
`regex.icontains`	regex	`[ng]-?[io]n .*deactiv`
`regex.icontains`	regex	`[ng]-?[io]n .*disabl`
`regex.icontains`	regex	`action.*required`
`regex.icontains`	regex	`abandon.*package`
`regex.icontains`	regex	`about.your.account`
`regex.icontains`	regex	`acc(ou)?n?t (is )?on ho[li]d`
`regex.icontains`	regex	`acc(ou)?n?t.*terminat`
`regex.icontains`	regex	`acc(oun)?t.*[il1]{2}mitation`
`regex.icontains`	regex	`access.*limitation`
`regex.icontains`	regex	`account (will be )?block`
`regex.icontains`	regex	`account.*de-?activat`
`regex.icontains`	regex	`account.*locked`
`regex.icontains`	regex	`account.*restrict`
`regex.icontains`	regex	`account.*re-verification`
`regex.icontains`	regex	`account.*security`
`regex.icontains`	regex	`account.*suspension`
`regex.icontains`	regex	`account.has.been`
`regex.icontains`	regex	`account.has.expired`
`regex.icontains`	regex	`account.will.be.blocked`
`regex.icontains`	regex	`account v[il]o[li]at`
`regex.icontains`	regex	`activity.*acc(oun)?t`
`regex.icontains`	regex	`almost.full`
`regex.icontains`	regex	`app[li]e.[il]d`
`regex.icontains`	regex	`appeal required`
`regex.icontains`	regex	`authenticate.*account`
`regex.icontains`	regex	`been.*suspend`
`regex.icontains`	regex	`clos.of.account.*processed`
`regex.icontains`	regex	`confirm.your.account`
`regex.icontains`	regex	`copyright (?:restriction\|infringment)`
`regex.icontains`	regex	`courier.*able`
`regex.icontains`	regex	`crediential.*notif`
`regex.icontains`	regex	`Critical Alert`
`regex.icontains`	regex	`deactivation.in.progress`
`regex.icontains`	regex	`delivery.attempt.failed`
`regex.icontains`	regex	`document.received`
`regex.icontains`	regex	`documented.shared.with.*you`
`regex.icontains`	regex	`dropbox.*document`
`regex.icontains`	regex	`e-?ma[il1]+ .{010}suspen`
`regex.icontains`	regex	`e-?ma[il1]{1} user`
`regex.icontains`	regex	`e-?ma[il1]{2} acc`
`regex.icontains`	regex	`e-?ma[il1]{2}.*up.?grade`
`regex.icontains`	regex	`e.?ma[il1]{2}.*server`
`regex.icontains`	regex	`e.?ma[il1]{2}.*suspend`
`regex.icontains`	regex	`email.update`
`regex.icontains`	regex	`faxed you`
`regex.icontains`	regex	`final notice`
`regex.icontains`	regex	`fraud(ulent)?.*charge`
`regex.icontains`	regex	`from.helpdesk`
`regex.icontains`	regex	`fu[il1]{2}.*ma[il1]+[ -]?box`
`regex.icontains`	regex	`has.been.*suspended`
`regex.icontains`	regex	`has.been.limited`
`regex.icontains`	regex	`have.locked`
`regex.icontains`	regex	`he[li]p ?desk upgrade`
`regex.icontains`	regex	`heipdesk`
`regex.icontains`	regex	`i[il]iega[il]`
`regex.icontains`	regex	`ii[il]ega[il]`
`regex.icontains`	regex	`immediate action`
`regex.icontains`	regex	`incoming e?mail`
`regex.icontains`	regex	`incoming.*fax`
`regex.icontains`	regex	`lock.*security`
`regex.icontains`	regex	`ma[il1]{1}[ -]?box.*quo`
`regex.icontains`	regex	`ma[il1]{2}[ -]?box.*fu[il1]`
`regex.icontains`	regex	`ma[il1]{2}box.*[il1]{2}mit`
`regex.icontains`	regex	`ma[il1]{2}box stor`
`regex.icontains`	regex	`mail on.?hold`
`regex.icontains`	regex	`mail.box.migration`
`regex.icontains`	regex	`mail.*de-?activat`
`regex.icontains`	regex	`mail.update.required`
`regex.icontains`	regex	`mails.*pending`
`regex.icontains`	regex	`messages.*pending`
`regex.icontains`	regex	`missed.shipping.notification`
`regex.icontains`	regex	`missed.shipment.notification`
`regex.icontains`	regex	`must.update.your.account`
`regex.icontains`	regex	`new [sl][io]g?[nig][ -]?in from`
`regex.icontains`	regex	`new voice ?-?mail`
`regex.icontains`	regex	`notifications.*pending`
`regex.icontains`	regex	`office.3.6.5.suspend`
`regex.icontains`	regex	`office365`
`regex.icontains`	regex	`on google docs with you`
`regex.icontains`	regex	`online doc`
`regex.icontains`	regex	`password.*compromised`
`regex.icontains`	regex	`periodic maintenance`
`regex.icontains`	regex	`potential(ly)? unauthorized`
`regex.icontains`	regex	`refund not approved`
`regex.icontains`	regex	`restrictions applied`
`regex.icontains`	regex	`report`
`regex.icontains`	regex	`revised.*policy`
`regex.icontains`	regex	`scam`
`regex.icontains`	regex	`scanned.?invoice`
`regex.icontains`	regex	`secured?.update`
`regex.icontains`	regex	`security breach`
`regex.icontains`	regex	`securlty`
`regex.icontains`	regex	`signed.*delivery`
`regex.icontains`	regex	`social media`
`regex.icontains`	regex	`status of your .{314}? ?delivery`
`regex.icontains`	regex	`susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty`
`regex.icontains`	regex	`suspicious.sign.[io]n`
`regex.icontains`	regex	`suspicious.activit`
`regex.icontains`	regex	`temporar(il)?y deactivate`
`regex.icontains`	regex	`temporar[il1]{2}y disab[li]ed`
`regex.icontains`	regex	`temporarily.*lock`
`regex.icontains`	regex	`time.sensitive`
`regex.icontains`	regex	`un-?usua[li].activity`
`regex.icontains`	regex	`unable.*deliver`
`regex.icontains`	regex	`unauthorized.*activit`
`regex.icontains`	regex	`unauthorized.device`
`regex.icontains`	regex	`unauthorized.use`
`regex.icontains`	regex	`undelivered message`
`regex.icontains`	regex	`unread.*doc`
`regex.icontains`	regex	`unusual.activity`
`regex.icontains`	regex	`upgrade.*account`
`regex.icontains`	regex	`upgrade.notice`
`regex.icontains`	regex	`urgent message`
`regex.icontains`	regex	`urgent.verification`
`regex.icontains`	regex	`v[il1]o[li1]at[il1]on security`
`regex.icontains`	regex	`va[il1]{1}date.*ma[il1]{2}[ -]?box`
`regex.icontains`	regex	`verification ?-?require`
`regex.icontains`	regex	`verification( )?-?need`
`regex.icontains`	regex	`verify.your?.account`
`regex.icontains`	regex	`web ?-?ma[il1]{2}`
`regex.icontains`	regex	`web[ -]?ma[il1]{2}`
`regex.icontains`	regex	`will.be.suspended`
`regex.icontains`	regex	`your (customer )?account .as`
`regex.icontains`	regex	`your.office.365`
`regex.icontains`	regex	`your.online.access`
`regex.icontains`	regex	`Critical.Notice`
`regex.icontains`	regex	`Restore.Access`
`regex.icontains`	regex	`account has been limited`
`regex.icontains`	regex	`action required`
`regex.icontains`	regex	`almost full`
`regex.icontains`	regex	`apd notifi cation`
`regex.icontains`	regex	`are you at your desk`
`regex.icontains`	regex	`are you available`
`regex.icontains`	regex	`attached file to docusign`
`regex.icontains`	regex	`banking is temporarily unavailable`
`regex.icontains`	regex	`bankofamerica`
`regex.icontains`	regex	`closing statement invoice`
`regex.icontains`	regex	`completed: docusign`
`regex.icontains`	regex	`de-activation of`
`regex.icontains`	regex	`delivery attempt`
`regex.icontains`	regex	`delivery stopped for shipment`
`regex.icontains`	regex	`detected suspicious`
`regex.icontains`	regex	`detected suspicious actvity`
`regex.icontains`	regex	`docu sign`
`regex.icontains`	regex	`document for you`
`regex.icontains`	regex	`document has been sent to you via docusign`
`regex.icontains`	regex	`document is ready for signature`
`regex.icontains`	regex	`docusign`
`regex.icontains`	regex	`encrypted message`
`regex.icontains`	regex	`failed delivery`
`regex.icontains`	regex	`fedex tracking`
`regex.icontains`	regex	`file was shared`
`regex.icontains`	regex	`freefax`
`regex.icontains`	regex	`fwd: due invoice paid`
`regex.icontains`	regex	`has shared`
`regex.icontains`	regex	`inbox is full`
`regex.icontains`	regex	`invitation to comment`
`regex.icontains`	regex	`invitation to edit`
`regex.icontains`	regex	`invoice due`
`regex.icontains`	regex	`left you a message`
`regex.icontains`	regex	`message from`
`regex.icontains`	regex	`new message`
`regex.icontains`	regex	`new voicemail`
`regex.icontains`	regex	`on desk`
`regex.icontains`	regex	`out of space`
`regex.icontains`	regex	`password reset`
`regex.icontains`	regex	`payment status`
`regex.icontains`	regex	`quick reply`
`regex.icontains`	regex	`re: w-2`
`regex.icontains`	regex	`required`
`regex.icontains`	regex	`required: completed docusign`
`regex.icontains`	regex	`remittance`
`regex.icontains`	regex	`ringcentral`
`regex.icontains`	regex	`scanned image`
`regex.icontains`	regex	`secured files`
`regex.icontains`	regex	`secured pdf`
`regex.icontains`	regex	`security alert`
`regex.icontains`	regex	`new sign-in`
`regex.icontains`	regex	`new sign in`
`regex.icontains`	regex	`sign-in attempt`
`regex.icontains`	regex	`sign in attempt`
`regex.icontains`	regex	`staff review`
`regex.icontains`	regex	`suspicious activity`
`regex.icontains`	regex	`unrecognized login attempt`
`regex.icontains`	regex	`upgrade immediately`
`regex.icontains`	regex	`urgent`
`regex.icontains`	regex	`wants to share`
`regex.icontains`	regex	`w2`
`regex.icontains`	regex	`you have notifications pending`
`regex.icontains`	regex	`your account`
`regex.icontains`	regex	`your (?:\w+\s+){0,1}\s*account`
`regex.icontains`	regex	`your amazon order`
`regex.icontains`	regex	`your document settlement`
`regex.icontains`	regex	`your order with amazon`
`regex.icontains`	regex	`your password has been compromised`
`sender.email.domain.domain`	equals	`salesforce.com`
`headers.hops[].fields[].name`	equals	`X-SFDC-EmailCategory`
`headers.hops[].fields[].value`	member	`apiMassMail`
`headers.hops[].fields[].value`	member	`networksNewUser`
`headers.hops[].fields[].value`	member	`Not Specified`
`headers.hops[].fields[].name`	equals	`X-SFDC-LK`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)