Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

There's a large number of recipients that are unknown to the organization, no links or attachments, and a short body and subject from an unknown sender.

Read More

Recon messages, a form of deliverability testing, are used to validate whether a recipient address is valid or not, potentially preceding an attack.

All recipients are bcc'd or undisclosed, with no links or attachments, and a short body and subject from an unknown sender.

Read More

A link in the body of the message downloads an archive containing a DMG file. The message is not from a common or trusted sender and is unsolicited.

Read More

Message contains use of the Ticketmaster open redirect, but the sender is not Ticketmaster. This has been exploited in the wild.

Read More

PDF contains embedded Javascript.

Read More

Detects free file host links sent by freemail senders with a short body and NLU indicators.

Read More

Recursively scans files and archives to detect encrypted zip files.

Read More

The return-path header is a .ru TLD and first-time sender.

Read More

Shortened link is blocked or gated by bit.ly. Indicator of malicious email.

Read More

The sender is a known org domain and doesn't use a known org display name. SPF and DMARC verdicts are "none", which means the domain is spoofable. We then look for a combination of other suspicious signals such as a suspicious link or suspicious language.

False Positives may occur with automated sending systems that send rich text emails, in which case we can add additional signals or exclude those.

Read More

Potential HTML smuggling attacks from new senders. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.

Read More

Detects links in the body of an email where the linked domain is less than 10 days old from first-time senders.

Read More

Detects inbound emails where the sender domain is less than 10 days old from first-time senders.

Read More

Potential HTML smuggling attacks in unsolicited messages. Use if passing HTML files is not normal behavior in your environment. This rule may be expanded to inspect HTML attachments for suspicious code.

Read More

Recursively scans archives to detect HTML files from unsolicited senders.

HTML files can be used for HTML smuggling and embedded in archives to evade detection.

Read More

Recursively scans archives to detect disallowed file types. File extensions can be detected within password-protected archives.

Attackers often embed malicious files within archives to bypass email gateway controls.

Read More

Detects HTML files in EML attachments from unsolicited senders.

Reduces attack surface against HTML smuggling.

Read More

Javascript contains identifiers or strings that may attempt to execute files.

Read More

Detects messages with undisclosed recipients, containing links to free subdomain hosts

Read More

Attackers have used the Google Translate service to deliver links to malicious sites repackaged with a translate.goog top-level domain. This rule identifies instances of Google Translate links from unsolicited senders.

Read More

Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before.

The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list

This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting any message that matches the protected list of display names from a first-time or unsolicited sender.

Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.

Read More

Use if passing compressed or archive files is not typical behavior in your organization. This behavior has been observed in a number of phishing campaigns.

Read More

Recursively scans files and archives to detect RDP connection files.

Coercing a target user into connecting to an attacker-owned RDP server can expose elements of their host and potentially lead to compromise.

Read More