The sender's domain is a known org domain, but the display name is not a known org display name.
Both the SPF and DMARC verdicts are "none" (no SPF record or DMARC policy was found for the domain), which means the domain can be spoofed.
We then look for a combination of other suspicious signals such as a suspicious
link or suspicious language.
False positives may occur with automated sending systems that send rich-text emails; in that case, add additional signals or exclude those senders.
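The following is an added example, not a rule from the page or from Sublime Security's own rule set. It shows the same logic in plain Python over a constructed RFC 822 message: the SPF and DMARC verdicts are read from the Authentication-Results header, the From domain and display name are compared against a hard-coded stand-in for the org profile (ORG_DOMAINS and ORG_DISPLAY_NAMES are assumptions), and the message is flagged only when both verdicts are "none" and at least one secondary signal (an external link or urgency language) is present.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed stand-ins for the org profile (assumption: a real deployment takes
# these from the platform's sender and domain profiling, not from constants).
ORG_DOMAINS = {"example.com"}
ORG_DISPLAY_NAMES = {"example it support", "example hr"}
URGENCY_TERMS = ("urgent", "immediately", "action required", "verify your account")

AUTH_RESULT_RE = re.compile(r"\b(spf|dmarc)=([a-z]+)", re.IGNORECASE)


def auth_verdicts(msg):
    """Return {'spf': ..., 'dmarc': ...} from Authentication-Results headers.
    A missing header or mechanism is treated as 'none', i.e. unverifiable."""
    verdicts = {"spf": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RESULT_RE.findall(str(header)):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def suspicious_signals(msg):
    """Secondary signals the rule combines with the auth verdicts:
    links whose host is outside the org's domains, and urgency language."""
    signals = []
    part = msg.get_body(preferencelist=("html", "plain"))
    text = part.get_content() if part is not None else ""
    for href in re.findall(r'href=["\']([^"\']+)', text, re.IGNORECASE):
        host = (urlparse(href).hostname or "").lower()
        if host and not any(host == d or host.endswith("." + d) for d in ORG_DOMAINS):
            signals.append(f"external link: {host}")
    lowered = text.lower()
    signals.extend(f"urgency language: {t!r}" for t in URGENCY_TERMS if t in lowered)
    return signals


def evaluate(raw):
    """Apply the rule to one raw message and return the decision with its reasons."""
    msg = message_from_string(raw, policy=default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    verdicts = auth_verdicts(msg)
    known_domain = domain in ORG_DOMAINS
    known_name = display_name.strip().lower() in ORG_DISPLAY_NAMES
    spoofable = verdicts["spf"] == "none" and verdicts["dmarc"] == "none"
    signals = suspicious_signals(msg)
    return {
        "flagged": known_domain and not known_name and spoofable and bool(signals),
        "known_org_domain": known_domain,
        "known_org_display_name": known_name,
        "verdicts": verdicts,
        "signals": signals,
    }


# Constructed test fixtures (not real mail): one spoofed, one legitimate.
SAMPLE_SPOOFED = """\
From: Payroll Team <payroll@example.com>
To: alice@example.com
Subject: Update your direct deposit
Authentication-Results: mx.example.com; spf=none smtp.mailfrom=example.com; dmarc=none header.from=example.com
Content-Type: text/html; charset=utf-8

<html><body><p>Action required: verify your account <a href="https://payroll-update.example-login.net/">here</a>.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: Example IT Support <it@example.com>
To: alice@example.com
Subject: Maintenance window
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com
Content-Type: text/html; charset=utf-8

<html><body><p>Details are on <a href="https://intranet.example.com/maintenance">the intranet</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(name, evaluate(raw))
```

The two verdicts are read with a deliberately loose regex because Authentication-Results syntax varies by receiver; anything that is not a parseable result falls through to "none", which is the conservative reading for this rule. The exclusion for automated rich-text senders mentioned above would be a third input to evaluate (a sender allowlist checked before the signals), which the fixture omits.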
Potential HTML smuggling attacks in unsolicited messages.
Use this rule if sending HTML files as attachments is not normal behavior in your environment.
This rule may be expanded to inspect HTML attachments for suspicious code.
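Added example, not from the page or Sublime Security: a Python check that walks a constructed multipart message with Python's email package, reports HTML file attachments from senders not in a hard-coded history (KNOWN_SENDERS is an assumption standing in for the platform's sender profile), and, as the expansion suggested above, lists which browser-side payload-reconstruction constructs each attachment contains. The indicator list is a triage aid and is an assumption of this example, not a detection signature from the page.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sender history (assumption: a real deployment asks the platform
# whether the sender has been mailed before instead of using a constant).
KNOWN_SENDERS = {"billing@partner.example"}
HTML_EXTENSIONS = (".html", ".htm", ".xhtml", ".shtml")
# Script constructs an HTML file typically uses to assemble a file in the browser.
# Their presence is a reason to inspect, not proof of malice (assumed list).
SMUGGLING_INDICATORS = ("atob(", "new Blob(", "URL.createObjectURL(",
                        "msSaveOrOpenBlob", "unescape(")


def html_attachments(msg):
    """List HTML file attachments and the indicators found in each one."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not (name.endswith(HTML_EXTENSIONS) or part.get_content_type() == "text/html"):
            continue
        content = part.get_content()
        if isinstance(content, bytes):          # e.g. application/octet-stream
            content = content.decode("utf-8", "replace")
        found.append({"filename": name,
                      "indicators": [i for i in SMUGGLING_INDICATORS if i in content]})
    return found


def evaluate(raw):
    """Flag unsolicited messages that carry any HTML file attachment."""
    msg = message_from_string(raw, policy=default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    unsolicited = sender not in KNOWN_SENDERS
    attachments = html_attachments(msg)
    return {"flagged": unsolicited and bool(attachments),
            "unsolicited": unsolicited,
            "html_attachments": attachments}


def build_sample(sender):
    """Constructed fixture: a multipart message with an HTML attachment whose
    script only contains indicator tokens (placeholder data, not a working file)."""
    return f"""\
From: Accounts <{sender}>
To: bob@example.com
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please open the attached invoice.
--b1
Content-Type: text/html; charset=utf-8; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><body><script>var f = new Blob([atob("AAAA")]);</script></body></html>
--b1--
"""


if __name__ == "__main__":
    print(evaluate(build_sample("invoice@unknown-sender.example")))
    print(evaluate(build_sample("billing@partner.example")))
```

Matching on both the file extension and the declared content type matters because either one alone can be renamed or mislabelled by the sender; the known-sender check keeps the rule quiet for partners who legitimately exchange HTML reports.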
Attackers have used the Google Translate service to deliver links to malicious sites repackaged with a translate.goog top-level domain.
This rule identifies instances of Google Translate links from unsolicited senders.
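Added example (not the page's rule, not Sublime Security code): Python that extracts hrefs from a constructed HTML body, keeps those whose host ends in translate.goog, and recovers the proxied site's hostname so an analyst sees the real destination. The decoding assumes the proxy's host encoding (dots in the original host become hyphens, literal hyphens become double hyphens); KNOWN_SENDERS is an assumed stand-in for the platform's notion of a solicited sender.

```python
import re
from urllib.parse import urlparse

TRANSLATE_PROXY_SUFFIX = ".translate.goog"
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
# Constructed sender history (assumption standing in for sender profiling).
KNOWN_SENDERS = {"newsletter@partner.example"}


def decode_proxied_host(proxy_host):
    """Best-effort recovery of the proxied site's hostname from a translate.goog host.
    Assumed encoding: the original host is one label in which '.' became '-' and
    a literal '-' became '--'. Verify against live URLs before relying on it."""
    label = proxy_host[: -len(TRANSLATE_PROXY_SUFFIX)]
    return label.replace("--", "\x00").replace("-", ".").replace("\x00", "-")


def translate_links(html):
    """Return every link routed through the translate.goog proxy."""
    links = []
    for href in HREF_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        if host.endswith(TRANSLATE_PROXY_SUFFIX):
            links.append({"href": href,
                          "proxy_host": host,
                          "original_host": decode_proxied_host(host)})
    return links


def evaluate(sender, html):
    """Flag translate.goog links only when the sender is unsolicited."""
    unsolicited = sender.lower() not in KNOWN_SENDERS
    links = translate_links(html)
    return {"flagged": unsolicited and bool(links), "links": links}


# Constructed fixture: one proxied link beside one ordinary link.
SAMPLE_HTML = """<p>Your mailbox is almost full.
<a href="https://login-example--site-com.translate.goog/auth?_x_tr_sl=auto&_x_tr_tl=en">Review storage</a>
or visit <a href="https://support.example.com/storage">our help center</a>.</p>"""

if __name__ == "__main__":
    print(evaluate("alerts@unknown.example", SAMPLE_HTML))
```

Recording the decoded original host alongside the proxy host is what makes the alert actionable: reputation and allowlist checks can then be run against the site actually being visited rather than against translate.goog itself.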
Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before.
The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work.
Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
This rule is recommended for a relatively small list of VIPs, and is meant to reduce attack surface by detecting any message whose display name matches the protected list and whose sender is first-time or unsolicited.
Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
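Added example, not from the page or Sublime Security: the display-name match in Python over a constructed VIP list and sender history (ORG_VIPS and SEEN_SENDERS are assumptions standing in for the synced $org_vips list and the platform's sender profile). It normalizes names with NFKC and casefolding so that spacing, case and compatibility-form lookalikes still match, and it never flags mail from the VIP's own mailbox.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed stand-in for the synced $org_vips list: display name -> mailbox (assumption).
ORG_VIPS = {"Jane Doe": "jane.doe@example.com", "Raj Patel": "raj.patel@example.com"}
# Constructed sender history (assumption standing in for "has this sender been seen before").
SEEN_SENDERS = {"jane.doe@example.com", "vendor@partner.example"}


def normalize_name(name):
    """NFKC folds fullwidth and other compatibility forms into their base letters,
    casefold removes case, and runs of punctuation or whitespace collapse to one space."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return re.sub(r"[\W_]+", " ", folded).strip()


VIP_NAMES = {normalize_name(name): mailbox for name, mailbox in ORG_VIPS.items()}


def evaluate(from_header):
    """Flag a From header whose display name matches a VIP while the address
    has never been seen and is not the VIP's own mailbox."""
    display, address = parseaddr(from_header)
    address = address.lower()
    matched = VIP_NAMES.get(normalize_name(display))
    first_time = address not in SEEN_SENDERS
    return {
        "flagged": matched is not None and first_time and address != matched,
        "matched_vip": matched,
        "first_time_sender": first_time,
    }


if __name__ == "__main__":
    # Constructed From headers covering the cases the rule must distinguish.
    for hdr in ("Jane Doe <jane.doe.ceo@webmail-lookalike.example>",
                "Jane Doe <jane.doe@example.com>",
                "JANE   DOE <j@unknown.example>",
                "Vendor <vendor@partner.example>"):
        print(hdr, "->", evaluate(hdr))
```

The suspicious-subject and suspicious-link logic mentioned above would be further conjuncts on the flagged condition; with a small VIP list the bare match is already precise enough to be useful on its own.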