Sublime-Message-recipients

4 attribute groups in the recipients section of the Sublime Message Data Model. Each is addressed by its dotted attribute path, not a numbered event.

Attribute group	Description
`recipients`	Message Data Model attribute: recipients
`recipients.bcc (collection)`	Message Data Model attribute: recipients.bcc
`recipients.cc (collection)`	Message Data Model attribute: recipients.cc
`recipients.to (collection)`	Message Data Model attribute: recipients.to

`recipients`

Section: Sublime-Message-recipients

Description

Message Data Model attribute: recipients

Fields #

Name	Description
`bcc`	List of 'bcc' Mailbox objects
`cc`	List of 'cc' Mailbox objects
`to`	List of 'to' Mailbox objects

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure source high: Detects messages containing links to Cloudflare Workers domains that follow naming patterns designed to impersonate legitimate services such as Adobe, DocuSign, OneDrive, SharePoint, and voicemail systems. These domains use suspicious alphanumeric identifiers and may be used to deceive recipients into believing they are accessing trusted services.↳ also matches recipients.to (collection)
Attachment: Adobe image lure in body or attachment with suspicious link source medium: Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.↳ also matches recipients.cc (collection), recipients.to (collection)
Brand impersonation: Adobe (QR code) source high: Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.↳ also matches recipients.to (collection)

Show 17 more (163 total)

Attachment: Callback phishing solicitation via image file source high: A fraudulent invoice/receipt found in an image attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment. ↳ also matches recipients.to (collection)
Attachment: Callback phishing solicitation via pdf file source high: A fraudulent invoice/receipt found in a pdf attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment. ↳ also matches recipients.to (collection)
Attachment: Compensation-themed DOCX with QR code credential theft source high: Detects inbound messages containing DOCX attachments with compensation or benefit-related themes that include QR codes and suspicious indicators. The rule identifies files with reward/benefit language in filenames, compensation-related content in document metadata, and QR codes that may redirect to credential theft pages. It uses natural language processing to detect credential theft intent and suspicious topics like benefit enrollment or financial communications. ↳ also matches recipients.to (collection)
Attachment: EML with link to credential phishing page source high: Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects. ↳ also matches recipients.to (collection)
EML attachment with credential theft language (unknown sender) source high: Identifies EML attachments that use credential theft language from unknown senders.↳ also matches recipients.to (collection)
Attachment: EML with QR code redirecting to Cloudflare challenges source low: Detects EML attachments containing office documents, PDFs, or images with embedded QR codes that redirect to Cloudflare challenge pages, potentially used to bypass security measures.↳ also matches recipients.to (collection)
Attachment: QR code with suspicious URL patterns in EML file source high: Detects EML attachments containing QR codes that link to URLs with suspicious patterns, including specific alphanumeric combinations in subdomains and paths, or special characters followed by encoded terminators. These patterns are commonly used to evade detection in credential theft attacks.↳ also matches recipients.to (collection)
Attachment: EML with suspicious indicators source medium: Attached EML contains suspicious indicators, such as a missing sender email or short HTML body.↳ also matches recipients.to (collection)
Attachment: Encrypted PDF with credential theft body source medium: Attached PDF is encrypted, and email body contains credential theft language. Seen in-the-wild impersonating e-fax services.↳ also matches recipients.to (collection)
Free subdomain link with credential theft indicators source high: Message contains a suspicious Recipients pattern, a link that uses a free subdomain provider, and has credential theft language on the linked page. ↳ also matches recipients.to (collection)
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns source medium: Attached HTML file contains excessive string concatenation, a recipient's email address, and an indicator of HTML smuggling. This pattern has been seen in the wild in an attempt to obfuscate the file's contents.↳ also matches recipients.to (collection)
Attachment: HTML with obfuscation and recipient's email in JavaScript strings source high: Attached HTML file contains JavaScript code with suspicious identifiers like 'atob' or 'decrypt', as well as the recipient's email address embedded within the JavaScript ↳ also matches recipients.to (collection)
Attachment: HTML file with reference to recipient and suspicious patterns source high: Attached HTML file (or HTML file within an attached email) contains references to the recipients email address, indicative of credential phishing, and suspicious Javascript patterns. ↳ also matches recipients.to (collection)
Brand impersonation: Microsoft (QR code) source high: Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads. ↳ also matches recipients.to (collection)
Attachment: Compensation review lure with QR code source high: Detects PDF attachments containing compensation or payroll-themed content with QR codes from unsolicited or suspicious senders.↳ also matches recipients.to (collection)
Attachment: PDF with credential theft language and invalid reply-to domain source medium: Detects PDF attachments containing high-confidence credential theft language that references the recipient's email address, combined with an invalid reply-to domain header.↳ also matches recipients.to (collection)
Attachment: PDF with QR code containing recipient-specific credential theft content source high: Detects PDF attachments containing QR codes that include the recipient's email address (either plaintext or base64 encoded) combined with credential theft language detected through natural language processing. This technique personalizes the attack by incorporating the target's email into the QR code URL while using PDF content to establish credibility.↳ also matches recipients.to (collection)

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`recipients.bcc (collection)`

Section: Sublime-Message-recipients

Description

Message Data Model attribute: recipients.bcc

Fields #

Name	Description
`email.domain.root_domain`	The root domain, including the TLD

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Reconnaissance: Short generic greeting message source medium: Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks. ↳ also matches recipients, recipients.cc (collection), recipients.to (collection)

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`recipients.cc (collection)`

Section: Sublime-Message-recipients

Description

Message Data Model attribute: recipients.cc

Fields #

Name	Description
`email.domain.domain`	The fully qualified domain name (FQDN). This may not always be routable, e.g. when an email address contains a domain that is just a TLD with no SLD, e.g. foo@WIN-bar
`email.domain.root_domain`	The root domain, including the TLD
`email.domain.valid`	Whether the domain is valid
`email.email`	Full email address
`email.local_part`	Local-part, i.e. before the @

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Attachment: Adobe image lure in body or attachment with suspicious link source medium: Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.↳ also matches recipients, recipients.to (collection)
Attachment: QR code with userinfo portion source high: Detects inbound messages that contain image or document attachments with QR codes containing embedded usernames, passwords, or excessively padded URLs. This technique is used to bypass traditional text-based detection methods.↳ also matches recipients, recipients.to (collection)
Job scam (unsolicited sender) source low: Detects job scam attempts by analyzing the message body text from an unsolicited sender. ↳ also matches recipients, recipients.to (collection)

Show 10 more (13 total)

Brand impersonation: Hulu source medium: Impersonation of Hulu.↳ also matches recipients, recipients.to (collection)
Brand impersonation: Netflix source low: Impersonation of Netflix. ↳ also matches recipients, recipients.to (collection)
Link: File sharing impersonation with suspicious language and sending patterns source medium: Detects messages containing file sharing and cloud services topics combined with BEC or credential theft language, featuring links with document-related display text that lead to low-reputation domains outside the sender's domain and organization.↳ also matches recipients, recipients.to (collection)
Link abuse: Self-service creation platform link with suspicious recipient behavior source high: Detects messages from new freemail senders containing links to self-service creation platforms with all-caps display text, combined with suspicious recipient patterns such as invalid recipients, self-sending, or unusual CC/BCC configurations.↳ also matches recipients, recipients.to (collection)
Link: Personal SharePoint with invalid recipients and credential theft language source medium: Detects messages with undisclosed or invalid recipients containing a single link to a personal SharePoint domain (with '-my' pattern) and high-confidence credential theft language in short message body.↳ also matches recipients, recipients.to (collection)
Reconnaissance: Short generic greeting message source medium: Detects potential reconnaissance messages with very short, generic content like 'Hi' or 'Hello' from external senders. These messages are often used to validate email addresses and test deliverability before launching larger attacks. ↳ also matches recipients, recipients.bcc (collection), recipients.to (collection)
Service abuse: GitHub notification with excessive mentions and suspicious links source high: Detects messages impersonating GitHub notifications that contain excessive @ mentions (over 20) and include a single suspicious external link. The suspicious link may be from free file hosts, free subdomain hosts, URL shorteners, or newly registered domains. The rule filters out legitimate GitHub domains and internal employee communications while identifying potential abuse of GitHub's notification system.↳ also matches recipients
Spam: Single recipient duplicated in cc source medium: Detects spam emails where the 'To' and 'CC' fields match, using indicators such as short body length with spam keywords, unsolicited content, dmarc failures, fake threads, and suspicious links.↳ also matches recipients, recipients.to (collection)
Suspicious recipient pattern and language with low reputation link to login source medium: Message contains a suspicious recipient pattern, financial or urgent language, and a suspicious link, with a login page and confusable characters or multiple redirects.↳ also matches recipients, recipients.to (collection)
Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern source medium: RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations. These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss, or data leakage. ↳ also matches recipients, recipients.to (collection)

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`recipients.to (collection)`

Section: Sublime-Message-recipients

Description

Message Data Model attribute: recipients.to

Fields #

Name	Description
`display_name`	Display name
`email.domain.domain`	The fully qualified domain name (FQDN). This may not always be routable, e.g. when an email address contains a domain that is just a TLD with no SLD, e.g. foo@WIN-bar
`email.domain.root_domain`	The root domain, including the TLD
`email.domain.sld`	Second-level domain, e.g. 'windows' for the domain 'windows.net'
`email.domain.valid`	Whether the domain is valid
`email.email`	Full email address
`email.local_part`	Local-part, i.e. before the @

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure source high: Detects messages containing links to Cloudflare Workers domains that follow naming patterns designed to impersonate legitimate services such as Adobe, DocuSign, OneDrive, SharePoint, and voicemail systems. These domains use suspicious alphanumeric identifiers and may be used to deceive recipients into believing they are accessing trusted services.↳ also matches recipients
Attachment: Adobe image lure in body or attachment with suspicious link source medium: Detects Adobe phishing messages with an Adobe logo in the body or attachment, with suspicious link language.↳ also matches recipients, recipients.cc (collection)
Brand impersonation: Adobe (QR code) source high: Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.↳ also matches recipients

Show 17 more (162 total)

Attachment: Callback phishing solicitation via image file source high: A fraudulent invoice/receipt found in an image attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment. ↳ also matches recipients
Attachment: Callback phishing solicitation via pdf file source high: A fraudulent invoice/receipt found in a pdf attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment. ↳ also matches recipients
Attachment: Compensation-themed DOCX with QR code credential theft source high: Detects inbound messages containing DOCX attachments with compensation or benefit-related themes that include QR codes and suspicious indicators. The rule identifies files with reward/benefit language in filenames, compensation-related content in document metadata, and QR codes that may redirect to credential theft pages. It uses natural language processing to detect credential theft intent and suspicious topics like benefit enrollment or financial communications. ↳ also matches recipients
Attachment: DOCX with hyperlink targeting recipient address source medium: Detects DOCX attachments containing hyperlinks with anchor references that match recipient email addresses. This technique is commonly used to personalize malicious documents and evade detection.
Attachment: EML with link to credential phishing page source high: Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects. ↳ also matches recipients
EML attachment with credential theft language (unknown sender) source high: Identifies EML attachments that use credential theft language from unknown senders.↳ also matches recipients
Attachment: EML with QR code redirecting to Cloudflare challenges source low: Detects EML attachments containing office documents, PDFs, or images with embedded QR codes that redirect to Cloudflare challenge pages, potentially used to bypass security measures.↳ also matches recipients
Attachment: QR code with suspicious URL patterns in EML file source high: Detects EML attachments containing QR codes that link to URLs with suspicious patterns, including specific alphanumeric combinations in subdomains and paths, or special characters followed by encoded terminators. These patterns are commonly used to evade detection in credential theft attacks.↳ also matches recipients
Attachment: EML with suspicious indicators source medium: Attached EML contains suspicious indicators, such as a missing sender email or short HTML body.↳ also matches recipients
Attachment: Encrypted PDF with credential theft body source medium: Attached PDF is encrypted, and email body contains credential theft language. Seen in-the-wild impersonating e-fax services.↳ also matches recipients
Free subdomain link with credential theft indicators source high: Message contains a suspicious Recipients pattern, a link that uses a free subdomain provider, and has credential theft language on the linked page. ↳ also matches recipients
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns source medium: Attached HTML file contains excessive string concatenation, a recipient's email address, and an indicator of HTML smuggling. This pattern has been seen in the wild in an attempt to obfuscate the file's contents.↳ also matches recipients
Attachment: HTML with obfuscation and recipient's email in JavaScript strings source high: Attached HTML file contains JavaScript code with suspicious identifiers like 'atob' or 'decrypt', as well as the recipient's email address embedded within the JavaScript ↳ also matches recipients
Attachment: HTML file with reference to recipient and suspicious patterns source high: Attached HTML file (or HTML file within an attached email) contains references to the recipients email address, indicative of credential phishing, and suspicious Javascript patterns. ↳ also matches recipients
Attachment: ICS calendar file with base64 encoded recipient address in URL parameters source high: Detects inbound messages containing ICS calendar attachments where event links have multiple URL parameters, and the base64 decoded combination of those parameters matches the recipient's email address. This technique may be used to personalize malicious links or track specific targets.
Attachment: ICS calendar file with QR code containing recipient email address source high: Detects calendar attachments (.ics files) containing QR codes that include the recipient's email address in the URL, URL fragment, or base64-encoded data. This technique is commonly used to personalize credential theft attacks by embedding the target's email address within calendar invitations.
Attachment: ICS calendar file with recipient address in UID field source high: Detects inbound messages containing ICS calendar attachments where the UID property matches the recipient's email address, indicating potential calendar-based social engineering.

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Sublime-Message-recipients

`recipients`

Description

Fields #

Detection Rules #

Sublime MQL #

References #

`recipients.bcc (collection)`

Description

Fields #

Detection Rules #

Sublime MQL #

References #

`recipients.cc (collection)`

Description

Fields #

Detection Rules #

Sublime MQL #

References #

`recipients.to (collection)`

Description

Fields #

Detection Rules #

Sublime MQL #

References #

Keyboard shortcuts

Search operators