sublime
Exclusion
Fable Security phishing simulation
Identifies phishing simulations sent by Fable and excludes the message from live analysis.
Detection Query
type.inbound
and any(headers.ips, .ip in ("50.31.205.248", "159.183.27.69"))
and any(headers.hops,
        any(.fields, .name =~ "X-Fable-Phishing-Simulation" and .value == "1")
)
and headers.auth_summary.dmarc.pass
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Fable Security phishing simulation"
description: "Identifies phishing simulations sent by Fable and excludes the message from live analysis."
type: "exclusion"
source: |
  type.inbound
  and any(headers.ips, .ip in ("50.31.205.248", "159.183.27.69"))
  and any(headers.hops,
          any(.fields, .name =~ "X-Fable-Phishing-Simulation" and .value == "1")
  )
  and headers.auth_summary.dmarc.pass