Detection Method: Header analysis

Header analysis inspects the metadata in message headers to find suspicious patterns, anomalies, or inconsistencies that could indicate phishing, spoofing, or other types of malicious activity. It looks at various header fields like routing information, authentication results, and sender verification data to help spot potential threats.
This includes sender authentication headers like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) results to verify the sender's legitimacy. It also checks how the email traveled through mail servers, looking for any unusual routing that might suggest tampering.
Header analysis can detect:
  • Email spoofing, where attackers forge the sender’s address to appear legitimate
  • Mismatched or inconsistent sender details
  • Suspicious return paths that don’t match the expected sender
  • Unusual routing patterns that stand out from normal email flow
  • Authentication failures that signal potential impersonation attempts
For example, attackers might try to forge email headers to make phishing emails appear as if they’re coming from a trusted source like your bank or your company’s internal email. Header analysis helps you catch these attempts by identifying mismatches between the displayed sender and the actual sending server.
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Brand impersonation: Squarespace
18h ago
Jul 15th, 2026
Sublime Security
Stripe invoice abuse
2d ago
Jul 14th, 2026
Sublime Security
Brand impersonation: FedEx
2d ago
Jul 14th, 2026
Sublime Security
Link: Multistage landing - Abused Adobe Acrobat hosted PDF
2d ago
Jul 14th, 2026
Sublime Security
Service abuse: Notion free-tier account impersonating VIP
2d ago
Jul 14th, 2026
Sublime Security
Brand impersonation: GoDaddy
2d ago
Jul 14th, 2026
Sublime Security
VIP impersonation: Payment handoff with VIP display name authored fake threads
3d ago
Jul 13th, 2026
Sublime Security
VIP impersonation: VIP payment redirect handoff via fake threads
3d ago
Jul 13th, 2026
Sublime Security
VIP impersonation: Fake thread with VIPs missing email metadata
3d ago
Jul 13th, 2026
Sublime Security
Link: Generic financial document with proceedural timeline template
6d ago
Jul 10th, 2026
Sublime Security
Brand impersonation: Wix
6d ago
Jul 10th, 2026
Sublime Security
Brand impersonation: Amazon
6d ago
Jul 10th, 2026
Sublime Security
Brand impersonation: AARP
7d ago
Jul 9th, 2026
Sublime Security
Brand impersonation: OpenAI with payment issues
7d ago
Jul 9th, 2026
Sublime Security
Brand impersonation: Chase Bank
7d ago
Jul 9th, 2026
Sublime Security
Observed IOC: Malicious sender email addresses
7d ago
Jul 9th, 2026
Sublime Security
VIP impersonation: VIP name within a delimited subject with fake previous threads
8d ago
Jul 8th, 2026
Sublime Security
VIP impersonation: Fabricated thread history with fake VIP recipients
8d ago
Jul 8th, 2026
Sublime Security
Brand impersonation: Quickbooks
8d ago
Jul 8th, 2026
Sublime Security
Zoom Events newsletter abuse
8d ago
Jul 8th, 2026
Sublime Security