Looks for use of the YouTube open redirect coming from someone other than YouTube.

Read More

Email contains an Adobe logo, at least one link, and suspicious link language from a new sender.

Read More

Message contains credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.

Read More

A message containing a Microsoft logo generated using HTML tables and references to the Microsoft Exchange quarantine, but did not come from Microsoft.

Read More

Impersonation of Meta or Meta's subsidary Facebook.

Read More

Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language.

Read More

Potential HTML smuggling attacks in unsolicited messages. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.

Read More

Potential HTML smuggling attacks from new senders. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.

Read More

This rule detects PDF files containing a DocuSign logo linking to a newly created domain (Less than or equal to 3 days)

Read More

Message (or attached message) contains an image impersonating an Outlook attachment button.

Read More

Recursively scans files and archives to detect indicators of login portals implemented in HTML files. This is a known credential theft technique used by threat actors.

Read More

This rule detects messages with HTML attachments containing QR codes

Read More

Recursively scans files and archives to detect HTML smuggling techniques using Javascript atob functions.

Read More

Potential HTML smuggling attack based on large blocks of decimal encoding. Attackers often use decimal encoding as an obfuscation technique to bypass traditional email security measures.

Read More

Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.

Read More

Attached PDF contains a Microsoft-affilated logo, suspicious language or keywords, and a link. Known malware delivery method.

Read More

Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: LinkAnalysis credential phishing conclusion, decoded QR code url traverses suspicious infrastructure, the final destination is in URLhaus, decoded URL downloads a zip or executable, leverages URL shorteners, known QR abused openredirects, and more.

Read More

Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with medium or high confidence.

Read More

Detects potential generic scams by analyzing text within the email body and other suspicious signals.

Read More

Detects messages using Adobe image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Read More

Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)

Read More

Impersonation of the credit card provider American Express.

Read More

Impersonation of the petroleum and natural gas company Saudi Aramco.

Read More

Impersonation of Bank of America, usually for credential theft.

Read More

Impersonation of Blockchain[.]com, usually for credential theft.

Read More

Impersonation of Chase Bank and related services to harvest credentials or related information such as dates of birth, phone numbers, social security numbers, ATM pin numbers, drivers license numbers, selfies, and ID card photos.

Read More

This rule checks for messages with or without attachments leveraging the Chase logo, and LinkAnalysis or Natural Language Understanding(NLU) has flagged credential phishing with medium to high confidence. The rule also excludes messages where all links are Chase affiliates, in addition to negating high trust sender root domains.

Read More

Impersonation of the cryptocurrency exchange Coinbase to harvest Coinbase credentials or related information.

Read More

Impersonation of the password management software Dashlane.

Read More

Impersonation of the shipping provider DHL.

Read More

Attack impersonating a DocuSign request for signature.

Read More

Impersonation of the online food ordering and food delivery platform, DoorDash

Read More

Impersonation of Dotloop, a real estate transaction management platform.

Read More

Impersonation of Dropbox, a file sharing service.

Read More

Impersonation of the shipping provider FedEx.

Read More

Impersonation of Github.

Read More

Impersonation of Gusto, a cloud-based payroll management company.

Read More

Impersonation of the Microsoft brand.

Read More

This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender.

Read More

Detects low reputation links with Microsoft specific indicators in the body.

Read More

Impersonation of Okta, an identity and access management company.

Read More

Impersonation of PayPal.

Read More

Impersonation of PNC Financial Services

Read More

Impersonation of the Quickbooks service from Intuit.

Read More

Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.

Read More

This rule detects messages impersonating a Sharepoint file sharing email where no links point to known Microsoft domains.

Read More

Impersonation of Spotify.

Read More

Possible attempt to impersonate Sublime Security executives.

Read More

Impersonation of United Parcel Service (UPS).

Read More

Impersonation of the United States Postal Service.

Read More

Impersonation of Vanta.

Read More

Impersonation of Venmo

Read More

Impersonation of Wells Fargo Bank.

Read More

Impersonation of Dropbox, a file sharing service; specifically spoofs the Dropbox sender domain.

Read More

Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from unsolicited senders.

Read More

Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from first-time senders.

Read More

Detects callback scams by analyzing text within images of receipts or invoices from untrusted senders.

Read More

This rule inspects messages originating from legitimate DocuSign infrastructure, with a DocuSign logo that match Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.

Read More

This rule detects messages with an unknown file_type (extensionless) and a content_type of 'message/rfc822' containing an image file with Callback Phishing indicators.

Read More

A fraudulent invoice/receipt found in the body of the message, delivered via a Google Group mailing list.

Read More

Email contains a Constant Contact (mass mailing platform) tracking link but does not originate from Constant Contact sending infrastructure. The rs6.net domain has been abused by threat actors to attempt credential phishing.

Read More

Detects potential COVID-19 themed BEC/Fraud scams by analyzing text within the email body for mentions of COVID-19 assistance from mismatched senders and other suspicious language.

Read More

Message contains credential theft language and a link to a credential phishing page from an unknown sender. We use Link Analysis in aggressive mode to increase our chances of scanning.

Read More

Message contains various suspicious indicators as well as engaging language resembling credential theft from an unknown sender.

Read More

Message contains a link to a credential phishing page from an unknown sender.

Read More

This rule detects Credential Phishing attacks exploiting familiar brands via Dropbox comments. These attacks originate from legitimate Dropbox infrastructure and attempt to pivot to external freemail addresses.

Read More

Body contains language resembling credential theft, and a "secure message" from an untrusted sender.

Read More

Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo embedded in the body of the message, from a new sender.

Read More

Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender.

Read More

This rule targets credential phishing attempts disguised as storage space alerts, activating for inbound emails with specific storage-related keywords and evaluating sender trustworthiness and history.

Read More

This rule inspects messages where the subject is suspicious with less than 5 links and a relatively short body. Natural Language Understanding is being used to identify the inclusion of a financial, request, urgency and org entity from an unsolicited sender.

Read More

The recipient domain's SLD is used in the sender's display name and in the subject to impersonate the organization.

Read More

The recipient domain's SLD is used in the sender's display name in order to impersonate the organization.

Read More

Sender is using a display name that matches the display name of someone in your organization.

Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.

Read More

Detects fake message threads with suspicious links and financial request language

Read More

Fake thread contains suspicious indicators, which can lead to BEC, credential phishing, and other undesirable outcomes.

Read More

A file sharing link in the body with a common BEC subject. This rule could be expanded to include additional BEC subjects.

Read More

Message contains a link that uses a free subdomain provider, and has a login or captcha on the page.

Read More

This rule detects messages that leverage a link to notifications.google.com not from google and from an untrusted sender. Commonly abused in salesforce phishing campaigns.

Read More

Detects generic BEC/Fraud scams by analyzing text within the email body from mismatched senders with other suspicious indicators.

Read More

Body contains little, no, or only disclaimer text, an image, and a link to an open redirect.

Read More

The recipient's domain is used in the sender's display name in order to impersonate the organization. The impersonation has been observed to use both the recipient's full email address, as well as just the domain.

Read More

Detects messages impersonating HR that contain at least 1 link or 1 attachment with engaging language in the body from an untrusted sender.

Read More

A link in the body of the message downloads an archive containing a DMG file. The message is not from a common or trusted sender and is unsolicited.

Read More

A link in the body of the message downloads an encrypted zip that contains a DMG file.

This technique has been observed ITW to deliver Meta Stealer, Atomic Stealer, and other MacOS malware.

Notably, in some instances, the attacker poses as a recruiter and initiates back and forth conversation with the recipient.

Read More

This rule detects messages with "Undisclosed Recipients" that contain a link to a credential phishing page.

Read More

Shortened link is blocked or gated by bit.ly. Indicator of malicious email.

Read More

Email body is suspicious, and links to a Microsoft Dynamics form. Known phishing tactic.

Read More

This rule analyzes image attachments for QR Codes in which LinkAnalysis concludes is phishing. The rule ensures that the URLs do not link to any organizational domains.

Read More

This rule analyzes image attachments for QR Codes that contain URLs including the recipient's email address. It ensures that the URLs do not link to any organizational domains. Additionally, it examines the email body using Natural Language Processing to detect credential phishing language.In cases of null bodies, the rule is conditioned to check the image for any suspicious terms.

Read More

This rule detects messages with image attachments containing QuickBooks logo containing exactly 1 link to a suspicious URL.

Read More

Sender's domain is a lookalike of one of your organization's domains and is untrusted.

Read More

This rule detects URLs matching a known Pikabot pattern where the linked domain has been reported to URLhaus, or the link downloads an archive containing a JS file, or a file in the archive hash is found in Malware Bazaar.

Read More

This detects a pattern commonly observed in mass phishing campaigns.

The local_part or the full email address of the recipient is used in the subject, body, and link query parameter to "personalize" the attack.

Read More

Message contains use of the Ticketmaster open redirect, but the sender is not Ticketmaster. This has been exploited in the wild.

Read More

This rule detects messages from individuals looking to establish contact under the guise of seeking friendship or a penpal relationship. Over time, they build trust and then exploit this relationship by asking for money, personal information, or involvement in suspicious activities.

Read More

This rule flags messages with QR codes in attachments when there are three or fewer attachments. If no attachments are present, the rule captures a screenshot of the message for analysis. Additional triggers include: sender's name containing the recipient's SLD, recipient's email mentioned in the body, an empty message body, a suspicious subject, or undisclosed recipients.

Read More

Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

All recipients are bcc'd or undisclosed, with no links or attachments, and a short body and subject from an unknown sender.

Read More

Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

There's a large number of recipients that are unknown to the organization, no links or attachments, and a short body and subject from an unknown sender.

Read More

RFQ/RFP scams involve fraudulent emails posing as legitimate requests for quotations or purchases, often sent by scammers impersonating reputable organizations. These scams aim to deceive recipients into providing sensitive information or conducting unauthorized transactions, often leading to financial loss, or data leakage.

Read More

Identifies messages that resemble credential theft, originating from Salesforce. Salesforce infrastrcture abuse has been observed recently to send phishing attacks.

Read More

This rule detects messages containing links to lookerstudio with a non standard lookerstudio template from a new and unsolicited sender.

Read More

This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender.

Read More

Detects messages with undisclosed recipients (likely all bcc), where the Compauth verdict is not 'pass', and ML has identified suspicious language or credential phishing links.

Read More

Email contains Twitter shortened link (t.co) but does not originate from a Twitter domain. This is a known malicious and spam tactic.

Read More

Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before.

The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list

This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting any message that matches the protected list of display names from a first-time or unsolicited sender.

Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.

Read More

Public Google Groups can be used to impersonate internal senders, while the reply to address is not under organizational control, leading to fraud, credential phishing, or other unwanted outcomes.

Read More

This rule detects emails attempting to impersonate a VIP, it leverages NLU to determine if there is invoicing verbiage in the current thread, and requires request language.

Read More

Sender is using a display name that matches the display name of someone in your $org_vips list.

Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.

Read More

This rule is designed to identify impersonation attempts by analyzing the display name or sender's local part for the solitary use of "X" provided the email doesn't originate from twitter.com or x.com. Natural Language Understanding (NLU) is used to check for credential theft requiring a medium-to-high confidence level for flagging.

Read More

The default Microsoft Exchange Online sender domain, onmicrosoft.com, is commonly used to send unwanted and malicious email. Enable this rule in your environment if receiving email from the onmicrosoft.com domain is unexpected behaviour.

Read More

This rule detects unsolicited messages with a small plain text body, that is attempting to solicit a mobile number.

Read More

This rule identifies attachments containing file scheme links pointing to IP Addresses, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software. The rule negates firing on IP addresses governed by RFC1918 or privately allocated space.

Read More

This rule detects messages impersonating employees, from unsolicited senders attempting to reroute payroll or alter payment details.

Read More

This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve. The rule looks for voicemail verbiage in the display name, body, subject or a combination of those elements with emojis or a medium to high credential theft NLU Intent from first-time + unsolicited sender.

Read More

Impersonation of LinkedIn.

Read More

Impersonating Wise Financial, an online banking platform.

Read More

Callback Phishing via text file attachment, with a large number of recipients that are unknown to the organization, and a short body and subject from an unknown sender.

Read More

This rule identifies attachments containing file scheme links pointing to executable file types, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software.

Read More

Detects messages using Google based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Read More

This rule identifies messages with an RFC822 attachment contains language indicative of suspicious file-sharing activity. It checks both the original sender and the nested sender against highly trusted domains. The original message is unsolicited, and has not been previously flagged as a false positive.

Read More

A fraudulent invoice/receipt found in the body of the message. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

A fraudulent invoice/receipt found in an image attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Read More

JavaScript attachment or compressed JavaScript file containing a base64 encoded executable.

Read More

This rule detects messages originating from sharepoint.com with undisclosed recipients that are attempting to solicit the user to click a link. This has been observed in the event of an account compromise where the compromised account was utilizing legitimate file sharing services to share malicious links.

Read More

Identifies EML attachments that use credential theft language from unknown senders.

Read More

Unknown sender requesting assistance with tax preparation. This is associated with known threat actor activity, TA576.

Read More

Message subject or body contains Cross Site Scripting (XSS) indicators, and was sent to multiple unknown senders. Known spam technique.

Read More

Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.

Read More

This rule is designed to detect sophisticated phishing attacks that deliver binary payloads through MS office open XML files. It identifies malicious documents containing embedded scripts or objects, either encoded in base64 or using specific JavaScript functions like createObjectURL or msSaveOrOpenBlob, which are indicative of attempts to download and execute a binary payload.

Read More

Detects DocuSign phishing messages with no DocuSign links, a DocuSign logo attached, from an untrusted sender.

Read More

Calendar invite contains a link to either a free file host or free subdomain host, and the resulting webpage contains another link to an open redirect.

Read More

HTML attachmemt contains a base-64 encoded executable.

Read More

This rule is tailored to flag infrastructural abuse involving Invoicera, a SaaS-based invoicing and billing platform, which has been identified as a tool in widespread spam and credential phishing campaigns.

Read More

Message contains a Microsoft logo or suspicious terms and use of an open redirect. This has been exploited in the wild to impersonate Microsoft.

Read More

Attached archive contains an HTLM file with a file:// link, likely pointing to an SMB server. This technique can be used to steal NTLM hashes of users who open the HTML file. Known technique of TA577.

Read More

Impersonation of Outlook.com. Senders with "outlook.com" in the subdomain have been observed sending fake account notifications.

Read More

Impersonation of the cloud provider Digital Ocean.

Read More

Message contains use of the Google Web Light open redirect. Google Web Light was sunset on December 19 2022.

Read More

Impersonation of Netflix.

Read More

Recursively scans files and archives to detect embedded EXE files (with an MZ header).

According to The Record, on June 7, 2021, the Ukrainian Secret Service attributed an attack that used this technique to the "special services of the Russian Federation".

The spear-phishing operation urged recipients to download a RAR archive included in the email, which, when decompressed, would drop an EXE file with a double extension (filename.pdf.exe) that tried to pass as a PDF file.

Read More

Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites.

Read More

Attachment contains a VBA macro from a sender your organization has never sent an email to.

Sender is using a display name that matches the display name of someone in your organization.

VBA macros are a common phishing technique used to deploy malware.

Read More

RTF files can contain embedded content similar to OLE files (Microsoft Office documents.)

Read More

Detects pdf files with links to a remotely hosted password-protected file. This is a common technique abused by Phishing actors as well as Malware actors (IcedID, Remcos, Async Rat)

Read More

Advance Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised future returns, such as lottery scams, inheritance payouts, and investment opportunities. This rule identifies messages from Freemail domains or suspicious TLDS, including those with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect AFF language in their contents.

Read More

Detects the presence of known brand logos, mentions of "fax" in the subject or sender's display name, and a low reputation link from an untrusted sender.

Read More

This rule detects unsolicited messages where the recipient matches the sender address and no other recipients are identified. The reply-to address does not match the sender, and is a freemail with no links in the body. This a common combination of techniques used by low level BEC threats.

Read More

The rule flags inbound messages with no visible recipients, contain all-caps text, and include links from certain free hosts. It also checks for signs of credential theft using machine learning classifiers and is from an untrusted sender.

Read More

Body HTML contains an exploit for CVE-2023-5631, a vulnerability in Roundcube Webmail that allows stored XSS via an HTML e-mail message with a crafted SVG document.

Read More

HTML attachment is small and contains a recipients email address.

Read More

Detects job scam attempts by analyzing the message body text from an unsolicited sender.

Read More

Detects if an attachment's SHA256 hash matches a SHA256 hash reported as malware on MalwareBazaar by trusted reporters from untrusted senders.

Read More

Detects links in the body of an email where the linked domain is less than 10 days old from untrusted senders.

Read More

Detects inbound emails where the sender domain is less than 10 days old from untrusted senders.

Read More

The return-path header is a .ru TLD from an untrusted sender.

Read More

Detects any VBA macro attachment that scores above a medium confidence threshold in the Sublime Macro Classifier.

Read More

Body of the message, or any links, contain the Unicode U+2044 (⁄) or U+2215 (∕) characters inside a URL.

Read More

This rule detects messages containing links exploiting CVE-2024-21413, which can lead to RCE.

Successful exploitation can bypass built-in Outlook protections for malicious links embedded in messages by using the file:// protocol and an exclamation mark to URLs pointing to attacker-controlled servers."

Read More

This rule detects unsolicited messages containing a mix of Cyrillic and Latin characters in the subject or sender's name while excluding emails from Russian domains and specific Google Calendar notification bounce emails.

Read More

Recursively scans archives and Office documents to detect remote document template injection.

Read More

This rule detects supplier impersonation by checking for: similar linked domains to the sender, non-freemail senders using freemail infrastructure, sender domains less than 90 days old, unsolicited communication or no prior interaction with the reply-to address, and a suspicious body.

Read More

Attached Office file contains suspicious function calls or known malicious file path pattern.

Read More

Attached HTML file contains references to the recipients email address, indicative of credential phishing, and suspicious Javascript patterns.

Read More

Attached HTML file contains JavaScript code with suspicious identifiers like 'atob' or 'decrypt', as well as the recipient's email address embedded within the JavaScript

Read More

This message detects BEC/Fraud Lure's attempting to solicit the victim to pivot out of band via a freemail address in the body.

Read More

Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Read More

Message is from a commonly abused sender TLD, contains various suspicious indicators resembling credential theft, and is unsolicited.

Read More

This rule is designed to identify phishing attempts abusing Google AMP's URL structure for malicious activities. The rule aims to detect specific URL patterns, further analyzing both message content, as well as the destination of the link to distinguish between legitimate Google AMP pages and potential malicious usage.

Read More

The PDF attachment was created with a Python-based script. The PDF attachment also contains one or more links. These techniques were used by PikaBot, among others.

Read More

Message resembles an email from a scan-to-email service or device, but does not contain any attachments, instead linking to an unknown domain.

Read More

This rule detects QR codes in EML attachments that return a phishing disposition when analyzed, or are leveraging a known open redirect.

Read More

Attached HTML file does not contain any HTML other than a