Sublime-Message-headers

9 attribute groups in the headers section of the Sublime Message Data Model. Each is addressed by its dotted attribute path, not a numbered event.

Attribute group	Description
`headers (collection)`	Message Data Model attribute: headers
`headers.auth_summary`	Message Data Model attribute: headers.auth_summary
`headers.domains (collection)`	Message Data Model attribute: headers.domains
`headers.hops (collection)`	Message Data Model attribute: headers.hops
`headers.reply_to (collection)`	Message Data Model attribute: headers.reply_to
`headers.return_path`	Message Data Model attribute: headers.return_path
`headers.x_authenticated_domain`	Message Data Model attribute: headers.x_authenticated_domain
`headers.x_authenticated_sender`	Message Data Model attribute: headers.x_authenticated_sender
`headers.x_originating_ip`	Message Data Model attribute: headers.x_originating_ip

`headers (collection)`

Section: Sublime-Message-headers

Description

Message Data Model attribute: headers

Fields #

Name	Description
`domains`	All domains found in the Received headers
`hops`	List of hops the message took from Sender to Recipient
`in_reply_to`	In-Reply-To header value which identifies its parent message if exists
`mailer`	X-Mailer or User-Agent extracted from headers
`message_id`	Message-ID extracted from the header
`references`	The Message-IDs of the other messages within this chain
`references[]`	The Message-IDs of the other messages within this chain
`reply_to`	Where replies should be delivered to

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Service abuse: DocSend share from newly registered domain source high: This Attack Surface Reduction (ASR) rule matches on DocSend notifications with recently registered reply-to domains.↳ also matches headers.auth_summary, headers.reply_to (collection)
Service abuse: DocuSign notification with suspicious sender or document name source medium: The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name.↳ also matches headers.auth_summary, headers.reply_to (collection)
Service abuse: DocuSign share from an unsolicited reply-to address source medium: DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.↳ also matches headers.auth_summary, headers.reply_to (collection)

Show 17 more (259 total)

Service abuse: Dropbox share from new domain source medium: This Attack Surface Reduction (ASR) rule matches on Dropbox notifications with recently registered reply-to domains.↳ also matches headers.auth_summary, headers.reply_to (collection)
Service abuse: Dropbox share with suspicious sender or document name source medium: The detection rule is intended to match on messages sent from DropBox indicating a shared file to the recipient which contains suspicious content within the document or sender display name.↳ also matches headers.auth_summary, headers.reply_to (collection)
Service Abuse: ExactTarget with suspicious sender indicators source high: Message originates from ExactTarget infrastructure but uses a suspicious sender domain, including overly long salesforce.com domains, awsapps.com domains, domains containing UTF-8 encoding characters, or a suspicious sender display name.↳ also matches headers.domains (collection)
Service abuse: Google Firebase sender address with suspicious content source low: Detects messages from Firebase hosted domains that contain suspicious indicators such as emojis, spam keywords, unusual link patterns, or freemail registrant information.↳ also matches headers.reply_to (collection)
Service abuse: Google Drive share from new reply-to domain source medium: A Google Drive sharing notification containing a reply-to address from a recently registered domain (less than 30 days old). The reply-to domain does not match any organizational domains.↳ also matches headers.reply_to (collection)
Service abuse: Google Drive share from an unsolicited reply-to address source medium: Identifies messages appearing to come from Google Drive sharing notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Google services while attempting to establish unauthorized communication channels.↳ also matches headers.reply_to (collection)
Service Abuse: HelloSign share with suspicious sender or document name source medium: The detection rule is designed to identify messages sent from HelloSign that notify recipients about a shared file and contain suspicious content either in the document or the sender's display name.↳ also matches headers.auth_summary, headers.hops (collection)
Service abuse: HelloSign from an unsolicited sender address source low: Detects messages from HelloSign in which the document originates from a newly observed email address. The email address is extracted from across multiple message components, including HTML body templates and email header fields.↳ also matches headers.auth_summary, headers.hops (collection)
Brand impersonation: QuickBooks notification from Intuit themed company name source medium: This detection rule matches on QuickBooks notifications that feature company names impersonating Intuit and QuickBooks.↳ also matches headers.auth_summary, headers.reply_to (collection)
Service abuse: QuickBooks notification from new domain source medium: This Attack Surface Reduction (ASR) rule matches on QuickBooks notifications with recently registered reply-to domains.↳ also matches headers.auth_summary, headers.reply_to (collection)
Service abuse: SurveyMonkey survey from newly registered domain source high: This Attack Surface Reduction (ASR) rule matches on SurveyMonkey Surveys with recently registered reply-to domains.↳ also matches headers.auth_summary, headers.reply_to (collection)
Service abuse: AppSheet infrastructure with suspicious indicators source medium: Identifies messages that resemble credential theft, originating from AppSheet. AppSheet infrastrcture abuse has been observed recently to send phishing attacks.↳ also matches headers.reply_to (collection)
Newly registered sender or reply-to domain with newly registered linked domain source medium: This rule detects inbound emails that contain links and a reply-to address, where either the sender domain or the reply-to domain is newly registered (≤30 days old), and at least one linked domain is also very new (≤14 days old). It flags potential phishing or business email compromise attempts that use recently created infrastructure and reply-to mismatch tactics to bypass trust and impersonate legitimate contacts.↳ also matches headers.reply_to (collection)
Suspicious mailer received from Gmail servers source low: Mailer is atypical of sends from Gmail infrastructure. Observed sending callback phishing and general spam.↳ also matches headers.hops (collection), headers.return_path
Attachment: Adobe image lure in body or attachment with suspicious link source medium: Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.↳ also matches headers.auth_summary, headers.hops (collection)
Brand impersonation: Adobe (QR code) source high: Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.↳ also matches headers.auth_summary, headers.hops (collection)
Attachment: Callback phishing solicitation via text-based file source medium: Callback Phishing via a text-based file attachment and a short body and subject from an unknown sender.↳ also matches headers.hops (collection)

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`headers.auth_summary`

Section: Sublime-Message-headers

Description

Message Data Model attribute: headers.auth_summary

Fields #

Name	Description
`dmarc.details.from.domain`	The fully qualified domain name (FQDN). This may not always be routable, e.g. when an email address contains a domain that is just a TLD with no SLD, e.g. foo@WIN-bar
`dmarc.details.from.root_domain`	The root domain, including the TLD
`dmarc.pass`	Whether the DMARC check passed
`spf.details.designator`	Email or domain of the designating body
`spf.pass`	Whether the SPF check passed

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Service abuse: Adobe Sign notification from an unsolicited reply-to address source medium: Identifies messages appearing to come from Adobe Sign signature notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Adobe services while attempting to establish unauthorized communication channels.
Service abuse: Behance document sharing with suspicious language source medium: Detects messages containing document sharing language with a single Behance gallery link, potentially indicating abuse of the legitimate Adobe Behance platform for malicious purposes.
Service abuse: DocSend share from newly registered domain source high: This Attack Surface Reduction (ASR) rule matches on DocSend notifications with recently registered reply-to domains.↳ also matches headers (collection), headers.reply_to (collection)

Show 17 more (435 total)

Service abuse: DocuSign notification with suspicious sender or document name source medium: The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name.↳ also matches headers (collection), headers.reply_to (collection)
Service abuse: DocuSign share from an unsolicited reply-to address source medium: DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.↳ also matches headers (collection), headers.reply_to (collection)
Service abuse: Dropbox share from new domain source medium: This Attack Surface Reduction (ASR) rule matches on Dropbox notifications with recently registered reply-to domains.↳ also matches headers (collection), headers.reply_to (collection)
Service abuse: Dropbox share with suspicious sender or document name source medium: The detection rule is intended to match on messages sent from DropBox indicating a shared file to the recipient which contains suspicious content within the document or sender display name.↳ also matches headers (collection), headers.reply_to (collection)
Service abuse: Dropbox share from an unsolicited reply-to address source medium: This rule detects Dropbox share notifications which contain a reply-to address or domain that has not been previously observed sending messages to or receiving messages from the recipient organization.
Google services using g.co shortlinks source medium: Identifies messages from authenticated Google domains containing g.co shortened URLs with a subdomain in either the message body links or thread text.
Service Abuse: HelloSign share with suspicious sender or document name source medium: The detection rule is designed to identify messages sent from HelloSign that notify recipients about a shared file and contain suspicious content either in the document or the sender's display name.↳ also matches headers (collection), headers.hops (collection)
Service abuse: HelloSign from an unsolicited sender address source low: Detects messages from HelloSign in which the document originates from a newly observed email address. The email address is extracted from across multiple message components, including HTML body templates and email header fields.↳ also matches headers (collection), headers.hops (collection)
Service abuse: Meetup.com redirect with brand impersonation source medium: Detects messages abusing Meetup.com's click tracking service with lengthy redirect URLs while impersonating legitimate Meetup communications. The rule identifies suspicious links to clicks.meetup.com with URLs exceeding 300 characters, excludes legitimate Meetup emails by checking for their branding elements, and filters out high-trust authenticated senders.
Brand impersonation: QuickBooks notification from Intuit themed company name source medium: This detection rule matches on QuickBooks notifications that feature company names impersonating Intuit and QuickBooks.↳ also matches headers (collection), headers.reply_to (collection)
Service abuse: QuickBooks notification from new domain source medium: This Attack Surface Reduction (ASR) rule matches on QuickBooks notifications with recently registered reply-to domains.↳ also matches headers (collection), headers.reply_to (collection)
Service abuse: SurveyMonkey survey from newly registered domain source high: This Attack Surface Reduction (ASR) rule matches on SurveyMonkey Surveys with recently registered reply-to domains.↳ also matches headers (collection), headers.reply_to (collection)
Service abuse: Task management message sent via SendGrid source medium: Detects messages impersonating task or productivity applications by using 'todo list' in the subject line or body while utilizing SendGrid infrastructure. The sender claims to be task-related through display name or body content but originates from non-legitimate domains without proper DMARC authentication.↳ also matches headers.return_path
Attachment: Adobe image lure in body or attachment with suspicious link source medium: Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.↳ also matches headers (collection), headers.hops (collection)
Brand impersonation: Adobe (QR code) source high: Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.↳ also matches headers (collection), headers.hops (collection)
Attachment: Any HTML file (untrusted sender) source medium: Potential HTML smuggling attacks from new senders. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.
Attachment: Any HTML file (unsolicited) source low: Potential HTML smuggling attacks in unsolicited messages. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`headers.domains (collection)`

Section: Sublime-Message-headers

Description

Message Data Model attribute: headers.domains

Fields #

Name	Description
`domain`	The fully qualified domain name (FQDN). This may not always be routable, e.g. when an email address contains a domain that is just a TLD with no SLD, e.g. foo@WIN-bar
`root_domain`	The root domain, including the TLD
`tld`	The domain's top-level domain. E.g. the TLD of google.com is 'com'

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Service Abuse: ExactTarget with suspicious sender indicators source high: Message originates from ExactTarget infrastructure but uses a suspicious sender domain, including overly long salesforce.com domains, awsapps.com domains, domains containing UTF-8 encoding characters, or a suspicious sender display name.↳ also matches headers (collection)
Attachment: Fake secure message and suspicious indicators source medium: Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.↳ also matches headers (collection), headers.auth_summary, headers.hops (collection)
EML attachment with credential theft language (unknown sender) source high: Identifies EML attachments that use credential theft language from unknown senders.↳ also matches headers (collection), headers.auth_summary

Show 17 more (50 total)

Brand impersonation: AliExpress source medium: Detects messages impersonating AliExpress by matching known footer text and social media links, while confirming the sender is not legitimately from AliExpress or its infrastructure.↳ also matches headers (collection), headers.auth_summary
Brand impersonation: Aquent source medium: Detects messages impersonating Aquent, a staffing and talent solutions company, by analyzing sender display names and body content for Aquent branding and office addresses from unauthorized domains.↳ also matches headers (collection), headers.auth_summary
Brand impersonation: Morgan Stanley source medium: Detects messages impersonating Morgan Stanley that contain indicators of credential theft or callback scams, including references to secure email systems, client service centers, financial advisors, and registration processes. The rule identifies spoofed communications by checking for Morgan Stanley branding elements while excluding legitimate domains.↳ also matches headers (collection), headers.auth_summary, headers.hops (collection)
Callback phishing in body or attachment (untrusted sender) source medium: Detects callback scams by analyzing text within images of receipts or invoices from untrusted senders. ↳ also matches headers (collection), headers.auth_summary
ClickFunnels link infrastructure abuse source high: Email contains a ClickFunnels (mass mailing platform) tracking link but does not originate from ClickFunnels sending infrastructure. The myclickfunnels.com domain has been abused by threat actors to attempt credential phishing.↳ also matches headers (collection), headers.hops (collection)
Compensation review with QR code in attached EML source high: Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents.↳ also matches headers (collection), headers.auth_summary
Impersonation: Internal corporate services source high: Detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits, using specific language in the subject or sender's name and containing suspicious links from low-reputation or mass-mailing domains.↳ also matches headers (collection), headers.auth_summary, headers.hops (collection)
Credential phishing: Email delivery failure impersonation source high: Detects phishing emails impersonating email system notifications claiming delivery failures, rejected messages, or email system issues requiring user action to 'fix' or 'recover' email functionality. These attacks typically claim incoming emails couldn't be delivered and direct users to malicious portals to harvest credentials. ↳ also matches headers (collection), headers.auth_summary
Fake email quarantine notification source high: Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages.↳ also matches headers (collection), headers.auth_summary
Attachment: EML with Sharepoint link likely unrelated to sender source medium: Detects EML attachments containing SharePoint links where the subdomain differs significantly from the sender's domain, potentially indicating SharePoint impersonation or domain spoofing tactics.↳ also matches headers (collection), headers.auth_summary
Fake thread with suspicious indicators source medium: Fake thread contains suspicious indicators, which can lead to BEC, credential phishing, and other undesirable outcomes.↳ also matches headers (collection), headers.auth_summary, headers.hops (collection), headers.return_path
Vendor compromise: GovDelivery message with suspicious link source high: Detects messages from GovDelivery that contain links to non-government domains, URL shorteners, newly registered domains, or domains with suspicious redirects. GovDelivery is a digital communications system that lets government agencies send updates via email, text, and social media. We have observed compromised American municipal and county GovDelivery delivering phishing emails.↳ also matches headers (collection), headers.auth_summary
Brand impersonation: Adobe with suspicious language and link source high: Email contains an Adobe logo, at least one link, and suspicious link language from a new sender.↳ also matches headers (collection), headers.auth_summary
Brand impersonation: Box file sharing service source medium: Detects messages impersonating Box file sharing service by identifying Box logos, collaboration-related language, or Box company address information from senders not associated with the legitimate box.com domain.↳ also matches headers (collection), headers.auth_summary
Brand impersonation: Wix source medium: Detects messages impersonating Wix by using similar display names or domain names, while not originating from legitimate WIX domains or failing DMARC authentication from trusted senders.↳ also matches headers (collection), headers.auth_summary
Brand impersonation: DocuSign source high: Attack impersonating a DocuSign request for signature. ↳ also matches headers (collection), headers.auth_summary, headers.hops (collection)
Brand impersonation: Mailgun source medium: Impersonation of the Mailgun Email delivery platform.↳ also matches headers (collection), headers.auth_summary, headers.hops (collection)

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`headers.hops (collection)`

Section: Sublime-Message-headers

Description

Message Data Model attribute: headers.hops

Fields #

Name	Description
`authentication_results.compauth.verdict`	Verdict of the compauth
`authentication_results.dkim`	Verdict of the Domain Keys Identified Mail check
`authentication_results.dkim_details`	List of details of the Domain Keys Identified Mail checks
`authentication_results.dkim_details[].domain`	Domain identified in the DKIM signature if any. This is the domain that's queried for the public key.
`authentication_results.dmarc`	Verdict of the Domain-based Message Authentication, Reporting & Conformance check
`authentication_results.dmarc_details.from.domain`	The fully qualified domain name (FQDN). This may not always be routable, e.g. when an email address contains a domain that is just a TLD with no SLD, e.g. foo@WIN-bar
`authentication_results.spf`	Verdict of the Sender Policy Framework
`authentication_results.spf_details.designator`	Email or domain of the designating body
`fields`	List of all raw header fields contained within this hop
`fields[].name`	The name of the field
`fields[].value`	The value contained within the field
`index`	Index indicates the order in which a hop occurred from sender to recipient
`received.server.raw`	The raw string of 'by' section
`received.source.raw`	The raw string of 'from' section
`received_spf.designator`	Email or domain of the designating body
`signature.headers`	Header fields signed by the algorithm

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Service Abuse: HelloSign share with suspicious sender or document name source medium: The detection rule is designed to identify messages sent from HelloSign that notify recipients about a shared file and contain suspicious content either in the document or the sender's display name.↳ also matches headers (collection), headers.auth_summary
Service abuse: HelloSign from an unsolicited sender address source low: Detects messages from HelloSign in which the document originates from a newly observed email address. The email address is extracted from across multiple message components, including HTML body templates and email header fields.↳ also matches headers (collection), headers.auth_summary
Suspicious mailer received from Gmail servers source low: Mailer is atypical of sends from Gmail infrastructure. Observed sending callback phishing and general spam.↳ also matches headers (collection), headers.return_path

Show 17 more (90 total)

Attachment: Adobe image lure in body or attachment with suspicious link source medium: Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.↳ also matches headers (collection), headers.auth_summary
Brand impersonation: Adobe (QR code) source high: Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.↳ also matches headers (collection), headers.auth_summary
Attachment: Callback phishing solicitation via text-based file source medium: Callback Phishing via a text-based file attachment and a short body and subject from an unknown sender.↳ also matches headers (collection)
Attachment: Fake secure message and suspicious indicators source medium: Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.↳ also matches headers (collection), headers.auth_summary, headers.domains (collection)
Brand impersonation: DocuSign branded attachment lure with no DocuSign links source high: Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo or verbage within an image or PDF attachment, from an untrusted sender.↳ also matches headers (collection)
Attachment: EML file contains HTML attachment with login portal indicators source high: Attached EML file contains an HTML attachment with suspicious login indicators. Known credential theft technique. ↳ also matches headers (collection)
Encrypted Microsoft Office files from untrusted sender source medium: Detects encrypted Microsoft Office document attachments (Word, Excel, PowerPoint, Access) from untrusted senders or high-trust senders failing DMARC authentication, which may indicate an effort to bypass security scanning.↳ also matches headers (collection)
Extortion / sextortion in attachment from untrusted sender source low: Detects extortion and sextortion attempts by analyzing attachment text from an untrusted sender.↳ also matches headers (collection)
Brand Impersonation: Google (QR Code) source high: Detects messages using Google based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.↳ also matches headers (collection)
Attachment: Calendar invite with suspicious link leading to an open redirect source high: Calendar invite contains a link to either a free file host or free subdomain host, and the resulting webpage contains another link to an open redirect.↳ also matches headers (collection)
Brand impersonation: Microsoft (QR code) source high: Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads. ↳ also matches headers (collection)
Attachment: Microsoft impersonation via PDF with link and suspicious language source high: Attached PDF contains a Microsoft-affilated logo, suspicious language or keywords, and a link. Known malware delivery method.↳ also matches headers (collection), headers.auth_summary
Attachment: Microsoft 365 credential phishing source high: Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords. ↳ also matches headers (collection), headers.auth_summary
Attachment: DocuSign impersonation via PDF linking to new domain source medium: This rule detects PDF files containing a DocuSign logo linking to a newly created domain (Less than or equal to 3 days)↳ also matches headers (collection), headers.auth_summary
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender source medium: This rule identifies messages with an RFC822 attachment contains language indicative of suspicious file-sharing activity. It checks both the original sender and the nested sender against highly trusted domains. The original message is unsolicited, and has not been previously flagged as a false positive.↳ also matches headers (collection)
HTML smuggling containing recipient email address source medium: HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address.↳ also matches headers (collection), headers.auth_summary
Extortion / sextortion (untrusted sender) source low: Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender. ↳ also matches headers (collection), headers.auth_summary

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`headers.reply_to (collection)`

Section: Sublime-Message-headers

Description

Message Data Model attribute: headers.reply_to

Fields #

Name	Description
`display_name`	Display name
`email.domain`
`email.domain.domain`	The fully qualified domain name (FQDN). This may not always be routable, e.g. when an email address contains a domain that is just a TLD with no SLD, e.g. foo@WIN-bar
`email.domain.root_domain`	The root domain, including the TLD
`email.domain.tld`	The domain's top-level domain. E.g. the TLD of google.com is 'com'
`email.email`	Full email address
`email.local_part`	Local-part, i.e. before the @

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Service abuse: DocSend share from newly registered domain source high: This Attack Surface Reduction (ASR) rule matches on DocSend notifications with recently registered reply-to domains.↳ also matches headers (collection), headers.auth_summary
Service abuse: DocuSign notification with suspicious sender or document name source medium: The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name.↳ also matches headers (collection), headers.auth_summary
Service abuse: DocuSign share from an unsolicited reply-to address source medium: DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.↳ also matches headers (collection), headers.auth_summary

Show 17 more (73 total)

Service abuse: Dropbox share from new domain source medium: This Attack Surface Reduction (ASR) rule matches on Dropbox notifications with recently registered reply-to domains.↳ also matches headers (collection), headers.auth_summary
Service abuse: Dropbox share with suspicious sender or document name source medium: The detection rule is intended to match on messages sent from DropBox indicating a shared file to the recipient which contains suspicious content within the document or sender display name.↳ also matches headers (collection), headers.auth_summary
Service abuse: Google Firebase sender address with suspicious content source low: Detects messages from Firebase hosted domains that contain suspicious indicators such as emojis, spam keywords, unusual link patterns, or freemail registrant information.↳ also matches headers (collection)
Service abuse: Google Drive share from new reply-to domain source medium: A Google Drive sharing notification containing a reply-to address from a recently registered domain (less than 30 days old). The reply-to domain does not match any organizational domains.↳ also matches headers (collection)
Service abuse: Google Drive share from an unsolicited reply-to address source medium: Identifies messages appearing to come from Google Drive sharing notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Google services while attempting to establish unauthorized communication channels.↳ also matches headers (collection)
Brand impersonation: QuickBooks notification from Intuit themed company name source medium: This detection rule matches on QuickBooks notifications that feature company names impersonating Intuit and QuickBooks.↳ also matches headers (collection), headers.auth_summary
Service abuse: QuickBooks notification from new domain source medium: This Attack Surface Reduction (ASR) rule matches on QuickBooks notifications with recently registered reply-to domains.↳ also matches headers (collection), headers.auth_summary
Service abuse: SurveyMonkey survey from newly registered domain source high: This Attack Surface Reduction (ASR) rule matches on SurveyMonkey Surveys with recently registered reply-to domains.↳ also matches headers (collection), headers.auth_summary
Service abuse: AppSheet infrastructure with suspicious indicators source medium: Identifies messages that resemble credential theft, originating from AppSheet. AppSheet infrastrcture abuse has been observed recently to send phishing attacks.↳ also matches headers (collection)
Newly registered sender or reply-to domain with newly registered linked domain source medium: This rule detects inbound emails that contain links and a reply-to address, where either the sender domain or the reply-to domain is newly registered (≤30 days old), and at least one linked domain is also very new (≤14 days old). It flags potential phishing or business email compromise attempts that use recently created infrastructure and reply-to mismatch tactics to bypass trust and impersonate legitimate contacts.↳ also matches headers (collection)
Attachment: EML with link to credential phishing page source high: Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects. ↳ also matches headers (collection)
Attachment: Office document with VSTO add-in source high: Recursively scans files and archives to detect Office documents with VSTO Add-ins. ↳ also matches headers (collection)
Attachment: PDF with credential theft language and invalid reply-to domain source medium: Detects PDF attachments containing high-confidence credential theft language that references the recipient's email address, combined with an invalid reply-to domain header.↳ also matches headers (collection), headers.auth_summary
BEC/Fraud: Generic scam attempt to undisclosed recipients source low: Detects potential generic scams by analyzing text within the email body and other suspicious signals. ↳ also matches headers (collection), headers.auth_summary
BEC/Fraud: Penpal scam source medium: This rule detects messages from individuals looking to establish contact under the guise of seeking friendship or a penpal relationship. Over time, they build trust and then exploit this relationship by asking for money, personal information, or involvement in suspicious activities.↳ also matches headers (collection), headers.auth_summary
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns source medium: Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes.↳ also matches headers (collection), headers.x_originating_ip
Advance Fee Fraud (AFF) from freemail provider or suspicious TLD source medium: Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised future returns, such as lottery scams, inheritance payouts, and investment opportunities. This rule identifies messages from Freemail domains or suspicious TLDS, including those with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect AFF language in their contents. ↳ also matches headers (collection)

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`headers.return_path`

Section: Sublime-Message-headers

Description

Message Data Model attribute: headers.return_path

Fields #

Name	Description
`domain`
`domain.domain`	The fully qualified domain name (FQDN). This may not always be routable, e.g. when an email address contains a domain that is just a TLD with no SLD, e.g. foo@WIN-bar
`domain.root_domain`	The root domain, including the TLD
`domain.tld`	The domain's top-level domain. E.g. the TLD of google.com is 'com'
`email`	Full email address
`local_part`	Local-part, i.e. before the @

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Service abuse: Task management message sent via SendGrid source medium: Detects messages impersonating task or productivity applications by using 'todo list' in the subject line or body while utilizing SendGrid infrastructure. The sender claims to be task-related through display name or body content but originates from non-legitimate domains without proper DMARC authentication.↳ also matches headers.auth_summary
Suspicious mailer received from Gmail servers source low: Mailer is atypical of sends from Gmail infrastructure. Observed sending callback phishing and general spam.↳ also matches headers (collection), headers.hops (collection)
Business Email Compromise (BEC) attempt from unsolicited sender source medium: Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from unsolicited senders. ↳ also matches headers (collection), headers.auth_summary, headers.reply_to (collection)

Show 17 more (36 total)

Brand impersonation: Greenvelope source medium: Detects messages impersonating Greenvelope invitations not originating from legitimate Greenvelope domain.↳ also matches headers (collection), headers.auth_summary
Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old source medium: This rule checks for invoicing content from a sender, reply-to domain or return-path domain less than 30d old. It also checks the body or the OCR'd screenshot for key words commonly abused in fraudulent invoicing attacks. ↳ also matches headers (collection), headers.reply_to (collection)
Fake request for tax preparation source high: Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576.↳ also matches headers (collection), headers.reply_to (collection)
Fake thread with suspicious indicators source medium: Fake thread contains suspicious indicators, which can lead to BEC, credential phishing, and other undesirable outcomes.↳ also matches headers (collection), headers.auth_summary, headers.domains (collection), headers.hops (collection)
Message traversed multiple onmicrosoft.com tenants source medium: This detection rule identifies messages that have traversed multiple distinct onmicrosoft.com tenants. This technique has been observed as an evasion tactic to distribute a single message across a list of targeted recipients.↳ also matches headers (collection), headers.hops (collection)
Inbound message from popular service via newly observed distribution list source medium: Detects when a message comes through a distribution list by matching on return paths containing Sender Rewrite Scheme (SRS) from a previously unknown domain sender to a single recipient who has never interacted with the organization. This method has been observed being abused by threat actors to deliver callback phishing.↳ also matches headers (collection), headers.auth_summary, headers.hops (collection), headers.reply_to (collection)
BEC with unusual reply-to or return-path mismatch source high: Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with medium or high confidence.↳ also matches headers (collection), headers.auth_summary, headers.hops (collection), headers.reply_to (collection)
Russia return-path TLD (untrusted sender) source low: The return-path header is a .ru TLD from an untrusted sender.
Sendgrid onmicrosoft.com domain phishing source medium: The message originates from an onmicrosoft.com email address being sent via Sendgrid.
Sendgrid voicemail phish source high: The message may contain a fake voicemail notification being sent via Sendgrid.
Fake shipping notification with link to free file hosting source low: This rule detects spam emails impersonating FedEx, UPS, or USPS with links to free file hosting.
Brand impersonation: Google Drive fake file share source medium: This rule detects messages impersonating a Google Drive file sharing email where no links point to known Google domains. ↳ also matches headers (collection), headers.auth_summary
VIP Impersonation via Google Group relay with suspicious indicators source high: Public Google Groups can be used to impersonate internal senders, while the reply to address is not under organizational control, leading to fraud, credential phishing, or other unwanted outcomes.↳ also matches headers (collection), headers.auth_summary, headers.hops (collection), headers.reply_to (collection)
Brand impersonation: Ledger source low: Attack impersonating hardware cryptocurrency wallet ledger.com's brand. ↳ also matches headers.auth_summary
Brand impersonation: LinkedIn source medium: Impersonation of LinkedIn. ↳ also matches headers (collection), headers.reply_to (collection)
Brand impersonation: Microsoft with embedded logo and credential theft language source high: This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender.↳ also matches headers (collection), headers.auth_summary, headers.domains (collection), headers.hops (collection)
Brand impersonation: Microsoft fake sign-in alert source medium: Detects messages impersonating Microsoft that mimic sign-in security alerts and attempt to solicit a response. ↳ also matches headers (collection), headers.hops (collection), headers.reply_to (collection)

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`headers.x_authenticated_domain`

Section: Sublime-Message-headers

Description

Message Data Model attribute: headers.x_authenticated_domain

Fields #

Name	Description
`domain`	The fully qualified domain name (FQDN). This may not always be routable, e.g. when an email address contains a domain that is just a TLD with no SLD, e.g. foo@WIN-bar

Detection Rules #

View all rules referencing this event →

Sublime MQL #

VIP impersonation with invoicing request source high: This rule detects emails attempting to impersonate a VIP, it leverages NLU to determine if there is invoicing verbiage in the current thread, and requires request language.↳ also matches headers (collection), headers.auth_summary, headers.reply_to (collection), headers.x_authenticated_sender

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`headers.x_authenticated_sender`

Section: Sublime-Message-headers

Description

Message Data Model attribute: headers.x_authenticated_sender

Fields #

Name	Description
`email`	Full email address

Detection Rules #

View all rules referencing this event →

Sublime MQL #

VIP impersonation with invoicing request source high: This rule detects emails attempting to impersonate a VIP, it leverages NLU to determine if there is invoicing verbiage in the current thread, and requires request language.↳ also matches headers (collection), headers.auth_summary, headers.reply_to (collection), headers.x_authenticated_domain

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`headers.x_originating_ip`

Section: Sublime-Message-headers

Description

Message Data Model attribute: headers.x_originating_ip

Fields #

Name	Description
`ip`	The IP in canonical form

Detection Rules #

View all rules referencing this event →

Sublime MQL #

BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns source medium: Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes.↳ also matches headers (collection), headers.reply_to (collection)

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)