Sublime-Message-mailbox

2 attribute groups in the mailbox section of the Sublime Message Data Model. Each is addressed by its dotted attribute path, not a numbered event.

Attribute group	Description
`mailbox`	Message Data Model attribute: mailbox
`mailbox.email`	Message Data Model attribute: mailbox.email

`mailbox`

Section: Sublime-Message-mailbox

Description

Message Data Model attribute: mailbox

Fields #

Name	Description
`display_name`	Display name
`first_name`	First name (given name) of the mailbox owner
`last_name`	Last name (surname) of the mailbox owner

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Credential phishing: Suspicious e-sign agreement document notification source medium: Detects phishing attempts disguised as e-signature requests, characterized by common document sharing phrases, unusual HTML padding, and suspicious link text.
Spam/fraud: Predatory journal/research paper request source medium: Detects messages related to academic research and publishing that contain suspicious patterns including character manipulation, flattering language, time pressure tactics, and domain registration anomalies. Focuses on unsolicited invitations for manuscript submissions, peer reviews, or editorial roles.
Reconnaissance: Short generic greeting message source medium: Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks.

Show 3 more (6 total)

VIP / Executive impersonation (strict match, untrusted) source high: Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before. The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting any message that matches the protected list of display names from a first-time or unsolicited sender. Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
VIP local_part impersonation from unsolicited sender source high: This rule identifies potential impersonation attempts involving the local part of an $org_vip email address. Specifically, it checks for cases where the local part of an $org_vip email (e.g., local_part@domain.com) appears with a different domain (e.g., local_part@foreigndomain.com). Additionally, the rule flags messages that match an $org_vip address exactly but fail authentication.
VIP / Executive impersonation in subject (untrusted) source medium: Sender subject contains the display name of a user in the $org_vips list, and the sender has never been seen before. The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting any message that matches the protected list of display names from a first-time or unsolicited sender. Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`mailbox.email`

Section: Sublime-Message-mailbox

Description

Message Data Model attribute: mailbox.email

Fields #

Name	Description
`domain.sld`	Second-level domain, e.g. 'windows' for the domain 'windows.net'
`email`	Full email address
`local_part`	Local-part, i.e. before the @

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Inbound message from popular service via newly observed distribution list source medium: Detects when a message comes through a distribution list by matching on return paths containing Sender Rewrite Scheme (SRS) from a previously unknown domain sender to a single recipient who has never interacted with the organization. This method has been observed being abused by threat actors to deliver callback phishing.
Display name impersonation using recipient SLD source medium: The recipient domain's SLD is used in the sender's display name in order to impersonate the organization.
Display name and subject impersonation using recipient SLD (new sender) source medium: The recipient domain's SLD is used in the sender's display name and in the subject to impersonate the organization.

Show 1 more (4 total)

Link: Free file hosting with undisclosed recipients source medium: Detects messages containing links to free file hosting or subdomain services that are sent to undisclosed recipients or only CC/BCC recipients. The rule identifies suspicious distribution patterns where legitimate recipients are hidden, potentially indicating mass distribution of malicious content through file sharing platforms.

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Sublime-Message-mailbox

`mailbox`

Description

Fields #

Detection Rules #

Sublime MQL #

References #

`mailbox.email`

Description

Fields #

Detection Rules #

Sublime MQL #

References #

Keyboard shortcuts

Search operators