Detection Method: Content analysis

Content analysis looks at the language and structure of a message to identify signs of phishing, social engineering, and other malicious intent. Instead of scanning for keywords, this method uses natural language understanding (NLU) to detect meaning, intent, and tone across the message.
Content analysis helps detect:
  • BEC attempts with urgent messages from executive impersonators
  • Credential phishing disguised as login or document notifications
  • Callback scams posing as account renewals or fake support
  • Extortion threats or blackmail messages
  • Financial or personal data requests in suspicious contexts
  • Fake job offers targeting employees
  • Invoice fraud, payroll fraud, and more
For example, a phishing email may impersonate a CFO asking for a wire transfer. Content analysis can flag the urgent tone, financial context, and impersonation attempt.
Blog Posts
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Callback phishing via invoice abuse and distribution list relays · Blog · Sublime Security
Callback phishing via invoice abuse and distribution list relays · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Adversarial ML: Extortion via LLM Manipulation Tactics · Blog · Sublime Security
Adversarial ML: Extortion via LLM Manipulation Tactics · Blog · Sublime Security
Fake invoice used to conduct $16,800 BEC attempt · Blog · Sublime Security
Fake invoice used to conduct $16,800 BEC attempt · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Call Me Maybe? The Rise of Callback Phishing Emails · Blog · Sublime Security
Call Me Maybe? The Rise of Callback Phishing Emails · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Attack Types (7):
Credential Phishing
BEC/Fraud
Extortion
Malware/Ransomware
Callback Phishing
Spam
Reconnaissance
Tactics & Techniques (26):
PDF
Social engineering
Evasion
Open redirect
Free file host
Spoofing
Impersonation: Brand
Lookalike domain
QR code
Impersonation: Employee
Free subdomain host
Out of band pivot
Free email provider
Image as content
Encryption
Exploit
Impersonation: VIP
Credential Phishing
HTML injection
HTML smuggling
Scripting
OneNote
Macros
IPFS
LNK
ISO
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Attachment: Suspicious employee policy update document lure
7d ago
Dec 26th, 2025
Sublime Security
Credential Phishing
PDF
Social engineering
Evasion
Content analysis
File analysis
Sender analysis
/feeds/core/detection-rules/attachment-suspicious-employee-policy-update-document-lure-a8bf1fd1
Service abuse: Formester with suspicious link behavior
14d ago
Dec 19th, 2025
Sublime Security
Credential Phishing
BEC/Fraud
Open redirect
Social engineering
Free file host
Computer Vision
Content analysis
URL analysis
URL screenshot
/feeds/core/detection-rules/service-abuse-formester-with-suspicious-link-behavior-e4b74fd4
Extortion / sextortion (untrusted sender)
14d ago
Dec 19th, 2025
Sublime Security
Extortion
Social engineering
Spoofing
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/extortion-sextortion-untrusted-sender-265913eb
Brand impersonation: Google Drive fake file share
14d ago
Dec 19th, 2025
Sublime Security
Credential Phishing
Malware/Ransomware
Impersonation: Brand
Social engineering
Content analysis
Header analysis
URL analysis
Computer Vision
/feeds/core/detection-rules/brand-impersonation-google-drive-fake-file-share-b424a941
Brand Impersonation: ShareFile
14d ago
Dec 19th, 2025
Sublime Security
Credential Phishing
Impersonation: Brand
Evasion
Lookalike domain
Header analysis
Content analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-sharefile-f8330307
Service abuse: Monday.com infrastructure with phishing intent
15d ago
Dec 18th, 2025
Sublime Security
Credential Phishing
Evasion
Social engineering
QR code
Content analysis
File analysis
Header analysis
QR code analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/service-abuse-mondaycom-infrastructure-with-phishing-intent-a346e3b1
Fake voicemail notification (untrusted sender)
15d ago
Dec 18th, 2025
Sublime Security
Credential Phishing
Social engineering
Content analysis
Natural Language Understanding
Sender analysis
URL analysis
/feeds/core/detection-rules/fake-voicemail-notification-untrusted-sender-74ba7787
Xero invoice abuse
16d ago
Dec 17th, 2025
Sublime Security
BEC/Fraud
Credential Phishing
Impersonation: Brand
Impersonation: Employee
Social engineering
Natural Language Understanding
Content analysis
Sender analysis
/feeds/core/detection-rules/xero-invoice-abuse-6538c600
Self-sent fake PDF attachment with misleading link
17d ago
Dec 16th, 2025
Sublime Security
Credential Phishing
Evasion
Free subdomain host
Social engineering
Content analysis
URL analysis
Sender analysis
/feeds/core/detection-rules/self-sent-fake-pdf-attachment-with-misleading-link-8a285d2e
Callback phishing via Microsoft comment
17d ago
Dec 16th, 2025
Sublime Security
Callback Phishing
Impersonation: Brand
Out of band pivot
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/callback-phishing-via-microsoft-comment-8346c7b9
Salesforce infrastructure abuse
17d ago
Dec 16th, 2025
Sublime Security
Credential Phishing
Evasion
Social engineering
Content analysis
Header analysis
Natural Language Understanding
URL analysis
/feeds/core/detection-rules/salesforce-infrastructure-abuse-78a77c70
Credential phishing: Suspicious e-sign agreement document notification
18d ago
Dec 15th, 2025
Sublime Security
Credential Phishing
Social engineering
Content analysis
Header analysis
HTML analysis
URL analysis
Sender analysis
/feeds/core/detection-rules/credential-phishing-suspicious-e-sign-agreement-document-notification-9b68c2d8
Business Email Compromise: Request for mobile number via reply thread hijacking
18d ago
Dec 15th, 2025
Sublime Security
BEC/Fraud
Social engineering
Content analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/business-email-compromise-request-for-mobile-number-via-reply-thread-hijacking-0282f346
Attachment: Calendar file with invisible Unicode characters
18d ago
Dec 15th, 2025
Sublime Security
BEC/Fraud
Credential Phishing
Malware/Ransomware
Evasion
File analysis
Content analysis
/feeds/core/detection-rules/attachment-calendar-file-with-invisible-unicode-characters-050fceac
Brand impersonation: Microsoft Teams invitation
18d ago
Dec 15th, 2025
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Header analysis
HTML analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-microsoft-teams-invitation-46410ad8
Deceptive Dropbox mention
18d ago
Dec 15th, 2025
Sublime Security
Credential Phishing
Impersonation: Brand
Free file host
Free subdomain host
Social engineering
Header analysis
Content analysis
Natural Language Understanding
Sender analysis
URL analysis
/feeds/core/detection-rules/deceptive-dropbox-mention-58a107bc
Credential phishing: Engaging language and other indicators (untrusted sender)
21d ago
Dec 12th, 2025
Sublime Security
Credential Phishing
Free email provider
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
URL analysis
/feeds/core/detection-rules/credential-phishing-engaging-language-and-other-indicators-untrusted-sender-c2bc8ca2
Cyrillic vowel substitutions with suspicious subject from unknown sender
21d ago
Dec 12th, 2025
Sublime Security
Credential Phishing
Evasion
Impersonation: Brand
Social engineering
Content analysis
Sender analysis
/feeds/core/detection-rules/cyrillic-vowel-substitutions-with-suspicious-subject-from-unknown-sender-10251c3c
Credential phishing: Suspicious subject with urgent financial request and link
21d ago
Dec 12th, 2025
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/credential-phishing-suspicious-subject-with-urgent-financial-request-and-link-056464f4
Brand impersonation: Wise
21d ago
Dec 12th, 2025
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/brand-impersonation-wise-01480f95
Page 1 of 21