Sublime Core Feed

BEC/Fraud often involves deceptive tactics that don't require malicious content as well as the impersonation of employees, VIPs, vendors, or other trusted entities to deceive employees into transferring funds or sharing sensitive data. Lacking malicious URLs or attachments, they exploit human vulnerabilities and rely on social engineering tactics.

Callback phishing involves the impersonation of reputable organizations to persuade victims into calling a phone number, thereby bypassing traditional email-based phishing detection. This leads to potential outcomes like fraud, data theft, identity theft, and malware distribution.

Credential phishing involves tricking victims into providing their login credentials, often through deceptive email messages and websites that mimic legitimate platforms. The stolen credentials are then used to access sensitive data or commit fraudulent activities.

Extortion involves coercing victims by holding sensitive information or assets hostage while demanding ransom or other concessions.

Malware/Ransomware involves the distribution of malicious software. Once infiltrated, this software can hijack, damage, or block access to systems, often requiring a ransom payment for data retrieval.

Attackers use reconnaissance emails to test the waters of an organization's email security defenses, verifying deliverability to intended recipients, confirming the validity of specific email addresses, and assessing the effectiveness of spam filters and other security measures in place. The information gathered from these reconnaissance activities can then be used to tailor more targeted and damaging attacks, such as credential phishing or business email compromise (BEC) attacks, with a higher chance of success.

Spam is unsolicited bulk email, primarily sent for commercial or marketing purposes.

Uses encryption to hide malicious content, making it harder for security systems to analyze and detect phishing attempts.

Refers to any deliberate effort by threat actors to obfuscate, circumvent, or bypass detection methods to ensure their malicious activities remain undetected or undeterred.

Abuses software vulnerabilities to gain unauthorized access or deliver malware to a target system.

Use of a free email provider like Gmail, capitalizing on the established reputation and ubiquity these services have in legitimate email traffic.

Abuses free file hosting services to distribute harmful files, often bypassing traditional attachment based analysis.

Creates deceptive subdomains on free hosting platforms with established reputation to impersonate legitimate websites for phishing attacks.

Uses HTML5 features to smuggle malicious code across the network and onto a victim’s system, evading traditional network based detection.

Evades traditional text based detection by putting the content of the message in an image. These images typically don’t execute code or contain scripting, but the images themselves can often be the linked element.

Involves mimicking well-known brands to deceive recipients and exploit the trust associated with those brands.

Poses as employees, managers, or internal contractors to capitalize on the recipient's trust and familiarity to manipulate or deceive them.

Poses as company VIPs to exploit the inherent trust and urgency associated with these roles, and instigate fraudulent financial transactions, manipulate internal processes, or convince employees to perform actions that undermine the security or integrity of the organization.

Abuses IPFS (InterPlanetary File System) to host and distribute phishing content, evading traditional takedown methods.

Uses ISO image files to circumvent analysis and deliver malware.

Uses LNK files to discreetly execute malicious code.

Uses domains that closely resemble legitimate domains to deceive and mislead users.

Executes malicious code, typically in Microsoft Office documents, that can be weaponized by threat actors to serve as a delivery mechanism for malware or as a foothold into a system, capitalizing on user trust in familiar attachment types.

Uses OneNote files to circumvent analysis and deliver malicious payloads or solicit credentials.

Exploits vulnerabilities in web applications that allow attackers to redirect users from a trusted site to a malicious site, often used for phishing or malware distribution.

Attempts to change communication medium (e.g. email → phone) to move to a less protected ecosystem.

Uses PDF files, often to deliver malware of embedded phishing links.

Creates deceptive URLs with unicode strings, specifically those containing special or non-English characters. Punycode can be misused to craft visually similar URL's in phishing attacks to trick users into believing they are visiting a trusted website, when they are actually being directed to a malicious one.

Uses QR Codes to direct victims to malicious websites, often leading to data theft or malware installation.

Employs scripts (e.g., JavaScript) to obfuscate attacks and make analysis more difficult.

Manipulates human psychology to trick individuals into revealing sensitive information, such as passwords or financial details.

Disguises communication from an unknown source as being from a known, trusted source, often to deceive recipients or systems.

Archive analysis involves examining the contents of compressed files or packages to detect, extract, and assess potential threats.

Computer Vision examines images embedded in messages or websites to identify visual cues that may indicate malicious intent. This includes identifying logos of reputable companies used to deceive users, fake login pages, fraudulent payment screens, and more.

Content analysis refers to the scrutiny of a message's text to detect potential threats, suspicious behavior or malicious intent.

Exif analysis refers to the scrutiny of metadata present across various file types, providing insights into attributes like authorship, timestamps, software versions, and more.

File analysis deconstructs files into their smaller components for a thorough inspection. It involves recursive processing to extract and analyze all components and internal structures, allowing the identification of malicious scripts, suspicious executables, and hidden texts.

Header analysis examines message headers for irregularities or signs of phishing tactics.

HTML analysis scans HTML code in web pages or attachments for malicious elements.

Javascript analysis examines Javascript (JS) code in message bodies, attachments, and linked pages for suspicious or known malicious elements, including basic scripts and unescaped sequences.

Macro analysis detects macros, typically embedded in Microsoft Office documents, designed to execute malicious code as a delivery mechanism for malware or to establish a foothold on a system.

Natural Language Understanding (NLU) applies Machine Learning to analyze text-based content in messages. The extracted analysis, including Tone, Intents, Tags, and keyword recognition, can be used to identify and categorize language commonly used by threat actors.

OLE (Object Linking and Embedding) analysis inspects objects in documents to identify malicious content.

Optical Character Recognition (OCR) extracts text from images, enabling analysis of scanned or image-based content.

QR code analysis identifies the type of data — URL, text, or other data types — stored within the QR code.

Sender analysis examines the sender’s details, such as domain, email address, frequency of contact, and other signals to inform decisions about the sender’s authenticity and relationship with the recipient.

Threat intelligence leverages data on known and emerging phishing threats. It can include information such as malicious URLs, domains, file hashes, IP addresses, and more.

URL analysis inspects and classifies links in message bodies or attachments. It covers various aspects such as body links, URLs, reputation, paths, and query parameters. LinkAnalysis, a type of URL analysis, submits suspicious URLs to a headless browser to resolve the effective URL and capture a screenshot for further analysis.

Screenshots of linked web pages are visually inspected for phishing content or suspicious sites.

Domain registration information is retrieved from Whois databases to detect suspicious or newly created domains.

XML files are scanned for potential phishing elements, such as scripts or embedded URLs.

Messages are evaluated for matching YARA signatures. YARA is a pattern matching language used to identify known malware families or behavior based on regular expression and textual or binary patterns.