Detection Method: Natural Language Understanding

Natural Language Understanding (NLU) uses machine learning algorithms to analyze and interpret message content, helping systems detect subtle signs of malicious intent. Instead of just matching keywords, NLU looks at the context, tone, urgency, and intent behind the message.
NLU can help you detect:
  • Urgent language commonly used in BEC attacks impersonating executives or departments
  • Credential theft attempts disguised as legitimate service notifications
  • Extortion or blackmail tactics used in intimidation campaigns
  • Financial terms typically found in payment fraud or invoice scams
  • Deceptive job offers designed to steal sensitive information
For example, NLU can identify when an email uses urgent language ("immediate attention required") combined with financial requests ("wire transfer") and impersonation, which are common tactics in BEC attacks.
Blog Posts
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Callback phishing via invoice abuse and distribution list relays · Blog · Sublime Security
Callback phishing via invoice abuse and distribution list relays · Blog · Sublime Security
B2B freight-forwarding scams on the rise to evade financial fraud crackdowns · Blog · Sublime Security
B2B freight-forwarding scams on the rise to evade financial fraud crackdowns · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Adversarial ML: Extortion via LLM Manipulation Tactics · Blog · Sublime Security
Adversarial ML: Extortion via LLM Manipulation Tactics · Blog · Sublime Security
Combating GenAI Email Attacks with BERT LLM · Blog · Sublime Security
Combating GenAI Email Attacks with BERT LLM · Blog · Sublime Security
Payroll Fraud via LLM-Generated Emails · Blog · Sublime Security
Payroll Fraud via LLM-Generated Emails · Blog · Sublime Security
Fake invoice used to conduct $16,800 BEC attempt · Blog · Sublime Security
Fake invoice used to conduct $16,800 BEC attempt · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Call Me Maybe? The Rise of Callback Phishing Emails · Blog · Sublime Security
Call Me Maybe? The Rise of Callback Phishing Emails · Blog · Sublime Security
Attack Types (6):
Callback Phishing
BEC/Fraud
Credential Phishing
Spam
Malware/Ransomware
Extortion
Tactics & Techniques (20):
Out of band pivot
Social engineering
Impersonation: Employee
Evasion
Free email provider
Impersonation: Brand
Lookalike domain
Spoofing
QR code
Image as content
PDF
Macros
Free file host
Impersonation: VIP
Free subdomain host
Open redirect
Encryption
Scripting
IPFS
HTML smuggling
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Service abuse: GetAccept callback scam content
5h ago
Jan 16th, 2026
Sublime Security
Callback Phishing
Out of band pivot
Social engineering
Content analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/service-abuse-getaccept-callback-scam-content-7ec2f70b
BEC: Employee impersonation with subject manipulation
6h ago
Jan 16th, 2026
Sublime Security
BEC/Fraud
Impersonation: Employee
Social engineering
Content analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/bec-employee-impersonation-with-subject-manipulation-9adfc77b
Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
1d ago
Jan 15th, 2026
Sublime Security
BEC/Fraud
Evasion
Free email provider
Content analysis
Natural Language Understanding
URL analysis
/feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-suspicious-sender-or-recipient-pattern-2ac0d329
Brand impersonation: SendGrid
4d ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Spam
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
/feeds/core/detection-rules/brand-impersonation-sendgrid-d800124f
Vendor impersonation: Thread hijacking with typosquat domain
4d ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Lookalike domain
Social engineering
Spoofing
Content analysis
Natural Language Understanding
Sender analysis
Whois
/feeds/core/detection-rules/vendor-impersonation-thread-hijacking-with-typosquat-domain-9c2f38ed
Attachment: QR code link with base64-encoded recipient address
4d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
QR code
Image as content
Social engineering
Evasion
PDF
Macros
Computer Vision
File analysis
Natural Language Understanding
QR code analysis
Sender analysis
/feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a
Credential phishing: Image as content, short or no body contents
4d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
Evasion
Image as content
Computer Vision
Content analysis
File analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
/feeds/core/detection-rules/credential-phishing-image-as-content-short-or-no-body-contents-01313f38
Service abuse: FlipHTML5 with attachment deception and credential theft language
4d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
Social engineering
Free file host
Evasion
Content analysis
Natural Language Understanding
URL analysis
/feeds/core/detection-rules/service-abuse-fliphtml5-with-attachment-deception-and-credential-theft-language-02464799
Attachment: HTML smuggling - QR Code with suspicious links
4d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
QR code
Computer Vision
Header analysis
Natural Language Understanding
QR code analysis
Sender analysis
URL analysis
URL screenshot
/feeds/core/detection-rules/attachment-html-smuggling-qr-code-with-suspicious-links-010e757d
Business Email Compromise (BEC) attempt from untrusted sender
4d ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/business-email-compromise-bec-attempt-from-untrusted-sender-96d4c35a
Attachment: Fake secure message and suspicious indicators
4d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
Image as content
Impersonation: Brand
Social engineering
Content analysis
File analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/attachment-fake-secure-message-and-suspicious-indicators-20a34d94
Attachment: Office file contains OLE relationship to credential phishing page
4d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
Evasion
Social engineering
File analysis
HTML analysis
Natural Language Understanding
OLE analysis
URL analysis
/feeds/core/detection-rules/attachment-office-file-contains-ole-relationship-to-credential-phishing-page-d55793d0
Attachment: PDF with suspicious language and redirect to suspicious file type
4d ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Credential Phishing
Evasion
PDF
File analysis
Natural Language Understanding
Optical Character Recognition
URL analysis
/feeds/core/detection-rules/attachment-pdf-with-suspicious-language-and-redirect-to-suspicious-file-type-adda3c3f
Attachment: PDF file with low reputation link to ZIP file (unsolicited)
4d ago
Jan 12th, 2026
Michael Tingle
Malware/Ransomware
Evasion
PDF
Archive analysis
File analysis
Natural Language Understanding
Sender analysis
URL analysis
/feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-link-to-zip-file-unsolicited-d1ee2859
Suspicious attachment with unscannable Cloudflare link
4d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
Evasion
PDF
Social engineering
Impersonation: Employee
Impersonation: VIP
File analysis
URL analysis
Sender analysis
Content analysis
Header analysis
Natural Language Understanding
/feeds/core/detection-rules/suspicious-attachment-with-unscannable-cloudflare-link-00f92b6f
BEC/Fraud: Generic scam attempt to undisclosed recipients
4d ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/becfraud-generic-scam-attempt-to-undisclosed-recipients-5dac401f
COVID-19 themed fraud with sender and reply-to mismatch or compensation award
4d ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Free email provider
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/covid-19-themed-fraud-with-sender-and-reply-to-mismatch-or-compensation-award-a16480ef
Honorific greeting BEC attempt with sender and reply-to mismatch
4d ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Free email provider
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/honorific-greeting-bec-attempt-with-sender-and-reply-to-mismatch-aa41b1b7
Brand impersonation: UK government Home Office
4d ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Impersonation: Brand
Social engineering
Lookalike domain
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-uk-government-home-office-f35d846a
Callback phishing via Yammer comment
4d ago
Jan 12th, 2026
Sublime Security
Callback Phishing
Impersonation: Brand
Out of band pivot
Social engineering
Content analysis
Natural Language Understanding
Header analysis
/feeds/core/detection-rules/callback-phishing-via-yammer-comment-66650e2b
Page 1 of 10