Detection Method: Header analysis

Header analysis inspects the metadata in message headers to find suspicious patterns, anomalies, or inconsistencies that could indicate phishing, spoofing, or other types of malicious activity. It looks at various header fields like routing information, authentication results, and sender verification data to help spot potential threats.
This includes sender authentication headers like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) results to verify the sender's legitimacy. It also checks how the email traveled through mail servers, looking for any unusual routing that might suggest tampering.
Header analysis can detect:
  • Email spoofing, where attackers forge the sender’s address to appear legitimate
  • Mismatched or inconsistent sender details
  • Suspicious return paths that don’t match the expected sender
  • Unusual routing patterns that stand out from normal email flow
  • Authentication failures that signal potential impersonation attempts
For example, attackers might try to forge email headers to make phishing emails appear as if they’re coming from a trusted source like your bank or your company’s internal email. Header analysis helps you catch these attempts by identifying mismatches between the displayed sender and the actual sending server.
Blog Posts
Credential phishing Charles Schwab account holders with 2FA bypass · Blog · Sublime Security
Credential phishing Charles Schwab account holders with 2FA bypass · Blog · Sublime Security
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Callback phishing via invoice abuse and distribution list relays · Blog · Sublime Security
Callback phishing via invoice abuse and distribution list relays · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Adversarial ML: Extortion via LLM Manipulation Tactics · Blog · Sublime Security
Adversarial ML: Extortion via LLM Manipulation Tactics · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Attack Types (7):
Credential Phishing
BEC/Fraud
Extortion
Callback Phishing
Spam
Malware/Ransomware
Reconnaissance
Tactics & Techniques (21):
Social engineering
Impersonation: Brand
Evasion
Spoofing
Free email provider
Lookalike domain
Impersonation: Employee
QR code
Out of band pivot
Impersonation: VIP
Free file host
PDF
Image as content
Free subdomain host
HTML smuggling
Macros
Exploit
Open redirect
Encryption
OneNote
Scripting
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Link: Personal SharePoint with invalid recipients and credential theft language
16m ago
Jan 23rd, 2026
Sublime Security
Credential Phishing
Social engineering
Content analysis
Header analysis
Natural Language Understanding
URL analysis
/feeds/core/detection-rules/link-personal-sharepoint-with-invalid-recipients-and-credential-theft-language-79d5403d
Brand impersonation: File sharing notification with template artifacts
16m ago
Jan 23rd, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Evasion
HTML analysis
Computer Vision
Content analysis
Header analysis
/feeds/core/detection-rules/brand-impersonation-file-sharing-notification-with-template-artifacts-37d89611
Service abuse: Adobe legitimate domain with document approval language
15h ago
Jan 23rd, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Social engineering
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/service-abuse-adobe-legitimate-domain-with-document-approval-language-237f4da4
Extortion / sextortion (untrusted sender)
20h ago
Jan 22nd, 2026
Sublime Security
Extortion
Social engineering
Spoofing
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/extortion-sextortion-untrusted-sender-265913eb
BEC/Fraud: Romance scam
23h ago
Jan 22nd, 2026
Sublime Security
BEC/Fraud
Free email provider
Social engineering
Content analysis
Header analysis
/feeds/core/detection-rules/becfraud-romance-scam-0243cdaa
Brand impersonation: Dropbox
1d ago
Jan 22nd, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
File analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-dropbox-61f11d12
Callback phishing via calendar invite
1d ago
Jan 22nd, 2026
Sublime Security
Callback Phishing
Social engineering
Evasion
File analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/callback-phishing-via-calendar-invite-95c84360
Brand impersonation: AuthentiSign
2d ago
Jan 21st, 2026
Sublime Security
Credential Phishing
BEC/Fraud
Impersonation: Brand
Lookalike domain
Social engineering
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-authentisign-445a8c8b
Brand impersonation: Blockchain[.]com
2d ago
Jan 21st, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Lookalike domain
Social engineering
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-blockchaincom-0d85e555
Link: Self-sent message with quarterly document review request
2d ago
Jan 21st, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Social engineering
Evasion
Content analysis
Header analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/link-self-sent-message-with-quarterly-document-review-request-3c42cec6
Job scam with specific salary pattern
2d ago
Jan 21st, 2026
Sublime Security
BEC/Fraud
Social engineering
Content analysis
Natural Language Understanding
Header analysis
Sender analysis
/feeds/core/detection-rules/job-scam-with-specific-salary-pattern-af7f9e21
Impersonation: Internal corporate services
3d ago
Jan 20th, 2026
Sublime Security
Credential Phishing
Impersonation: Employee
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/impersonation-internal-corporate-services-3cd04f33
Brand impersonation: Xodo Sign
7d ago
Jan 16th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-xodo-sign-e6139052
Brand impersonation: Quickbooks
8d ago
Jan 15th, 2026
Sublime Security
Callback Phishing
Credential Phishing
Impersonation: Brand
Social engineering
Computer Vision
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-quickbooks-4fd791d1
Subject: Suspicious bracketed reference
11d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
Evasion
Impersonation: Brand
Header analysis
Content analysis
/feeds/core/detection-rules/subject-suspicious-bracketed-reference-663dbce4
Brand impersonation: SendGrid
11d ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Spam
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
/feeds/core/detection-rules/brand-impersonation-sendgrid-d800124f
Sendgrid onmicrosoft.com domain phishing
11d ago
Jan 12th, 2026
@ajpc500
Credential Phishing
Evasion
Header analysis
/feeds/core/detection-rules/sendgrid-onmicrosoftcom-domain-phishing-271f4ae9
Attachment: HTML smuggling - QR Code with suspicious links
11d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
QR code
Computer Vision
Header analysis
Natural Language Understanding
QR code analysis
Sender analysis
URL analysis
URL screenshot
/feeds/core/detection-rules/attachment-html-smuggling-qr-code-with-suspicious-links-010e757d
Callback phishing via DocuSign comment
11d ago
Jan 12th, 2026
Sublime Security
Callback Phishing
Evasion
Impersonation: Brand
Out of band pivot
Social engineering
Content analysis
Computer Vision
Header analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/callback-phishing-via-docusign-comment-48aec918
Russia return-path TLD (untrusted sender)
11d ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Malware/Ransomware
Header analysis
Sender analysis
/feeds/core/detection-rules/russia-return-path-tld-untrusted-sender-588b3954
Page 1 of 17