Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
---|---|---|---|---|
Xero Infrastructure Abuse | 6h ago May 23rd, 2025 | Sublime Security | /feeds/core/detection-rules/xero-infrastructure-abuse-918c4bd3 | |
Reconnaissance: All recipients cc/bcc'd or undisclosed | 1d ago May 22nd, 2025 | Sublime Security | /feeds/core/detection-rules/reconnaissance-all-recipients-ccbccd-or-undisclosed-420f60d3 | |
Reconnaissance: Large unknown recipient list | 1d ago May 22nd, 2025 | Sublime Security | /feeds/core/detection-rules/reconnaissance-large-unknown-recipient-list-24783a28 | |
Callback phishing via Intuit service abuse | 2d ago May 21st, 2025 | Sublime Security | /feeds/core/detection-rules/callback-phishing-via-intuit-service-abuse-f2fe1294 | |
Corporate Services Impersonation Phishing | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/corporate-services-impersonation-phishing-3cd04f33 | |
Attachment: Adobe image lure in body or attachment with suspicious link | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/attachment-adobe-image-lure-in-body-or-attachment-with-suspicious-link-1d7add81 | |
EML attachment with credential theft language (unknown sender) | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/eml-attachment-with-credential-theft-language-unknown-sender-00e06af1 | |
ClickFunnels link infrastructure abuse | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/clickfunnels-link-infrastructure-abuse-9192fbe9 | |
Brand Impersonation: Zoom | 8d ago May 15th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-zoom-5abad540 | |
Brand impersonation: Microsoft | 8d ago May 15th, 2025 | @amitchell516 | /feeds/core/detection-rules/brand-impersonation-microsoft-6e2f04e6 | |
Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-suspicious-sender-or-recipient-pattern-2ac0d329 | |
Spam: Attendee List solicitation | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/spam-attendee-list-solicitation-69715b62 | |
Fake email quarantine notification | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/fake-email-quarantine-notification-73f26a3d | |
Salesforce Infrastructure Abuse | 14d ago May 9th, 2025 | Sublime Security | /feeds/core/detection-rules/salesforce-infrastructure-abuse-78a77c70 | |
Link: Display Text Matches Subject Line | 14d ago May 9th, 2025 | Sublime Security | /feeds/core/detection-rules/link-display-text-matches-subject-line-ba722cf0 | |
Brand impersonation: Microsoft with low reputation links | 16d ago May 7th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6 | |
Credential phishing: Engaging language and other indicators (untrusted sender) | 16d ago May 7th, 2025 | Sublime Security | /feeds/core/detection-rules/credential-phishing-engaging-language-and-other-indicators-untrusted-sender-c2bc8ca2 | |
Microsoft Device Code Phishing | 16d ago May 7th, 2025 | @ajpc500 | /feeds/core/detection-rules/microsoft-device-code-phishing-61f3ae67 | |
Link: Direct POWR.io Form Builder with Suspicious Patterns | 18d ago May 5th, 2025 | Sublime Security | /feeds/core/detection-rules/link-direct-powrio-form-builder-with-suspicious-patterns-fd37cc93 | |
Brand Impersonation: Microsoft Teams Invitation | 18d ago May 5th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-microsoft-teams-invitation-46410ad8 | |