Attack Types
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Reconnaissance
Spam
Tactics and Techniques
Encryption
Evasion
Exploit
Free email provider
Free file host
Free subdomain host
HTML smuggling
Image as content
Impersonation: Brand
Impersonation: Employee
Impersonation: VIP
IPFS
ISO
LNK
Lookalike domain
Macros
OneNote
Open redirect
Out of band pivot
PDF
Punycode
QR code
Scripting
Social engineering
Spoofing
Detection Methods
Archive analysis
Content analysis
Computer Vision
Exif analysis
File analysis
Header analysis
HTML analysis
Javascript analysis
Macro analysis
Natural Language Understanding
Optical Character Recognition
OLE analysis
PDF analysis
QR code analysis
Sender analysis
Threat intelligence
URL analysis
URL screenshot
Whois
XML analysis
YARA
Attack Type: BEC/Fraud
Business Email Compromise (BEC) and fraud attacks rely on deception and social engineering. Instead of using links or attachments, attackers impersonate trusted figures like coworkers, executives, or vendors to trick you into sharing sensitive information or transferring funds. These attacks can bypass traditional security tools because the emails often seem harmless.
Expect fake invoices, urgent wire transfer requests, or a vendor asking you to update payment details. The first email is usually brief—just enough to start a conversation. The attacker might spoof a display name, reply to an old thread, or ask you to continue the conversation via personal email or phone. That is often the giveaway.
Even though these attacks may appear low-effort, the impact can be significant. They can lead to wire fraud, compliance violations, and damage to the organization's reputation. Organizations lose billions to BEC attacks each year.
Blog Posts
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Callback phishing via invoice abuse and distribution list relays · Blog · Sublime Security
B2B freight-forwarding scams on the rise to evade financial fraud crackdowns · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Combating GenAI Email Attacks with BERT LLM · Blog · Sublime Security
Payroll Fraud via LLM-Generated Emails · Blog · Sublime Security
Fake invoice used to conduct $16,800 BEC attempt · Blog · Sublime Security
Unmasking BEC attacks using Natural Language Understanding + MQL · Blog · Sublime Security
Tactics & Techniques (19):
Detection Methods (16):
Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail | 14h ago Mar 4th, 2026 | Sublime Security | /feeds/core/detection-rules/service-abuse-hungerrush-domain-with-sendgrid-tracking-targeting-protonmail-73f62e74 | |
BEC with unusual reply-to or return-path mismatch | 2d ago Mar 3rd, 2026 | Sublime Security | /feeds/core/detection-rules/bec-with-unusual-reply-to-or-return-path-mismatch-83e5e2df | |
Fake warning banner using confusable characters | 3d ago Mar 2nd, 2026 | Sublime Security | /feeds/core/detection-rules/fake-warning-banner-using-confusable-characters-179ee1ff | |
VIP impersonation with w2 request with reply-to mismatch | 6d ago Feb 27th, 2026 | Sublime Security | /feeds/core/detection-rules/vip-impersonation-with-w2-request-with-reply-to-mismatch-e7e73fad | |
VIP / Executive impersonation (strict match, untrusted) | 8d ago Feb 25th, 2026 | Sublime Security | /feeds/core/detection-rules/vip-executive-impersonation-strict-match-untrusted-e42c84b7 | |
Tax Form: W-8BEN solicitation | 10d ago Feb 23rd, 2026 | Sublime Security | /feeds/core/detection-rules/tax-form-w-8ben-solicitation-a64edb69 | |
Reconnaissance: Email address harvesting attempt | 10d ago Feb 23rd, 2026 | Sublime Security | /feeds/core/detection-rules/reconnaissance-email-address-harvesting-attempt-bb31efbc | |
Link: WordPress login page with Blogspot Binance scam | 16d ago Feb 17th, 2026 | Sublime Security | /feeds/core/detection-rules/link-wordpress-login-page-with-blogspot-binance-scam-909dfae5 | |
Link: Hotel booking spoofed display URL | 16d ago Feb 17th, 2026 | Sublime Security | /feeds/core/detection-rules/link-hotel-booking-spoofed-display-url-96deeec7 | |
File sharing link with a suspicious subject | 16d ago Feb 17th, 2026 | Sublime Security | /feeds/core/detection-rules/file-sharing-link-with-a-suspicious-subject-a306e2a6 | |
Credential phishing: Generic document sharing | 19d ago Feb 14th, 2026 | Sublime Security | /feeds/core/detection-rules/credential-phishing-generic-document-sharing-9f0e1d2c | |
Russia return-path TLD (untrusted sender) | 20d ago Feb 13th, 2026 | Sublime Security | /feeds/core/detection-rules/russia-return-path-tld-untrusted-sender-588b3954 | |
Credential phishing: Tax form impersonation with payment request | 20d ago Feb 13th, 2026 | Sublime Security | /feeds/core/detection-rules/credential-phishing-tax-form-impersonation-with-payment-request-717695cf | |
PayPal invoice abuse | 22d ago Feb 11th, 2026 | Sublime Security | /feeds/core/detection-rules/paypal-invoice-abuse-0ff7a0d4 | |
Reconnaissance: Empty subject with mismatched reply-to from new sender | 27d ago Feb 6th, 2026 | Sublime Security | /feeds/core/detection-rules/reconnaissance-empty-subject-with-mismatched-reply-to-from-new-sender-12f4bd45 | |
Canva infrastructure abuse | 27d ago Feb 6th, 2026 | Sublime Security | /feeds/core/detection-rules/canva-infrastructure-abuse-b69fdb5c | |
Attachment: Legal themed message or PDF with suspicious indicators | 28d ago Feb 5th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-legal-themed-message-or-pdf-with-suspicious-indicators-19133301 | |
Attachment: PDF contains W9 or invoice YARA signatures | 29d ago Feb 4th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-pdf-contains-w9-or-invoice-yara-signatures-9a8e8a98 | |
Suspicious display name: Gmail sender with engaging languages | 30d ago Feb 3rd, 2026 | Sublime Security | /feeds/core/detection-rules/suspicious-display-name-gmail-sender-with-engaging-languages-82ca0ff1 | |
Impersonation: Executive using numbered local part | 1mo ago Jan 30th, 2026 | Sublime Security | /feeds/core/detection-rules/impersonation-executive-using-numbered-local-part-8e005a22 |
Page 1 of 8