Sublime-Message-body

7 attribute groups in the body section of the Sublime Message Data Model. Each is addressed by its dotted attribute path, not a numbered event.

Attribute group	Description
`body`	Message Data Model attribute: body
`body.current_thread`	Message Data Model attribute: body.current_thread
`body.html`	Message Data Model attribute: body.html
`body.ips (collection)`	Message Data Model attribute: body.ips
`body.links (collection)`	Message Data Model attribute: body.links
`body.plain`	Message Data Model attribute: body.plain
`body.previous_threads (collection)`	Message Data Model attribute: body.previous_threads

`body`

Section: Sublime-Message-body

Description

Message Data Model attribute: body

Fields #

Name	Description
`html`
`ips`	IP Addresses located in the body
`links`	All links found in the body of the message, unique by the target and display text/url.
`previous_threads`	The previous texts threads of the message'

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Service abuse: Amazon invitation with suspected callback phishing source medium: Detects Amazon's no-reply address with a subject about invitation sending, containing phone numbers within HTML header elements. This pattern is commonly used to trick recipients into calling fraudulent customer service numbers.
Service Abuse: Box file sharing with credential phishing intent source medium: Detects abuse of Box's legitimate infrastructure for credential phishing attacks.↳ also matches body.current_thread, body.links (collection)
Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure source high: Detects messages containing links to Cloudflare Workers domains that follow naming patterns designed to impersonate legitimate services such as Adobe, DocuSign, OneDrive, SharePoint, and voicemail systems. These domains use suspicious alphanumeric identifiers and may be used to deceive recipients into believing they are accessing trusted services.↳ also matches body.links (collection)

Show 17 more (498 total)

Service abuse: Google Firebase sender address with suspicious content source low: Detects messages from Firebase hosted domains that contain suspicious indicators such as emojis, spam keywords, unusual link patterns, or freemail registrant information.↳ also matches body.current_thread, body.html, body.links (collection), body.plain
Service abuse: FlipHTML5 with attachment deception and credential theft language source medium: Detects messages that reference attachments without including any, contain links to FlipHTML5 services, and exhibit high-confidence credential theft language patterns.↳ also matches body.current_thread, body.links (collection)
Service abuse: Formester with suspicious link behavior source medium: Detects abuse of the Formester form service where links either redirect to credential phishing pages, contain suspicious top-level domains in the final DOM and/or redirect history, or display 'secure message' text indicating potential credential theft.↳ also matches body.current_thread, body.links (collection)
Service abuse: Google account notification with links to free file host source high: Detects messages impersonating Google Accounts that contain links redirecting to known file hosting services↳ also matches body.links (collection)
Google services using g.co shortlinks source medium: Identifies messages from authenticated Google domains containing g.co shortened URLs with a subdomain in either the message body links or thread text.↳ also matches body.current_thread, body.links (collection)
Service Abuse: HelloSign share with suspicious sender or document name source medium: The detection rule is designed to identify messages sent from HelloSign that notify recipients about a shared file and contain suspicious content either in the document or the sender's display name.↳ also matches body.current_thread, body.html
Service abuse: Meetup.com redirect with brand impersonation source medium: Detects messages abusing Meetup.com's click tracking service with lengthy redirect URLs while impersonating legitimate Meetup communications. The rule identifies suspicious links to clicks.meetup.com with URLs exceeding 300 characters, excludes legitimate Meetup emails by checking for their branding elements, and filters out high-trust authenticated senders.↳ also matches body.links (collection)
Service abuse: QuickBooks notification with suspicious comments source medium: This detection rule matches QuickBooks notifications that contain suspicious keywords within the comments section of the notification↳ also matches body.html
Abuse: Robinhood injected content source medium: Detects messages from Robinhood with injected HTML into one of the list fields, often the 'Device' field.
Service abuse: Substack credential theft with confusable characters and branded button redirects source medium: Detects messages from Substack that use confusable characters in the sender display name, contain purple buttons or typical button classes that redirect to non-Substack domains, and include credential theft content with urgency indicators.↳ also matches body.current_thread
Service abuse: Wix redirect through bulk mailer domains source low: Detects messages containing Wix-encoded links that redirect through bulk mailing service domains, potentially bypassing security controls through legitimate redirect services.↳ also matches body.links (collection)
Service abuse: Suspicious Zoom Docs link source low: Detects messages from Zoom Docs in which the document originates from a newly observed email address or contains suspicious indicators.↳ also matches body.links (collection)
Service abuse: AppSheet infrastructure with suspicious indicators source medium: Identifies messages that resemble credential theft, originating from AppSheet. AppSheet infrastrcture abuse has been observed recently to send phishing attacks.↳ also matches body.current_thread, body.links (collection)
Newly registered sender or reply-to domain with newly registered linked domain source medium: This rule detects inbound emails that contain links and a reply-to address, where either the sender domain or the reply-to domain is newly registered (≤30 days old), and at least one linked domain is also very new (≤14 days old). It flags potential phishing or business email compromise attempts that use recently created infrastructure and reply-to mismatch tactics to bypass trust and impersonate legitimate contacts.↳ also matches body.links (collection)
Attachment: Adobe image lure in body or attachment with suspicious link source medium: Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.↳ also matches body.current_thread, body.html, body.links (collection)
Attachment: Callback phishing solicitation via text-based file source medium: Callback Phishing via a text-based file attachment and a short body and subject from an unknown sender.↳ also matches body.current_thread, body.links (collection)
Credential phishing: Image as content, short or no body contents source medium: This rule identifies incoming messages with minimal links, all image attachments and either empty, brief or the body text is only a warning banner/disclaimer. It also checks for truncated PNG images or logos in addition to high-confidence credit theft intentions. ↳ also matches body.current_thread

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`body.current_thread`

Section: Sublime-Message-body

Description

Message Data Model attribute: body.current_thread

Fields #

Name	Description
`banners`	All warning banners found in the body of the message.
`banners[].text`	The text content from the warning banner.
`links`	All links found in the given thread, unique by the target and display text/url.
`links[].display_text`	The text of a hyperlink, if it's not a URL
`links[].display_url.domain.root_domain`	The root domain, including the TLD
`links[].display_url.domain.sld`	Second-level domain, e.g. 'windows' for the domain 'windows.net'
`links[].display_url.domain.subdomain`	Subdomain, e.g. 'drive' for the domain 'drive.google.com'
`links[].display_url.path`	Everything after the TLD and before the query parameters
`links[].display_url.url`	Full URL
`links[].href_url.domain`
`links[].href_url.domain.domain`	The fully qualified domain name (FQDN). This may not always be routable, e.g. when an email address contains a domain that is just a TLD with no SLD, e.g. foo@WIN-bar
`links[].href_url.domain.root_domain`	The root domain, including the TLD
`links[].href_url.domain.sld`	Second-level domain, e.g. 'windows' for the domain 'windows.net'
`links[].href_url.domain.subdomain`	Subdomain, e.g. 'drive' for the domain 'drive.google.com'
`links[].href_url.domain.tld`	The domain's top-level domain. E.g. the TLD of google.com is 'com'
`links[].href_url.domain.valid`	Whether the domain is valid
`links[].href_url.fragment`	Fragment identifier; the text following the # in the URL (also called the anchor tag)
`links[].href_url.path`	Everything after the TLD and before the query parameters
`links[].href_url.query_params`	The full query parameters of the URL
`links[].href_url.query_params_decoded`	The decoded query parameters of the URL
`links[].href_url.query_params_decoded['domain'][]`
`links[].href_url.rewrite.encoders`	List of detected URL rewrite encoders while unraveling the URL
`links[].href_url.rewrite.original`	Original URL without any unraveling URL rewrites
`links[].href_url.scheme`	Protocol for the URL request, e.g. http
`links[].href_url.url`	Full URL
`links[].parser`	The parser that was used to derived the link
`links[].visible`	Whether the link is visible to a human when previewing an email or page
`text`	The text content from the latest reply/forward in a message thread. This typically excludes content from forwarded messages and warning banners.

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Service abuse: Behance document sharing with suspicious language source medium: Detects messages containing document sharing language with a single Behance gallery link, potentially indicating abuse of the legitimate Adobe Behance platform for malicious purposes.
Service Abuse: Box file sharing with credential phishing intent source medium: Detects abuse of Box's legitimate infrastructure for credential phishing attacks.↳ also matches body, body.links (collection)
Service abuse: Google Firebase sender address with suspicious content source low: Detects messages from Firebase hosted domains that contain suspicious indicators such as emojis, spam keywords, unusual link patterns, or freemail registrant information.↳ also matches body, body.html, body.links (collection), body.plain

Show 17 more (555 total)

Service abuse: FlipHTML5 with attachment deception and credential theft language source medium: Detects messages that reference attachments without including any, contain links to FlipHTML5 services, and exhibit high-confidence credential theft language patterns.↳ also matches body, body.links (collection)
Service abuse: Formester with suspicious link behavior source medium: Detects abuse of the Formester form service where links either redirect to credential phishing pages, contain suspicious top-level domains in the final DOM and/or redirect history, or display 'secure message' text indicating potential credential theft.↳ also matches body, body.links (collection)
Service abuse: Google classroom solicitation source medium: Detects messages spoofing Google Classroom notifications that contain WhatsApp contact information, phone numbers, or sexually explicit content. The rule identifies emails from no-reply@classroom.google.com that include WhatsApp invitations, emojis in the subject line, or explicit sexual language, as well as phone numbers and WhatsApp references in message screenshots from first-time senders.↳ also matches body.html
Google services using g.co shortlinks source medium: Identifies messages from authenticated Google domains containing g.co shortened URLs with a subdomain in either the message body links or thread text.↳ also matches body, body.links (collection)
Service Abuse: HelloSign share with suspicious sender or document name source medium: The detection rule is designed to identify messages sent from HelloSign that notify recipients about a shared file and contain suspicious content either in the document or the sender's display name.↳ also matches body, body.html
Service abuse: Substack credential theft with confusable characters and branded button redirects source medium: Detects messages from Substack that use confusable characters in the sender display name, contain purple buttons or typical button classes that redirect to non-Substack domains, and include credential theft content with urgency indicators.↳ also matches body
Service abuse: Task management message sent via SendGrid source medium: Detects messages impersonating task or productivity applications by using 'todo list' in the subject line or body while utilizing SendGrid infrastructure. The sender claims to be task-related through display name or body content but originates from non-legitimate domains without proper DMARC authentication.
Service abuse: Vimeo with external plain-text links in message source high: Detects messages absuing Vimeo notifications about received messages that contain plain-text links redirecting to domains other than Vimeo, potentially leading users to malicious websites.
Service abuse: Payoneer callback scam source medium: A fraudulent invoice/receipt found in the body of the message sent by leveraging Payoneer's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.↳ also matches body.html
Service abuse: AppSheet infrastructure with suspicious indicators source medium: Identifies messages that resemble credential theft, originating from AppSheet. AppSheet infrastrcture abuse has been observed recently to send phishing attacks.↳ also matches body, body.links (collection)
Attachment: Adobe image lure in body or attachment with suspicious link source medium: Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.↳ also matches body, body.html, body.links (collection)
Brand impersonation: Adobe (QR code) source high: Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Attachment: Callback phishing solicitation via text-based file source medium: Callback Phishing via a text-based file attachment and a short body and subject from an unknown sender.↳ also matches body, body.links (collection)
Attachment: Callback phishing solicitation via pdf file source high: A fraudulent invoice/receipt found in a pdf attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment. ↳ also matches body.html, body.plain
Credential phishing: Image as content, short or no body contents source medium: This rule identifies incoming messages with minimal links, all image attachments and either empty, brief or the body text is only a warning banner/disclaimer. It also checks for truncated PNG images or logos in addition to high-confidence credit theft intentions. ↳ also matches body
Attachment: Fake secure message and suspicious indicators source medium: Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.↳ also matches body, body.links (collection)
Attachment: Credit card application with WhatsApp contact source medium: Detects messages containing promotional credit card offers with attached forms requesting extensive personal information (PII) and directing victims to contact via WhatsApp, indicating potential fraud.

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`body.html`

Section: Sublime-Message-body

Description

Message Data Model attribute: body.html

Fields #

Name	Description
`display_text`	Visible text of the HTML document, with invisible characters removed and non-ASCII characters converted to ASCII spaces.
`inner_text`	Inner text of the HTML document that doesn't include HTML tags.
`raw`	Decoded raw content of a body text type (text/[subtype] section)

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Service abuse: Google Firebase sender address with suspicious content source low: Detects messages from Firebase hosted domains that contain suspicious indicators such as emojis, spam keywords, unusual link patterns, or freemail registrant information.↳ also matches body, body.current_thread, body.links (collection), body.plain
Service abuse: Google classroom solicitation source medium: Detects messages spoofing Google Classroom notifications that contain WhatsApp contact information, phone numbers, or sexually explicit content. The rule identifies emails from no-reply@classroom.google.com that include WhatsApp invitations, emojis in the subject line, or explicit sexual language, as well as phone numbers and WhatsApp references in message screenshots from first-time senders.↳ also matches body.current_thread
Service Abuse: HelloSign share with suspicious sender or document name source medium: The detection rule is designed to identify messages sent from HelloSign that notify recipients about a shared file and contain suspicious content either in the document or the sender's display name.↳ also matches body, body.current_thread

Show 17 more (109 total)

Service abuse: HelloSign from an unsolicited sender address source low: Detects messages from HelloSign in which the document originates from a newly observed email address. The email address is extracted from across multiple message components, including HTML body templates and email header fields.
Brand impersonation: QuickBooks notification from Intuit themed company name source medium: This detection rule matches on QuickBooks notifications that feature company names impersonating Intuit and QuickBooks.
Service abuse: QuickBooks notification with suspicious comments source medium: This detection rule matches QuickBooks notifications that contain suspicious keywords within the comments section of the notification↳ also matches body
Service abuse: Payoneer callback scam source medium: A fraudulent invoice/receipt found in the body of the message sent by leveraging Payoneer's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.↳ also matches body.current_thread
Anthropic Magic String in HTML source low: Detects messages containing the specific test string 'ANTHROPIC_MAGIC_STRING' in the plain text body content.↳ also matches body.plain
Attachment: Adobe image lure in body or attachment with suspicious link source medium: Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.↳ also matches body, body.current_thread, body.links (collection)
Attachment: Callback phishing solicitation via pdf file source high: A fraudulent invoice/receipt found in a pdf attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment. ↳ also matches body.current_thread, body.plain
Attachment: EML with link to credential phishing page source high: Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects. ↳ also matches body.current_thread
EML attachment with credential theft language (unknown sender) source high: Identifies EML attachments that use credential theft language from unknown senders.
Attachment: EML file contains HTML attachment with login portal indicators source high: Attached EML file contains an HTML attachment with suspicious login indicators. Known credential theft technique.
Attachment: EML with suspicious indicators source medium: Attached EML contains suspicious indicators, such as a missing sender email or short HTML body.↳ also matches body.current_thread
Attachment: EML file with HTML attachment (unsolicited) source medium: Detects HTML files in EML attachments from unsolicited senders. Reduces attack surface against HTML smuggling.
Attachment: Fake attachment image lure source medium: Message (or attached message) contains an image impersonating an Outlook attachment button.
Impersonation: Fake Gmail attachment source high: Message detects fake Gmail attachments by inspecting the body of a message for elements found within Gmail's user interface for attachment. In expected use, these elements only appears within the gmail WebUI and not within the body of message. The presence of this within message indicates a fake attachment.↳ also matches body, body.current_thread, body.links (collection), body.plain
Brand impersonation: Microsoft (QR code) source high: Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads. ↳ also matches body.current_thread
BEC/Fraud: Student loan callback phishing source medium: This rule detects phishing emails that attempt to engage the recipient by soliciting a callback under the guise of student loan forgiveness or assistance. The messages often come from free email providers, lack a proper HTML structure, and include suspicious indicators such as phone numbers embedded in the text. These emails typically contain language urging the recipient to respond or take immediate action, leveraging urgency around student loan repayment to entice engagement.↳ also matches body.current_thread
Advance Fee Fraud (AFF) from freemail provider or suspicious TLD source medium: Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised future returns, such as lottery scams, inheritance payouts, and investment opportunities. This rule identifies messages from Freemail domains or suspicious TLDS, including those with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect AFF language in their contents. ↳ also matches body, body.current_thread, body.links (collection)

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`body.ips (collection)`

Section: Sublime-Message-body

Description

Message Data Model attribute: body.ips

Fields #

Name	Description
`ip`	The IP in canonical form

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Credential phishing: Engaging language and other indicators (untrusted sender) source medium: Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender. ↳ also matches body, body.current_thread, body.links (collection)

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`body.links (collection)`

Section: Sublime-Message-body

Description

Message Data Model attribute: body.links

Fields #

Name	Description
`display_text`	The text of a hyperlink, if it's not a URL
`display_url.domain`
`display_url.domain.root_domain`	The root domain, including the TLD
`display_url.domain.tld`	The domain's top-level domain. E.g. the TLD of google.com is 'com'
`display_url.path`	Everything after the TLD and before the query parameters
`display_url.scheme`	Protocol for the URL request, e.g. http
`display_url.url`	Full URL
`href_url.domain`
`href_url.domain.domain`	The fully qualified domain name (FQDN). This may not always be routable, e.g. when an email address contains a domain that is just a TLD with no SLD, e.g. foo@WIN-bar
`href_url.domain.punycode`	Interpreted punycode if the domain starts with xn--. For example, if 'domain' is 'xn--ublimesecurity-4xc.com' then 'punycode' is śublimesecurity.com
`href_url.domain.root_domain`	The root domain, including the TLD
`href_url.domain.sld`	Second-level domain, e.g. 'windows' for the domain 'windows.net'
`href_url.domain.subdomain`	Subdomain, e.g. 'drive' for the domain 'drive.google.com'
`href_url.domain.tld`	The domain's top-level domain. E.g. the TLD of google.com is 'com'
`href_url.domain.valid`	Whether the domain is valid
`href_url.fragment`	Fragment identifier; the text following the # in the URL (also called the anchor tag)
`href_url.ip.translation.v4_to_v6`	Whether 'Original' is IPv4-mapped-IPv6
`href_url.password`	The password specified before the domain name
`href_url.path`	Everything after the TLD and before the query parameters
`href_url.query_params`	The full query parameters of the URL
`href_url.query_params_decoded`	The decoded query parameters of the URL
`href_url.query_params_decoded['domain']`
`href_url.query_params_decoded['domain'][]`
`href_url.query_params_decoded['email']`
`href_url.query_params_decoded['eta'][]`
`href_url.query_params_decoded['key']`
`href_url.query_params_decoded['login']`
`href_url.query_params_decoded['mode']`
`href_url.query_params_decoded['pwd']`
`href_url.query_params_decoded['redirect']`
`href_url.query_params_decoded['tracking_number']`
`href_url.query_params_decoded['upn']`
`href_url.query_params_decoded['url']`
`href_url.query_params_decoded[]`	The decoded query parameters of the URL
`href_url.query_params_decoded[][]`	The decoded query parameters of the URL
`href_url.rewrite.encoders`	List of detected URL rewrite encoders while unraveling the URL
`href_url.rewrite.original`	Original URL without any unraveling URL rewrites
`href_url.scheme`	Protocol for the URL request, e.g. http
`href_url.url`	Full URL
`href_url.username`	The username specified before the domain name of the URL
`mismatched`	Whether the display URL and href URL root domains are mismatched (i.e. .href_url.domain.root_domain != .display_url.domain.root_domain, where both are not null and valid domains)
`parser`	The parser that was used to derived the link
`visible`	Whether the link is visible to a human when previewing an email or page

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Service Abuse: Box file sharing with credential phishing intent source medium: Detects abuse of Box's legitimate infrastructure for credential phishing attacks.↳ also matches body, body.current_thread
Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure source high: Detects messages containing links to Cloudflare Workers domains that follow naming patterns designed to impersonate legitimate services such as Adobe, DocuSign, OneDrive, SharePoint, and voicemail systems. These domains use suspicious alphanumeric identifiers and may be used to deceive recipients into believing they are accessing trusted services.↳ also matches body
Service abuse: Google Firebase sender address with suspicious content source low: Detects messages from Firebase hosted domains that contain suspicious indicators such as emojis, spam keywords, unusual link patterns, or freemail registrant information.↳ also matches body, body.current_thread, body.html, body.plain

Show 17 more (420 total)

Service abuse: FlipHTML5 with attachment deception and credential theft language source medium: Detects messages that reference attachments without including any, contain links to FlipHTML5 services, and exhibit high-confidence credential theft language patterns.↳ also matches body, body.current_thread
Service abuse: Formester with suspicious link behavior source medium: Detects abuse of the Formester form service where links either redirect to credential phishing pages, contain suspicious top-level domains in the final DOM and/or redirect history, or display 'secure message' text indicating potential credential theft.↳ also matches body, body.current_thread
Service abuse: Google account notification with links to free file host source high: Detects messages impersonating Google Accounts that contain links redirecting to known file hosting services↳ also matches body
Google services using g.co shortlinks source medium: Identifies messages from authenticated Google domains containing g.co shortened URLs with a subdomain in either the message body links or thread text.↳ also matches body, body.current_thread
Service abuse: Meetup.com redirect with brand impersonation source medium: Detects messages abusing Meetup.com's click tracking service with lengthy redirect URLs while impersonating legitimate Meetup communications. The rule identifies suspicious links to clicks.meetup.com with URLs exceeding 300 characters, excludes legitimate Meetup emails by checking for their branding elements, and filters out high-trust authenticated senders.↳ also matches body
Service abuse: Wix redirect through bulk mailer domains source low: Detects messages containing Wix-encoded links that redirect through bulk mailing service domains, potentially bypassing security controls through legitimate redirect services.↳ also matches body
Service abuse: Suspicious Zoom Docs link source low: Detects messages from Zoom Docs in which the document originates from a newly observed email address or contains suspicious indicators.↳ also matches body
Service abuse: AppSheet infrastructure with suspicious indicators source medium: Identifies messages that resemble credential theft, originating from AppSheet. AppSheet infrastrcture abuse has been observed recently to send phishing attacks.↳ also matches body, body.current_thread
Newly registered sender or reply-to domain with newly registered linked domain source medium: This rule detects inbound emails that contain links and a reply-to address, where either the sender domain or the reply-to domain is newly registered (≤30 days old), and at least one linked domain is also very new (≤14 days old). It flags potential phishing or business email compromise attempts that use recently created infrastructure and reply-to mismatch tactics to bypass trust and impersonate legitimate contacts.↳ also matches body
Attachment: Adobe image lure in body or attachment with suspicious link source medium: Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.↳ also matches body, body.current_thread, body.html
Attachment: Callback phishing solicitation via text-based file source medium: Callback Phishing via a text-based file attachment and a short body and subject from an unknown sender.↳ also matches body, body.current_thread
Attachment: Fake secure message and suspicious indicators source medium: Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.↳ also matches body, body.current_thread
Brand impersonation: DocuSign branded attachment lure with no DocuSign links source high: Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo or verbage within an image or PDF attachment, from an untrusted sender.↳ also matches body, body.current_thread
Attachment: Dropbox image lure with no Dropbox domains in links source medium: Detects Dropbox phishing emails with no Dropbox links with image attachments from an untrusted sender.↳ also matches body
Extortion / sextortion in attachment from untrusted sender source low: Detects extortion and sextortion attempts by analyzing attachment text from an untrusted sender.↳ also matches body, body.current_thread
Impersonation: Fake Gmail attachment source high: Message detects fake Gmail attachments by inspecting the body of a message for elements found within Gmail's user interface for attachment. In expected use, these elements only appears within the gmail WebUI and not within the body of message. The presence of this within message indicates a fake attachment.↳ also matches body, body.current_thread, body.html, body.plain
Free subdomain link with credential theft indicators source high: Message contains a suspicious Recipients pattern, a link that uses a free subdomain provider, and has credential theft language on the linked page. ↳ also matches body

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`body.plain`

Section: Sublime-Message-body

Description

Message Data Model attribute: body.plain

Fields #

Name	Description
`raw`	Decoded raw content of a body text type (text/[subtype] section)

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Service abuse: Google Firebase sender address with suspicious content source low: Detects messages from Firebase hosted domains that contain suspicious indicators such as emojis, spam keywords, unusual link patterns, or freemail registrant information.↳ also matches body, body.current_thread, body.html, body.links (collection)
Anthropic Magic String in HTML source low: Detects messages containing the specific test string 'ANTHROPIC_MAGIC_STRING' in the plain text body content.↳ also matches body.html
Attachment: Callback phishing solicitation via pdf file source high: A fraudulent invoice/receipt found in a pdf attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment. ↳ also matches body.current_thread, body.html

Show 17 more (30 total)

Impersonation: Fake Gmail attachment source high: Message detects fake Gmail attachments by inspecting the body of a message for elements found within Gmail's user interface for attachment. In expected use, these elements only appears within the gmail WebUI and not within the body of message. The presence of this within message indicates a fake attachment.↳ also matches body, body.current_thread, body.html, body.links (collection)
Attachment: Legal themed message or PDF with suspicious indicators source medium: Detects messages with short body content or emoji containing PDF attachments from suspicious creators that include legal and compliance language with embedded malicious links, URL shorteners, or newly registered domains.↳ also matches body.current_thread
HTML smuggling with atob in message body source high: Detects if the email body HTML contains the document write or insertAdjacentHTML method and atob function call. This technique has been observed leading to credential phishing. ↳ also matches body.html
URL with Unicode U+2044 (⁄) or U+2215 (∕) characters source low: Body of the message, or any links, contain the Unicode U+2044 (⁄) or U+2215 (∕) characters inside a URL. ↳ also matches body, body.links (collection)
Suspicious invoice reference with missing or image-only attachments source high: This rule flags emails that reference invoices or payments but have suspicious characteristics: attachments are either missing or only images. It also checks for misleading links disguised as attachments and the presence of invoice-related keywords. The rule looks for potential credential theft or unusual requests, making it a strong indicator of phishing attempts.↳ also matches body, body.current_thread, body.html, body.links (collection)
Fake thread with suspicious indicators source medium: Fake thread contains suspicious indicators, which can lead to BEC, credential phishing, and other undesirable outcomes.↳ also matches body, body.current_thread, body.html, body.links (collection), body.previous_threads (collection)
Fake message thread - Untrusted sender with a mismatched freemail reply-to address source medium: Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility. This is typically used in conjunction with a reply-to address that is not the same as the sender address. ↳ also matches body.current_thread, body.html
Brand impersonation: Google Drive fake file share source medium: This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains. ↳ also matches body, body.current_thread, body.html, body.links (collection), body.previous_threads (collection)
Brand impersonation: Sharepoint source high: Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language. ↳ also matches body, body.current_thread, body.html, body.links (collection)
Brand impersonation: Sharepoint fake file share source medium: This rule detects messages impersonating a Sharepoint file sharing email where no links point to known Microsoft domains. ↳ also matches body, body.current_thread, body.html, body.links (collection)
Impersonation: SharePoint reply header anomaly source medium: Detects messages with SharePoint reply headers that lack standard reply characteristics and contain inconsistencies in thread elements and recipient patterns↳ also matches body.current_thread, body.html
Impersonation: Suspected supplier impersonation with suspicious content source high: This rule detects supplier impersonation by checking for: similar linked domains to the sender, non-freemail senders using freemail infrastructure, sender domains less than 90 days old, unsolicited communication or no prior interaction with the reply-to address, and a suspicious body.↳ also matches body, body.current_thread, body.links (collection)
Brand impersonation: Wells Fargo source high: Impersonation of Wells Fargo Bank. ↳ also matches body.html
Link to Google Apps Script macro via comment tagging source medium: Message contains a Google Apps Script macro link invoked from a comment on Google Slides|Docs. App Scripts can run arbitrary code, including redirecting the user to a malicious web page. ↳ also matches body, body.links (collection)
Brand impersonation: Microsoft with low reputation links source medium: Detects low reputation links with Microsoft specific indicators in the body.↳ also matches body, body.current_thread, body.html, body.links (collection)
Link: Remittance payment request with timeline template source medium: Detects messages containing references to business days and account information with links containing 'remittance' in the URL path, commonly used in financial fraud schemes. This rule is looking at a specific template we're seeing in use with a expedited timeline.↳ also matches body, body.links (collection)
Link: Secure SharePoint file share from new or unusual sender source low: This ASR rule detects the use of secure SharePoint links which require recipient verifcation before allowing access to the shared file. This has been observed as a method of evading automated analysis of the shared files' content.↳ also matches body, body.current_thread, body.links (collection)

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`body.previous_threads (collection)`

Section: Sublime-Message-body

Description

Message Data Model attribute: body.previous_threads

Fields #

Name	Description
`links`	All links found in the given thread, unique by the target and display text/url.
`links[].href_url.domain.root_domain`	The root domain, including the TLD
`preamble`	The preamble text from the thread, typically the headers of a reply or forward. Things like From, Sent, Subject, saved as one big multiline string. This doesn't include banners.
`recipients.cc`	List of 'cc' Mailbox objects
`recipients.cc[].email.domain.domain`	The fully qualified domain name (FQDN). This may not always be routable, e.g. when an email address contains a domain that is just a TLD with no SLD, e.g. foo@WIN-bar
`recipients.to`	List of 'to' Mailbox objects
`recipients.to[].email.domain.domain`	The fully qualified domain name (FQDN). This may not always be routable, e.g. when an email address contains a domain that is just a TLD with no SLD, e.g. foo@WIN-bar
`sender.email.domain.domain`	The fully qualified domain name (FQDN). This may not always be routable, e.g. when an email address contains a domain that is just a TLD with no SLD, e.g. foo@WIN-bar
`sender.email.domain.root_domain`	The root domain, including the TLD
`sender.email.email`	Full email address
`text`	The text content from the latest reply/forward in a message thread. This typically excludes content from forwarded messages and warning banners.

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Attachment: Encrypted PDF with credential theft body source medium: Attached PDF is encrypted, and email body contains credential theft language. Seen in-the-wild impersonating e-fax services.↳ also matches body, body.current_thread
BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply source medium: Detects suspicious reply messages with urgent language in sender name or email address, minimal body content, and the sender's email address appearing in previous thread content, indicating a self reply.↳ also matches body, body.current_thread
Business Email Compromise: Request for mobile number via reply thread hijacking source medium: This rule detects BEC attacks that use reply threads to solicit mobile numbers, evading detection rules that exclude RE: subjects.↳ also matches body

Show 10 more (13 total)

Brand impersonation: Adobe Sign with suspicious indicators source high: Detects messages impersonating Adobe Sign that contain Adobe branding elements but are not sent from legitimate Adobe domains and lack proper Adobe Sign authentication headers.↳ also matches body, body.html, body.links (collection)
Fake thread with suspicious indicators source medium: Fake thread contains suspicious indicators, which can lead to BEC, credential phishing, and other undesirable outcomes.↳ also matches body, body.current_thread, body.html, body.links (collection), body.plain
Brand impersonation: Google Drive fake file share source medium: This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains. ↳ also matches body, body.current_thread, body.html, body.links (collection), body.plain
Job scam with specific salary pattern source low: Detects job scam content that includes specific weekly salary mentions (e.g., '$XXX weekly' patterns) in either the current email thread or previous thread conversations, while excluding legitimate income verification services.↳ also matches body, body.current_thread
Credential phishing: 'Secure message' and engaging language source medium: Body contains language resembling credential theft, and a "secure message" from an untrusted sender. ↳ also matches body, body.current_thread, body.links (collection)
Link: Free file hosting with undisclosed recipients source medium: Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms.↳ also matches body, body.current_thread
Spam: Attendee list solicitation source low: This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request.↳ also matches body, body.current_thread, body.html, body.links (collection), body.plain
Spam: Personalized subject and greetings via Salesforce Marketing Cloud source low: Detects messages sent through Salesforce Marketing Cloud infrastructure that contain a fake previous email thread, where both the current and previous threads start with the same greeting pattern extracted from the subject line.↳ also matches body, body.current_thread
Spam: Website errors solicitation source low: This rule detects messages claiming to have identified errors on a website. The messages typically offer to send pricing or information upon request.↳ also matches body, body.current_thread, body.html, body.links (collection)
Vendor impersonation: Thread hijacking with typosquat domain source high: Detects potential thread hijacking where the sender uses a domain similar to known senders, exhibits BEC behavior, and shows signs of compromised thread continuity through domain spoofing or thread manipulation.↳ also matches body, body.current_thread

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)