Detection Method: Header analysis

Header analysis inspects the metadata in message headers to find suspicious patterns, anomalies, or inconsistencies that could indicate phishing, spoofing, or other types of malicious activity. It looks at various header fields like routing information, authentication results, and sender verification data to help spot potential threats.
This includes sender authentication headers like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) results to verify the sender's legitimacy. It also checks how the email traveled through mail servers, looking for any unusual routing that might suggest tampering.
Header analysis can detect:
  • Email spoofing, where attackers forge the sender’s address to appear legitimate
  • Mismatched or inconsistent sender details
  • Suspicious return paths that don’t match the expected sender
  • Unusual routing patterns that stand out from normal email flow
  • Authentication failures that signal potential impersonation attempts
For example, attackers might try to forge email headers to make phishing emails appear as if they’re coming from a trusted source like your bank or your company’s internal email. Header analysis helps you catch these attempts by identifying mismatches between the displayed sender and the actual sending server.
Blog Posts
Credential phishing Charles Schwab account holders with 2FA bypass · Blog · Sublime Security
Credential phishing Charles Schwab account holders with 2FA bypass · Blog · Sublime Security
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Callback phishing via invoice abuse and distribution list relays · Blog · Sublime Security
Callback phishing via invoice abuse and distribution list relays · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Adversarial ML: Extortion via LLM Manipulation Tactics · Blog · Sublime Security
Adversarial ML: Extortion via LLM Manipulation Tactics · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Attack Types (7):
Credential Phishing
Extortion
Malware/Ransomware
Callback Phishing
BEC/Fraud
Spam
Reconnaissance
Tactics & Techniques (21):
Impersonation: Brand
Social engineering
Spoofing
Evasion
Lookalike domain
QR code
Free file host
Free subdomain host
Open redirect
Out of band pivot
Free email provider
Encryption
PDF
Image as content
Impersonation: Employee
Impersonation: VIP
Scripting
HTML smuggling
Exploit
OneNote
Macros
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Service abuse: SendGrid impersonation via Sendgrid from new sender
14d ago
Dec 19th, 2025
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Header analysis
Sender analysis
/feeds/core/detection-rules/service-abuse-sendgrid-impersonation-via-sendgrid-from-new-sender-aa5d18ca
Extortion / sextortion (untrusted sender)
14d ago
Dec 19th, 2025
Sublime Security
Extortion
Social engineering
Spoofing
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/extortion-sextortion-untrusted-sender-265913eb
Brand impersonation: Google Drive fake file share
14d ago
Dec 19th, 2025
Sublime Security
Credential Phishing
Malware/Ransomware
Impersonation: Brand
Social engineering
Content analysis
Header analysis
URL analysis
Computer Vision
/feeds/core/detection-rules/brand-impersonation-google-drive-fake-file-share-b424a941
Brand Impersonation: ShareFile
14d ago
Dec 19th, 2025
Sublime Security
Credential Phishing
Impersonation: Brand
Evasion
Lookalike domain
Header analysis
Content analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-sharefile-f8330307
Service abuse: Monday.com infrastructure with phishing intent
15d ago
Dec 18th, 2025
Sublime Security
Credential Phishing
Evasion
Social engineering
QR code
Content analysis
File analysis
Header analysis
QR code analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/service-abuse-mondaycom-infrastructure-with-phishing-intent-a346e3b1
Service abuse: Google application integration redirecting to suspicious hosts
16d ago
Dec 17th, 2025
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
Free file host
Free subdomain host
Open redirect
Header analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/service-abuse-google-application-integration-redirecting-to-suspicious-hosts-473d3247
Brand impersonation: State Farm
16d ago
Dec 17th, 2025
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Spoofing
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-state-farm-bcf7eba0
Callback phishing via Microsoft comment
17d ago
Dec 16th, 2025
Sublime Security
Callback Phishing
Impersonation: Brand
Out of band pivot
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/callback-phishing-via-microsoft-comment-8346c7b9
Salesforce infrastructure abuse
17d ago
Dec 16th, 2025
Sublime Security
Credential Phishing
Evasion
Social engineering
Content analysis
Header analysis
Natural Language Understanding
URL analysis
/feeds/core/detection-rules/salesforce-infrastructure-abuse-78a77c70
Credential phishing: Suspicious e-sign agreement document notification
18d ago
Dec 15th, 2025
Sublime Security
Credential Phishing
Social engineering
Content analysis
Header analysis
HTML analysis
URL analysis
Sender analysis
/feeds/core/detection-rules/credential-phishing-suspicious-e-sign-agreement-document-notification-9b68c2d8
Brand impersonation: Microsoft Teams invitation
18d ago
Dec 15th, 2025
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Header analysis
HTML analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-microsoft-teams-invitation-46410ad8
Deceptive Dropbox mention
18d ago
Dec 15th, 2025
Sublime Security
Credential Phishing
Impersonation: Brand
Free file host
Free subdomain host
Social engineering
Header analysis
Content analysis
Natural Language Understanding
Sender analysis
URL analysis
/feeds/core/detection-rules/deceptive-dropbox-mention-58a107bc
Credential phishing: Engaging language and other indicators (untrusted sender)
21d ago
Dec 12th, 2025
Sublime Security
Credential Phishing
Free email provider
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
URL analysis
/feeds/core/detection-rules/credential-phishing-engaging-language-and-other-indicators-untrusted-sender-c2bc8ca2
Credential phishing: Suspicious subject with urgent financial request and link
21d ago
Dec 12th, 2025
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/credential-phishing-suspicious-subject-with-urgent-financial-request-and-link-056464f4
QR Code with suspicious indicators
21d ago
Dec 12th, 2025
Sublime Security
Credential Phishing
QR code
Social engineering
Content analysis
Header analysis
Computer Vision
Natural Language Understanding
QR code analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/qr-code-with-suspicious-indicators-04f5c34f
Brand impersonation: LinkedIn
22d ago
Dec 11th, 2025
Sublime Security
Credential Phishing
Impersonation: Brand
Lookalike domain
Social engineering
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-linkedin-1a0cde6d
Brand impersonation: Adobe Sign with suspicious indicators
22d ago
Dec 11th, 2025
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Header analysis
HTML analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-adobe-sign-with-suspicious-indicators-704d143a
Link: Self-sender with sender org in subject and credential theft indicator
22d ago
Dec 11th, 2025
Sublime Security
Credential Phishing
Social engineering
Evasion
Natural Language Understanding
Content analysis
Sender analysis
URL analysis
Header analysis
/feeds/core/detection-rules/link-self-sender-with-sender-org-in-subject-and-credential-theft-indicator-bfa9aa08
Link: Base64 encoded recipient address in URL fragment with subject hash
22d ago
Dec 11th, 2025
Sublime Security
Credential Phishing
Encryption
Evasion
Social engineering
Content analysis
URL analysis
Header analysis
/feeds/core/detection-rules/link-base64-encoded-recipient-address-in-url-fragment-with-subject-hash-eb9694b8
Attachment: Compensation review lure with QR code
23d ago
Dec 10th, 2025
Sublime Security
Credential Phishing
PDF
QR code
Social engineering
File analysis
Optical Character Recognition
QR code analysis
Natural Language Understanding
Sender analysis
Header analysis
/feeds/core/detection-rules/attachment-compensation-review-lure-with-qr-code-9fd8185c
Page 1 of 17