Sublime Security Attack Spotlight: Social Engineering attack that employs command and text injection in the message body to evade LLM detection.

Adversarial ML: Extortion via LLM Manipulation Tactics

sentry

click_tracking

disable_posthog_tracking

suborganization_creation

microsoft_non_admin_onboarding

google_non_admin_onboarding

hide_hip_progress_bar

expose_inline_message_meta

safelinks_click_tracking

show_enable_inline_processing

mlv_actions_filter

attack_score_likely_benign

search_recipients_field

self_serve_password_reset

rlv_auto_review

rule_effectiveness_auto_review

m365_mailbox_counts

ms365_cert_based_auth

mdv_redirect_original_canonical_id_to_cluster_id

ignore_asr_priority_counts

priority_view_overview

mql_as_graymail

mdv_summary_card

mql_as_spam

self_serve_fix_gmail_reports

overview_v2_fe

overview_v2_labels

message_group_filters

hip_mlv_sticky_table_revalidation

remediation_in_progress_ui

mdv_large_insight_cells

rule_exclusions_in_elv

message_groups_best_match

inline_webhook_alerts

force_disable_all_frontend_slurp_restrictions

onboarding_abuse_mailbox_route

mdv_asa

custom_rbac_ui

mdv_asa_button_all_messages

mdv_asa_overview_card

new_rule_detail_view

public_label_detail_view

asa_full_response

disable_mailboxes_ui

asa_in_eml_analyzer_ui

email_bomb_mdv

user_reports_top_reporters_ui

user_reports_sankey_ui

email_bomb

custom_webhook_payload_ui

improved_mailbox_management

oletools_output_ui

user_reports_top_labels_ui

stratum_mlvs

edit_default_list_ui

mdv_feedback_modal

Detects encrypted Microsoft Office document attachments (Word, Excel, PowerPoint, Access) from untrusted senders or high-trust senders failing DMARC authentication, which may indicate an effort to bypass security scanning.

Encrypted Microsoft Office Files From Untrusted Senders

Detects extortion and sextortion attempts by analyzing attachment text from an untrusted sender.

Extortion / Sextortion in Attachment From Untrusted Sender

Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.


Extortion / sextortion (untrusted sender)

Detects inbound messages from senders using Vanguard-like display names or domains, excluding legitimate Vanguard domains and authenticated communications. Additional checks ensure the sender is not from trusted organizational domains or high-trust sender domains with proper authentication.

Brand Impersonation: Vanguard

Detects messages claiming to be from WeTransfer that contain suspicious indicators, including misspelled domains, non-standard TLDs, suspicious file reference numbers, and French language variations. Excludes legitimate WeTransfer traffic with valid DMARC authentication.

Brand Impersonation: WeTransfer

Rule Name & Severity	Last Updated	Author	Types, Tactics & Capabilities
Encrypted Microsoft Office Files From Untrusted Senders	14d ago Jun 4th, 2025 UTC	Sublime Security	BEC/Fraud Callback Phishing Credential Phishing Extortion Malware/Ransomware Spam Encryption Evasion File analysis YARA Sender analysis	/feeds/core/detection-rules/encrypted-microsoft-office-files-from-untrusted-senders-eb7b26e7
Extortion / Sextortion in Attachment From Untrusted Sender	16d ago Jun 2nd, 2025 UTC	Sublime Security	Extortion Social engineering Spoofing Computer Vision Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/extortion-sextortion-in-attachment-from-untrusted-sender-3cb8d32c
Extortion / sextortion (untrusted sender)	16d ago Jun 2nd, 2025 UTC	Sublime Security	Extortion Social engineering Spoofing Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/extortion-sextortion-untrusted-sender-265913eb
Brand Impersonation: Vanguard	2mo ago Apr 11th, 2025 UTC	Sublime Security	BEC/Fraud Callback Phishing Credential Phishing Extortion Malware/Ransomware Spam Impersonation: Brand Natural Language Understanding Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-vanguard-3bd048fe
Brand Impersonation: WeTransfer	3mo ago Mar 12th, 2025 UTC	Sublime Security	BEC/Fraud Callback Phishing Credential Phishing Extortion Malware/Ransomware Spam Impersonation: Brand Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-wetransfer-e37885ad

Attack Type: Extortion