- Header analysis
Attack Types
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Reconnaissance
Spam
Tactics and Techniques
Encryption
Evasion
Exploit
Free email provider
Free file host
Free subdomain host
HTML smuggling
Image as content
Impersonation: Brand
Impersonation: Employee
Impersonation: VIP
IPFS
ISO
LNK
Lookalike domain
Macros
OneNote
Open redirect
Out of band pivot
PDF
Punycode
QR code
Scripting
Social engineering
Spoofing
Detection Methods
Archive analysis
Content analysis
Computer Vision
Exif analysis
File analysis
Header analysis
HTML analysis
Javascript analysis
Macro analysis
Natural Language Understanding
Optical Character Recognition
OLE analysis
PDF analysis
QR code analysis
Sender analysis
Threat intelligence
URL analysis
URL screenshot
Whois
XML analysis
YARA
Detection Method: Header analysis
Header analysis inspects the metadata in message headers to find suspicious patterns, anomalies, or inconsistencies that could indicate phishing, spoofing, or other types of malicious activity. It looks at various header fields like routing information, authentication results, and sender verification data to help spot potential threats.
This includes sender authentication headers like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) results to verify the sender's legitimacy. It also checks how the email traveled through mail servers, looking for any unusual routing that might suggest tampering.
Header analysis can detect:
- Email spoofing, where attackers forge the sender’s address to appear legitimate
- Mismatched or inconsistent sender details
- Suspicious return paths that don’t match the expected sender
- Unusual routing patterns that stand out from normal email flow
- Authentication failures that signal potential impersonation attempts
For example, attackers might try to forge email headers to make phishing emails appear as if they’re coming from a trusted source like your bank or your company’s internal email. Header analysis helps you catch these attempts by identifying mismatches between the displayed sender and the actual sending server.
Blog Posts
Credential phishing Charles Schwab account holders with 2FA bypass · Blog · Sublime Security
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Callback phishing via invoice abuse and distribution list relays · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Adversarial ML: Extortion via LLM Manipulation Tactics · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Attack Types (7):
Tactics & Techniques (21):
Page 1 of 19