- Natural Language Understanding
Detection Method: Natural Language Understanding
Natural Language Understanding (NLU) uses machine learning algorithms to analyze and interpret message content, helping systems detect subtle signs of malicious intent. Instead of just matching keywords, NLU looks at the context, tone, urgency, and intent behind the message.
NLU can help you detect:
- Urgent language commonly used in BEC attacks impersonating executives or departments
- Credential theft attempts disguised as legitimate service notifications
- Extortion or blackmail tactics used in intimidation campaigns
- Financial terms typically found in payment fraud or invoice scams
- Deceptive job offers designed to steal sensitive information
For example, NLU can identify when an email uses urgent language ("immediate attention required") combined with financial requests ("wire transfer") and impersonation, which are common tactics in BEC attacks.
Blog Posts
Hiding a $50,000 BEC financial fraud in a fake email thread
Callback phishing via invoice abuse and distribution list relays
B2B freight-forwarding scams on the rise to evade financial fraud crackdowns
Hidden credential phishing within EML attachments
Adversarial ML: Extortion via LLM Manipulation Tactics
Combating GenAI Email Attacks with BERT LLM
Payroll Fraud via LLM-Generated Emails
Fake invoice used to conduct $16,800 BEC attempt
QR Code Phishing: Decoding Hidden Threats
Call Me Maybe? The Rise of Callback Phishing Emails
Attack Types (3):
Tactics & Techniques (10):
Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Xero Infrastructure Abuse | 4h ago May 23rd, 2025 | Sublime Security | /feeds/core/detection-rules/xero-infrastructure-abuse-918c4bd3 | |
Corporate Services Impersonation Phishing | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/corporate-services-impersonation-phishing-3cd04f33 | |
Canva Design With Suspicious Embedded Link | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/canva-design-with-suspicious-embedded-link-02959e22 | |
Link: Multistage Landing - Scribd Document | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-scribd-document-afa9807d | |
EML attachment with credential theft language (unknown sender) | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/eml-attachment-with-credential-theft-language-unknown-sender-00e06af1 | |
Brand Impersonation: Zoom | 8d ago May 15th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-zoom-5abad540 | |
Vendor Compromise: GovDelivery Message With Suspicious Link | 8d ago May 15th, 2025 | Sublime Security | /feeds/core/detection-rules/vendor-compromise-govdelivery-message-with-suspicious-link-0d2d5172 | |
Link: Multistage Landing - Ludus Presentation | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-ludus-presentation-a8b3c311 | |
Link: Multistage Landing - Published Google Doc | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-published-google-doc-031e1ff8 | |
Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-suspicious-sender-or-recipient-pattern-2ac0d329 | |
Fake email quarantine notification | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/fake-email-quarantine-notification-73f26a3d | |
Brand impersonation: Amazon with suspicious attachment | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-amazon-with-suspicious-attachment-5751dcb9 | |
Salesforce Infrastructure Abuse | 14d ago May 9th, 2025 | Sublime Security | /feeds/core/detection-rules/salesforce-infrastructure-abuse-78a77c70 | |
Link: Display Text Matches Subject Line | 14d ago May 9th, 2025 | Sublime Security | /feeds/core/detection-rules/link-display-text-matches-subject-line-ba722cf0 | |
Link: Figma Design Deck With Credential Phishing Language | 16d ago May 7th, 2025 | Sublime Security | /feeds/core/detection-rules/link-figma-design-deck-with-credential-phishing-language-87601924 | |
Brand impersonation: Microsoft with embedded logo and credential theft language | 16d ago May 7th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-microsoft-with-embedded-logo-and-credential-theft-language-3ee9ef3d | |
Brand impersonation: Microsoft with low reputation links | 16d ago May 7th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6 | |
Credential phishing: Engaging language and other indicators (untrusted sender) | 16d ago May 7th, 2025 | Sublime Security | /feeds/core/detection-rules/credential-phishing-engaging-language-and-other-indicators-untrusted-sender-c2bc8ca2 | |
HR Impersonation via E-sign Agreement Comment | 18d ago May 5th, 2025 | Sublime Security | /feeds/core/detection-rules/hr-impersonation-via-e-sign-agreement-comment-796c6f0f | |
Brand Impersonation: Mailchimp | 18d ago May 5th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-mailchimp-48b454c7 |