Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before.
The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
This rule is intended for a relatively small list of VIPs. It reduces attack surface by detecting any message from a first-time or unsolicited sender whose display name matches the protected list of display names.
Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
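The detection logic described above, as an added illustration that is not Sublime Security's own rule code: a constructed VIP list stands in for the synced $org_vips list, a constructed set of previously seen addresses stands in for sender history, and the urgency check is one example of the additional subject logic mentioned above (all names and sample values are assumptions).

```python
import re

# Constructed sample VIP list, standing in for the synced $org_vips list.
ORG_VIPS = [
    {"display_name": "Jane Doe", "email": "jane.doe@example.com"},
    {"display_name": "Sam Patel", "email": "sam.patel@example.com"},
]

# Constructed history of sender addresses this org has already received mail from.
SEEN_SENDERS = {"jane.doe@example.com", "newsletter@vendor.example"}

# Optional extra signal: urgency language in the subject line.
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away)\b", re.I)


def normalize_name(name):
    """Case-fold and collapse whitespace so 'jane  DOE' matches 'Jane Doe'."""
    return " ".join(name.casefold().split())


def matches_vip(display_name, vips=ORG_VIPS):
    """Return the VIP entries whose display name equals the sender's, after normalization."""
    target = normalize_name(display_name)
    return [v for v in vips if normalize_name(v["display_name"]) == target]


def is_first_time_sender(sender_email, seen=SEEN_SENDERS):
    """A sender is first-time if its address has never been seen by this org."""
    return sender_email.casefold() not in seen


def evaluate(message, vips=ORG_VIPS, seen=SEEN_SENDERS):
    """Return a dict explaining the match (VIP display name + first-time sender), or None."""
    hits = matches_vip(message["display_name"], vips)
    if not hits or not is_first_time_sender(message["sender_email"], seen):
        return None
    return {
        "impersonated": hits[0]["display_name"],
        "sender": message["sender_email"],
        "urgent": bool(URGENCY.search(message.get("subject", ""))),
    }
```

A message from the VIP's own known address is not flagged because that address is already in the seen-sender history; only an unseen address using a protected display name produces a match.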
VIP impersonation with urgent request (first-time sender)
Sender is using a display name that matches the display name of someone in your $org_vips list.
Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body of messages from first-time senders.