Sublime-Message-sender

2 attribute groups in the sender section of the Sublime Message Data Model. Each is addressed by its dotted attribute path, not a numbered event.

Attribute group	Description
`sender`	Message Data Model attribute: sender
`sender.email`	Message Data Model attribute: sender.email

`sender`

Section: Sublime-Message-sender

Description

Message Data Model attribute: sender

Fields #

Name	Description
`display_name`	Display name

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Service abuse: DocuSign notification with suspicious sender or document name source medium: The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name.↳ also matches sender.email
Service Abuse: ExactTarget with suspicious sender indicators source high: Message originates from ExactTarget infrastructure but uses a suspicious sender domain, including overly long salesforce.com domains, awsapps.com domains, domains containing UTF-8 encoding characters, or a suspicious sender display name.↳ also matches sender.email
Service Abuse: HelloSign share with suspicious sender or document name source medium: The detection rule is designed to identify messages sent from HelloSign that notify recipients about a shared file and contain suspicious content either in the document or the sender's display name.↳ also matches sender.email

Show 17 more (208 total)

Service abuse: Substack credential theft with confusable characters and branded button redirects source medium: Detects messages from Substack that use confusable characters in the sender display name, contain purple buttons or typical button classes that redirect to non-Substack domains, and include credential theft content with urgency indicators.↳ also matches sender.email
Service abuse: Suspicious Zoom Docs link source low: Detects messages from Zoom Docs in which the document originates from a newly observed email address or contains suspicious indicators.↳ also matches sender.email
Service abuse: AppSheet infrastructure with suspicious indicators source medium: Identifies messages that resemble credential theft, originating from AppSheet. AppSheet infrastrcture abuse has been observed recently to send phishing attacks.↳ also matches sender.email
Brand impersonation: Adobe (QR code) source high: Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.↳ also matches sender.email
Brand impersonation: DocuSign branded attachment lure with no DocuSign links source high: Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo or verbage within an image or PDF attachment, from an untrusted sender.
Attachment: EML with link to credential phishing page source high: Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects. ↳ also matches sender.email
Brand Impersonation: Google (QR Code) source high: Detects messages using Google based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.↳ also matches sender.email
Attachment: Legal themed message or PDF with suspicious indicators source medium: Detects messages with short body content or emoji containing PDF attachments from suspicious creators that include legal and compliance language with embedded malicious links, URL shorteners, or newly registered domains.
Brand impersonation: Microsoft (QR code) source high: Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads. ↳ also matches sender.email
Attachment: PDF bid/proposal lure with credential theft indicators source medium: Detects single-page PDF attachments containing bid, proposal, RFP, RFQ, or quotation-related lures combined with high-confidence credential theft language or suspicious domains. The rule examines various locations including PDF URLs, OCR content, file names, subject lines, and message body for these indicators.↳ also matches sender.email
Attachment: QR code link with base64-encoded recipient address source high: Detects when an image or macro attachment contains QR codes that, when scanned, lead to URLs containing the recipient's email address. This tactic is used to uniquely track or target specific recipients and serve tailored credential phishing pages.
HTML smuggling containing recipient email address source medium: HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address.↳ also matches sender.email
Suspicious attachment with unscannable Cloudflare link source medium: A PDF or Office document contains suspicious URLs that lead to Cloudflare-protected pages with turnstile CAPTCHA gates. The sender uses deceptive display names and subjects indicating urgency or authority.↳ also matches sender.email
Attachment with VBA macros from employee impersonation (unsolicited) source high: Attachment contains a VBA macro from a sender your organization has never sent an email to. Sender is using a display name that matches the display name of someone in your organization. VBA macros are a common phishing technique used to deploy malware.
BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply source medium: Detects suspicious reply messages with urgent language in sender name or email address, minimal body content, and the sender's email address appearing in previous thread content, indicating a self reply.↳ also matches sender.email
BEC/Fraud: Romance scam source medium: This rule detects messages attempting to initiate a Romance scam. The rule leverage tells such as undisclosed recipients, freemail emails in the body and common scam phrasing. Romance scams are deceptive schemes where scammers establish false romantic intentions towards individuals to gain their trust and eventually exploit them financially.↳ also matches sender.email
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns source medium: Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes.↳ also matches sender.email

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`sender.email`

Section: Sublime-Message-sender

Description

Message Data Model attribute: sender.email

Fields #

Name	Description
`domain`
`domain.domain`	The fully qualified domain name (FQDN). This may not always be routable, e.g. when an email address contains a domain that is just a TLD with no SLD, e.g. foo@WIN-bar
`domain.root_domain`	The root domain, including the TLD
`domain.sld`	Second-level domain, e.g. 'windows' for the domain 'windows.net'
`domain.subdomain`	Subdomain, e.g. 'drive' for the domain 'drive.google.com'
`domain.tld`	The domain's top-level domain. E.g. the TLD of google.com is 'com'
`domain.valid`	Whether the domain is valid
`email`	Full email address
`local_part`	Local-part, i.e. before the @

Detection Rules #

View all rules referencing this event →

Sublime MQL #

Service abuse: Adobe Sign notification from an unsolicited reply-to address source medium: Identifies messages appearing to come from Adobe Sign signature notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Adobe services while attempting to establish unauthorized communication channels.
Service abuse: Amazon invitation with suspected callback phishing source medium: Detects Amazon's no-reply address with a subject about invitation sending, containing phone numbers within HTML header elements. This pattern is commonly used to trick recipients into calling fraudulent customer service numbers.
Service abuse: Behance document sharing with suspicious language source medium: Detects messages containing document sharing language with a single Behance gallery link, potentially indicating abuse of the legitimate Adobe Behance platform for malicious purposes.

Show 17 more (724 total)

Service Abuse: Box file sharing with credential phishing intent source medium: Detects abuse of Box's legitimate infrastructure for credential phishing attacks.
Service abuse: Demio notifications with suspicious content patterns source medium: Detects messages from Demio notifications service containing suspicious patterns including phone numbers, monetary amounts, suspicious domain references, explicit content lures, or lengthy action-oriented subjects designed to manipulate recipients.
Service abuse: DocSend share from newly registered domain source high: This Attack Surface Reduction (ASR) rule matches on DocSend notifications with recently registered reply-to domains.
Service abuse: DocSend share from an unsolicited reply-to address source high: DocSend shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.
Service abuse: DocuSign notification with suspicious sender or document name source medium: The detection rule is intended to match on messages sent from Docusign from a newly observed reply-to address which contains suspicious content within the document or sender display name.↳ also matches sender
Service abuse: DocuSign share from an unsolicited reply-to address source medium: DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.
Service abuse: Domains By Proxy sender source medium: Message originates from a sender using Domains By Proxy's domain privacy service, commonly used to hide domain ownership information.
Service abuse: Dropbox share from new domain source medium: This Attack Surface Reduction (ASR) rule matches on Dropbox notifications with recently registered reply-to domains.
Service abuse: Dropbox share with suspicious sender or document name source medium: The detection rule is intended to match on messages sent from DropBox indicating a shared file to the recipient which contains suspicious content within the document or sender display name.
Service abuse: Dropbox share from an unsolicited reply-to address source medium: This rule detects Dropbox share notifications which contain a reply-to address or domain that has not been previously observed sending messages to or receiving messages from the recipient organization.
Service Abuse: ExactTarget with suspicious sender indicators source high: Message originates from ExactTarget infrastructure but uses a suspicious sender domain, including overly long salesforce.com domains, awsapps.com domains, domains containing UTF-8 encoding characters, or a suspicious sender display name.↳ also matches sender
Service abuse: Google Firebase sender address with suspicious content source low: Detects messages from Firebase hosted domains that contain suspicious indicators such as emojis, spam keywords, unusual link patterns, or freemail registrant information.
Service abuse: Google account notification with links to free file host source high: Detects messages impersonating Google Accounts that contain links redirecting to known file hosting services
Service abuse: Google classroom solicitation source medium: Detects messages spoofing Google Classroom notifications that contain WhatsApp contact information, phone numbers, or sexually explicit content. The rule identifies emails from no-reply@classroom.google.com that include WhatsApp invitations, emojis in the subject line, or explicit sexual language, as well as phone numbers and WhatsApp references in message screenshots from first-time senders.
Service abuse: Google Drive share from new reply-to domain source medium: A Google Drive sharing notification containing a reply-to address from a recently registered domain (less than 30 days old). The reply-to domain does not match any organizational domains.
Service abuse: Google Drive share from an unsolicited reply-to address source medium: Identifies messages appearing to come from Google Drive sharing notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Google services while attempting to establish unauthorized communication channels.
Google services using g.co shortlinks source medium: Identifies messages from authenticated Google domains containing g.co shortened URLs with a subdomain in either the message body links or thread text.

References #

Sublime Message Data Model https://docs.sublime.security/docs/mdm

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Sublime-Message-sender

`sender`

Description

Fields #

Detection Rules #

Sublime MQL #

References #

`sender.email`

Description

Fields #

Detection Rules #

Sublime MQL #

References #

Keyboard shortcuts

Search operators