- Header analysis
Detection Method: Header analysis
Header analysis inspects the metadata in message headers to find suspicious patterns, anomalies, or inconsistencies that could indicate phishing, spoofing, or other types of malicious activity. It looks at various header fields like routing information, authentication results, and sender verification data to help spot potential threats.
This includes sender authentication headers like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) results to verify the sender's legitimacy. It also checks how the email traveled through mail servers, looking for any unusual routing that might suggest tampering.
Header analysis can detect:
- Email spoofing, where attackers forge the sender’s address to appear legitimate
- Mismatched or inconsistent sender details
- Suspicious return paths that don’t match the expected sender
- Unusual routing patterns that stand out from normal email flow
- Authentication failures that signal potential impersonation attempts
For example, attackers might try to forge email headers to make phishing emails appear as if they’re coming from a trusted source like your bank or your company’s internal email. Header analysis helps you catch these attempts by identifying mismatches between the displayed sender and the actual sending server.
Blog Posts
Credential phishing Charles Schwab account holders with 2FA bypass
Hiding a $50,000 BEC financial fraud in a fake email thread
Callback phishing via invoice abuse and distribution list relays
Detecting malicious AnonymousFox email messages sent from compromised sites
Talking phish over turkey
Hidden credential phishing within EML attachments
Living Off the Land: Credential Phishing via Docusign abuse
Living Off the Land: Callback Phishing via Docusign comment
Adversarial ML: Extortion via LLM Manipulation Tactics
QR Code Phishing: Decoding Hidden Threats
Attack Types (5):
Tactics & Techniques (11):
Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Xero Infrastructure Abuse | 6h ago May 23rd, 2025 | Sublime Security | /feeds/core/detection-rules/xero-infrastructure-abuse-918c4bd3 | |
Link: Direct link to Zoom Docs from Non-Zoom Sender | 1d ago May 22nd, 2025 | Sublime Security | /feeds/core/detection-rules/link-direct-link-to-zoom-docs-from-non-zoom-sender-5c6362db | |
Reconnaissance: All recipients cc/bcc'd or undisclosed | 1d ago May 22nd, 2025 | Sublime Security | /feeds/core/detection-rules/reconnaissance-all-recipients-ccbccd-or-undisclosed-420f60d3 | |
Reconnaissance: Large unknown recipient list | 1d ago May 22nd, 2025 | Sublime Security | /feeds/core/detection-rules/reconnaissance-large-unknown-recipient-list-24783a28 | |
Brand impersonation: DocuSign | 2d ago May 21st, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-docusign-4d29235c | |
Callback phishing via Intuit service abuse | 2d ago May 21st, 2025 | Sublime Security | /feeds/core/detection-rules/callback-phishing-via-intuit-service-abuse-f2fe1294 | |
Corporate Services Impersonation Phishing | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/corporate-services-impersonation-phishing-3cd04f33 | |
EML attachment with credential theft language (unknown sender) | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/eml-attachment-with-credential-theft-language-unknown-sender-00e06af1 | |
ClickFunnels link infrastructure abuse | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/clickfunnels-link-infrastructure-abuse-9192fbe9 | |
Link: Multistage Landing - Ludus Presentation | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-ludus-presentation-a8b3c311 | |
Brand Impersonation: Meta and Subsidiaries | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-meta-and-subsidiaries-e38f1e3b | |
Brand impersonation: Amazon with suspicious attachment | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-amazon-with-suspicious-attachment-5751dcb9 | |
Salesforce Infrastructure Abuse | 14d ago May 9th, 2025 | Sublime Security | /feeds/core/detection-rules/salesforce-infrastructure-abuse-78a77c70 | |
Link: Display Text Matches Subject Line | 14d ago May 9th, 2025 | Sublime Security | /feeds/core/detection-rules/link-display-text-matches-subject-line-ba722cf0 | |
Brand impersonation: Microsoft with low reputation links | 16d ago May 7th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6 | |
Credential phishing: Engaging language and other indicators (untrusted sender) | 16d ago May 7th, 2025 | Sublime Security | /feeds/core/detection-rules/credential-phishing-engaging-language-and-other-indicators-untrusted-sender-c2bc8ca2 | |
Brand Impersonation: Microsoft Teams Invitation | 18d ago May 5th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-microsoft-teams-invitation-46410ad8 | |
HR Impersonation via E-sign Agreement Comment | 18d ago May 5th, 2025 | Sublime Security | /feeds/core/detection-rules/hr-impersonation-via-e-sign-agreement-comment-796c6f0f | |
Brand Impersonation: Mailchimp | 18d ago May 5th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-mailchimp-48b454c7 | |
Service Abuse: Adobe Sign Notification From an Unsolicited Reply-To Address | 23d ago Apr 30th, 2025 | Sublime Security | /feeds/core/detection-rules/service-abuse-adobe-sign-notification-from-an-unsolicited-reply-to-address-d00893ba |