EXPLORE DETECTIONS
Suspicious sender display name with long procedurally generated text blob
This rule identifies sender display names containing long strings of nonsensical or procedurally generated characters, which are often used in phishing or spam campaigns for campaign tracking and identification, as well as to bypass detection filters.
Suspicious SharePoint file sharing
This rule detects potential credential phishing that leverages SharePoint file sharing to deliver a PDF, OneNote, or unknown-type file, using indicators such as suspicious sender analysis and link characteristics.
Suspicious subject with long procedurally generated text blob
This rule identifies subjects containing long strings of nonsensical or procedurally generated characters, which are often used in phishing or spam campaigns for campaign tracking and identification, as well as to bypass detection filters.
Suspicious VBA macros from untrusted sender
Detects any VBA macro attachment that scores above a medium confidence threshold in the Sublime Macro Classifier.
Targeting: Specific AOL address
Message targeting a specific AOL address (me@aol.com) with a single recipient.
Tax Form: W-8BEN solicitation
Detects messages containing references to W-8BEN tax forms, commonly used in tax-related fraud schemes targeting individuals and businesses.
Truth Social infrastructure abuse via link redirect
Email contains a Truth Social link (links.truthsocial.com) but does not originate from a Truth Social domain. This is a known malicious tactic.
Twitter infrastructure abuse via link shortener
Email contains a Twitter shortened link (t.co) but does not originate from a Twitter domain. This is a known malicious and spam tactic.
Unicode QR code
Identifies messages leveraging Unicode block characters (between U+2580 - U+259F) arranged on consecutive lines to create QR codes. The rule inspects both the overall quantity and specific formatting of these characters, while considering the sender's historical behavior and reputation.
Unusually long local part from untrusted sender address
Detects messages with unusually long local address parts (before the @) from senders outside trusted domains and without verified authentication.
URI protocol handler: search-ms
Detects HTML attachments using the search-ms URI protocol handler, a technique observed in the wild (ITW) to deliver malicious payloads. This rule can be updated to analyze links in PDF attachments and message bodies.
URL shortener blocklist
Message contains a URL shortener that is often used for phishing and infrequently used legitimately in an email environment.
URL shortener from suspicious sender TLD
Message contains a URL shortener and the TLD of the sender's domain is suspicious.
URL with Unicode U+2044 (⁄) or U+2215 (∕) characters
Body of the message, or any links, contain the Unicode U+2044 (⁄) or U+2215 (∕) characters inside a URL.
URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)
Detects URLhaus domains submitted by trusted reporters in message bodies or PDF attachments.
Vendor compromise: GovDelivery message with suspicious link
Detects messages from GovDelivery that contain links to non-government domains, URL shorteners, newly registered domains, or domains with suspicious redirects. GovDelivery is a digital communications system that lets government agencies send updates via email, text, and social media. We have observed compromised American municipal and county GovDelivery accounts delivering phishing emails.
Vendor impersonation: Thread hijacking with typosquat domain
Detects potential thread hijacking where the sender uses a domain similar to known senders, exhibits BEC behavior, and shows signs of compromised thread continuity through domain spoofing or thread manipulation.
Venmo payment request abuse
A fraudulent payment request, sent by abusing Venmo's platform, is found in the body of the message. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks, ranging from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
VIP / Executive impersonation (strict match, untrusted)
Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before. The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list . This rule is recommended for use on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender. Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
VIP / Executive impersonation in subject (untrusted)
Message subject contains the display name of a user in the $org_vips list, and the sender has never been seen before. The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list . This rule is recommended for use on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender. Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
VIP Impersonation via Google Group relay with suspicious indicators
Public Google Groups can be used to impersonate internal senders while the reply-to address is not under organizational control, leading to fraud, credential phishing, or other unwanted outcomes.
VIP impersonation with BEC language (near match, untrusted sender)
Sender is using a display name that matches the display name of someone in your $org_vips list. Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from untrusted senders.
VIP impersonation with charitable donation fraud
Fake email thread shows a VIP requesting a donation to a charity, usually addressed to Accounts Payable departments. Can result in monetary loss.
VIP impersonation with invoicing request
This rule detects emails attempting to impersonate a VIP. It leverages NLU to determine whether there is invoicing verbiage in the current thread, and requires request language.