Mailer is atypical of sends from Gmail infrastructure. Observed sending callback phishing and general spam.

Read More

Detects macro-enabled files that contain embedded MHT (MIME HTML) content, which is commonly used to hide malicious code through file format manipulation.

Read More

This rule detects messages with unscannable links to Vercel infrastructure with suspicious indicators in the subject or display name from an unsolicited sender.

Read More

This ASR rule detects the use of secure SharePoint links which require recipient verifcation before allowing access to the shared file. This has been observed as a method of evading automated analysis of the shared files' content.

Read More

Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

All recipients are bcc'd or undisclosed, with no links or attachments, and a short body and subject from an unknown sender.

Read More

This rule detects messages with unscannable links to cloudflare infrastructure with suspicious indicators in the subject or display name from an unsolicited sender.

Read More

Detects encrypted Microsoft Office document attachments (Word, Excel, PowerPoint, Access) from untrusted senders or high-trust senders failing DMARC authentication, which may indicate an effort to bypass security scanning.

Read More

Malformed URL prefix is a technique used to evade email security scanners.

Read More

A PDF or Office document contains suspicious URLs that lead to Cloudflare-protected pages with turnstile CAPTCHA gates. The sender uses deceptive display names and subjects indicating urgency or authority.

Read More

Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before.

The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list

This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting any message that matches the protected list of display names from a first-time or unsolicited sender.

Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.

Read More

Sender is using a display name that matches the display name of someone in your $org_vips list.

Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body from untrusted senders.

Read More

Detects when a sender using a free email provider includes a reply-to address from a different free email provider, which is a common social engineering tactic.

Read More

Message contains use of the Dell open redirect, but the sender is not Dell.

Read More

Message contains use of the Ticketmaster open redirect, but the sender is not Ticketmaster. This has been exploited in the wild.

Read More

Detects messages from Zoom Docs in which the document originates from a newly observed email address. The email address is extracted from the body message.

Read More

Detects URLs linking to Keap App contact us, which has been used to host malicious content due to its trusted domain status and product capabilities

Read More

Message includes a single link to Zoom Docs, with no other links to zoom and originates from a sender outside the Zoom organization

Read More

Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

There's a large number of recipients that are unknown to the organization, no links or attachments, and a short body and subject from an unknown sender.

Read More

Detects messages containing Scribd links with the fullscreen parameter from senders with no prior benign communication or recent history.

Read More

This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request.

Read More

Detects URLs linking to Gamma App presentation mode, which has been used to host malicious content due to its trusted domain status and presentation capabilities

Read More

Identifies messages appearing to come from Adobe Sign signature notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Adobe services while attempting to establish unauthorized communication channels.

Read More

Detects messages from HelloSign in which the document originates from a newly observed email address. The email address is extracted from across multiple message components, including HTML body templates and email header fields.

Read More

Detects HTML or SVG files under 100KB that contain duplicate or padding text in the form of literary quotes or common sayings within code comments.

Read More

This Attack Surface Reduction (ASR) rule matches on SurveyMonkey Surveys with recently registered reply-to domains.

Read More

This rule identifies attachments containing file scheme links pointing to executable file types, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software.

Read More

Detects messages from services that write the true sender to the reply-to field, where the sender has no prior legitimate message history and is newly registered. Indicative of service abuse.

Read More

Detects emails containing links using Linkedin '/slink?code=xxxxx' open redirect where the email has not come from Linkedin.com

Read More

DocSend shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.

Read More

DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization.

Read More

This rule detects Dropbox share notifications which contain a reply-to address or domain that has not been previously observed sending messages to or receiving messages from the recipient organization.

Read More

This Attack Surface Reduction (ASR) rule matches on Dropbox notifications with recently registered reply-to domains.

Read More

Identifies messages appearing to come from Google Drive sharing notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Google services while attempting to establish unauthorized communication channels.

Read More

This Attack Surface Reduction (ASR) rule matches on QuickBooks notifications with recently registered reply-to domains.

Read More

DocuSign shares with new reply-to addresses have been seen in recent attacks.

Read More

HTML attachment (or HTML attachment in attached email) is small and contains a recipients email address.

Read More

Detects HTML files in EML attachments from unsolicited senders.

Reduces attack surface against HTML smuggling.

Read More

Message contains use of the Samsung open redirect, but the sender is not Samsung.

Read More

Detects when a sender links to a Sharepoint file where the subdomain significantly differs from the sender's domain. The rule checks for OneNote, PDF, or unknown file types and includes various domain validation checks.

Read More

This rule identifies subjects containing long strings of nonsensical or procedurally generated characters, which are often used in phishing or spam campaigns for campaign tracking and identification, as well as to bypass detection filters.

Read More

This rule detects Google Drive links that use the direct download URL pattern which automatically downloads files when clicked. This pattern is frequently used by threat actors to distribute malware.

The links are formatted like: drive.google.com/uc?id=FILE_ID&export=download

These links skip the preview page and immediately download the file to the user's device, which can be dangerous for recipients. Threat actors exploit this pattern to directly distribute malware while appearing to share legitimate content from a trusted service.

Read More

Detects messages with unusually long local address parts (before the @) from senders outside trusted domains and without verified authentication.

Read More

This rule identifies incoming SVG vector graphics files containing specific patterns: circle elements combined with either embedded images, QR codes, or filenames that match recipient information. Limited to three attachments and validates sender authenticity. SVG circle elements have been used to obfuscate QR codes and bypass automated QR code scanning methods.

Read More

Detects inbound messages that contain image or document attachments with QR codes containing embedded usernames, passwords, or excessively padded URLs. This technique is used to bypass traditional text-based detection methods.

Read More

Email contains Twitter shortened link (t.co) but does not originate from a Twitter domain. This is a known malicious and spam tactic.

Read More

Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages of compromised sites.

Read More

A file sharing link in the body sent from a suspicious sender domain.

Read More

The default Microsoft Exchange Online sender domain, onmicrosoft.com, is commonly used to send unwanted and malicious email. Enable this rule in your environment if receiving email from the onmicrosoft.com domain is unexpected behaviour.

Read More

A Google Drive sharing notification containing a reply-to address from a recently registered domain (less than 30 days old). The reply-to domain does not match any organizational domains.

Read More

This rule identifies messages where links use typosquatting or lookalike domains similar to the sender domain, with at least one domain being either unregistered or recently registered (≤90 days). The messages must also contain indicators of business email compromise (BEC), credential theft, or abusive language patterns like financial terms or polite phrasing such as kindly. This layered approach targets phishing attempts combining domain deception with manipulative content

Read More

This rule detects unsolicited messages containing a mix of Cyrillic and Latin characters in the subject or sender's name while excluding emails from Russian domains and specific Google Calendar notification bounce emails.

Read More

This Attack Surface Reduction (ASR) rule matches on DocSend notifications with recently registered reply-to domains.

Read More

Message contains a suspicious Recipients pattern, a link that uses a free subdomain provider, and has credential theft language on the linked page.

Read More

Detects calendar (.ics) files that do not follow RFC standards by lacking required UID identifiers while containing specific calendar components (VTODO, VJOURNAL, VFREEBUSY, or VEVENT). Forged ICS calendar invites can be spoofed to seemingly originate from any sender.

Read More

Detects inbound emails where the sender domain is less than 10 days old from untrusted senders.

Read More

This rule identifies potential impersonation attempts involving the local part of an $org_vip email address. Specifically, it checks for cases where the local part of an $org_vip email (e.g., local_part@domain.com) appears with a different domain (e.g., local_part@foreigndomain.com). Additionally, the rule flags messages that match an $org_vip address exactly but fail authentication.

Read More

This attack surface reduction rule matches on messages from Adobe which were sent by an email address (as determined by the sender display name) which doesn't appear to have a relationship with the recipient organization.

Read More

Attach text file is less than 1000 bytes and contains a recipients email address. Seen in the wild carrying credential phishing links.

Read More

Recursively scans archives to detect disallowed file types. File extensions can be detected within password-protected archives.

Attackers often embed malicious files within archives to bypass email gateway controls.

Read More

Fake thread contains suspicious indicators, which can lead to BEC, credential phishing, and other undesirable outcomes.

Read More

This matches on inbound Shared File notiifcation emails from Microsoft, where any link to SharePoint contains a default GoDaddy Federated Tenant Name. These have been observed being frequently abused to send credential phishing campaigns.

Read More

Message contains use of the VK open redirect, but the sender is not VK. This has been exploited in the wild.

Read More

Detects messages with undisclosed recipients, containing links to free subdomain hosts

Read More

Sender subject contains the display name of a user in the $org_vips list, and the sender has never been seen before.

The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list

This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting any message that matches the protected list of display names from a first-time or unsolicited sender.

Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.

Read More

The sender is a known org domain and doesn't use a known org display name. SPF and DMARC verdicts are "none", which means the domain is spoofable. We then look for a combination of other suspicious signals such as a suspicious link or suspicious language.

False Positives may occur with automated sending systems that send rich text emails, in which case we can add additional signals or exclude those.

Read More

Message contains a link that uses a free subdomain provider, and has a login or captcha on the page.

Read More

A link in the body of the message downloads an archive containing a DMG file. The message is not from a common or trusted sender and is unsolicited.

Read More

Shortened link is blocked or gated by bit.ly. Indicator of malicious email.

Read More

Detects links in the body of an email where the linked domain is less than 10 days old from untrusted senders.

Read More

Looks for use of the YouTube open redirect coming from someone other than YouTube.

Read More

Potential HTML smuggling attacks in unsolicited messages. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.

Read More

Potential HTML smuggling attacks from new senders. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.

Read More

This rule identifies attachments containing file scheme links pointing to IP Addresses, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software. The rule negates firing on IP addresses governed by RFC1918 or privately allocated space.

Read More

This rule is designed to detect sophisticated phishing attacks that deliver binary payloads through MS office open XML files. It identifies malicious documents containing embedded scripts or objects, either encoded in base64 or using specific JavaScript functions like createObjectURL or msSaveOrOpenBlob, which are indicative of attempts to download and execute a binary payload.

Read More

Message contains use of the Google Web Light open redirect. Google Web Light was sunset on December 19 2022.

Read More

RTF files can contain embedded content similar to OLE files (Microsoft Office documents.)

Read More

The return-path header is a .ru TLD from an untrusted sender.

Read More

Recursively scans archives and Office documents to detect remote document template injection.

Read More

Attached Office file contains suspicious function calls or known malicious file path pattern.

Read More

The body contains a link to a domain with Punycode characters to hide the true URL destination, or contains non-printable ASCII content.

Read More

Looks for use of the Panera Bread open redirect coming from someone other than Panera.

Read More

Message contains use of Slack's open redirect but the sender is not Slack.

Read More

Message contains use of the click.snapchat.com open redirect.

Read More

Javascript contains identifiers or strings that may attempt to execute files.

Read More

Encrypted OLE2 (eg Microsoft Office) attachment from an unsolicited sender. Attachment encryption is a common technique used to bypass malware scanning products. Use if receiving encrypted attachments is not normal behavior in your environment.

Read More

Message contains a notion link that contains suspicious terms. You may need to deactivate or fork this rule if your organization uses Notion.

Read More

Sender is using a disposable email service and no one in our organization has ever sent them an email.

Read More

Recursively scans files and archives to detect encrypted zip files.

Read More

Recursively scans archives to detect HTML files from unsolicited senders.

HTML files can be used for HTML smuggling and embedded in archives to evade detection.

Read More

Attackers have used the Google Translate service to deliver links to malicious sites repackaged with a translate.goog top-level domain. This rule identifies instances of Google Translate links from unsolicited senders.

Read More

Use if passing compressed or archive files is not typical behavior in your organization. This behavior has been observed in a number of phishing campaigns.

Read More

Recursively scans files and archives to detect RDP connection files.

Coercing a target user into connecting to an attacker-owned RDP server can expose elements of their host and potentially lead to compromise.

Read More