Detection Method: Sender analysis

Sender analysis helps you assess whether an email is coming from a legitimate sender. By combining machine learning and rules-based logic, this method evaluates sender profiles, looking at things like authentication results, past behavior, and patterns from previous messages.
Sender analysis can help you detect:
  • Impersonation attempts using fake email addresses or domains
  • Suspicious senders with authentication issues (e.g., SPF, DKIM, DMARC failures)
  • Unusual behavior based on historical patterns, like frequent urgent requests
  • Senders linked to known phishing or malware campaigns
  • Changes in sender behavior that could indicate a compromised account
For example, an attacker might try to impersonate a trusted vendor or executive. The email address or domain might look real, but sender analysis can catch issues like failed authentication checks or past suspicious activity, helping you spot these threats before they do damage.
Blog Posts
Credential phishing Charles Schwab account holders with 2FA bypass · Blog · Sublime Security
Credential phishing Charles Schwab account holders with 2FA bypass · Blog · Sublime Security
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Callback phishing via invoice abuse and distribution list relays · Blog · Sublime Security
Callback phishing via invoice abuse and distribution list relays · Blog · Sublime Security
B2B freight-forwarding scams on the rise to evade financial fraud crackdowns · Blog · Sublime Security
B2B freight-forwarding scams on the rise to evade financial fraud crackdowns · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Hidden credential phishing within EML attachments · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Living Off the Land: Callback Phishing via Docusign comment · Blog · Sublime Security
Adversarial ML: Extortion via LLM Manipulation Tactics · Blog · Sublime Security
Adversarial ML: Extortion via LLM Manipulation Tactics · Blog · Sublime Security
Attack Types (7):
Credential Phishing
Malware/Ransomware
Callback Phishing
BEC/Fraud
Spam
Reconnaissance
Extortion
Tactics & Techniques (24):
PDF
Social engineering
Evasion
Impersonation: Brand
Open redirect
Out of band pivot
Spoofing
Impersonation: Employee
Free email provider
Image as content
Free file host
Free subdomain host
Lookalike domain
Impersonation: VIP
Scripting
QR code
Encryption
IPFS
HTML smuggling
Exploit
LNK
OneNote
Macros
Punycode
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Attachment: Self-sender PDF with minimal content and view prompt
5h ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
PDF
Social engineering
Evasion
Content analysis
File analysis
Sender analysis
/feeds/core/detection-rules/attachment-self-sender-pdf-with-minimal-content-and-view-prompt-07670a8c
Brand impersonation: TikTok
6h ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Computer Vision
Content analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
/feeds/core/detection-rules/brand-impersonation-tiktok-aaacc8b7
Open redirect: embluemail.com
6h ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Open redirect
Sender analysis
URL analysis
/feeds/core/detection-rules/open-redirect-embluemailcom-48c5abd3
Brand impersonation: Dropbox
6h ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
File analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-dropbox-61f11d12
Link: PDF filename impersonation with credential theft language
6h ago
Feb 12th, 2026
Sublime Security
Credential Phishing
Social engineering
Evasion
PDF
Content analysis
Natural Language Understanding
Header analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/link-pdf-filename-impersonation-with-credential-theft-language-05931513
Callback Phishing via Zoom comment
1d ago
Feb 11th, 2026
Sublime Security
Callback Phishing
Out of band pivot
Social engineering
Impersonation: Brand
Computer Vision
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/callback-phishing-via-zoom-comment-8ec30881
PayPal invoice abuse
1d ago
Feb 11th, 2026
Sublime Security
BEC/Fraud
Callback Phishing
Evasion
Social engineering
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/paypal-invoice-abuse-0ff7a0d4
Brand impersonation: Navan
3d ago
Feb 9th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Spoofing
Sender analysis
Natural Language Understanding
URL analysis
Content analysis
/feeds/core/detection-rules/brand-impersonation-navan-3573e9a8
Reconnaissance: Empty subject with mismatched reply-to from new sender
6d ago
Feb 6th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Evasion
Social engineering
Spoofing
Header analysis
Sender analysis
/feeds/core/detection-rules/reconnaissance-empty-subject-with-mismatched-reply-to-from-new-sender-12f4bd45
Brand Impersonation: Disney
6d ago
Feb 6th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
Computer Vision
Natural Language Understanding
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-disney-bf90b8fb
New link domain (<=10d) from untrusted sender
6d ago
Feb 6th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Sender analysis
URL analysis
Whois
/feeds/core/detection-rules/new-link-domain-less10d-from-untrusted-sender-4805b0e6
Service abuse: Apple TestFlight with suspicious developer reference
6d ago
Feb 6th, 2026
Sublime Security
Spam
Social engineering
Content analysis
HTML analysis
Natural Language Understanding
Sender analysis
URL analysis
/feeds/core/detection-rules/service-abuse-apple-testflight-with-suspicious-developer-reference-e7ea0ee0
Canva infrastructure abuse
6d ago
Feb 6th, 2026
Sublime Security
BEC/Fraud
Callback Phishing
Social engineering
Impersonation: Brand
Impersonation: Employee
Free email provider
Natural Language Understanding
Sender analysis
Content analysis
/feeds/core/detection-rules/canva-infrastructure-abuse-b69fdb5c
Brand impersonation: Microsoft Planner with suspicious link
6d ago
Feb 6th, 2026
Sublime Security
Credential Phishing
Evasion
Image as content
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-microsoft-planner-with-suspicious-link-ea363c08
Brand impersonation: Fake Fax
7d ago
Feb 5th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Image as content
Free file host
Free subdomain host
Social engineering
Computer Vision
Content analysis
Optical Character Recognition
Sender analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a
Credential phishing: Generic document sharing
7d ago
Feb 5th, 2026
Sublime Security
Credential Phishing
BEC/Fraud
Social engineering
Evasion
Impersonation: Employee
Content analysis
Natural Language Understanding
URL analysis
Sender analysis
/feeds/core/detection-rules/credential-phishing-generic-document-sharing-9f0e1d2c
Reconnaissance: All recipients cc/bcc'd or undisclosed
7d ago
Feb 5th, 2026
Sublime Security
Reconnaissance
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/reconnaissance-all-recipients-ccbccd-or-undisclosed-420f60d3
Brand impersonation: DocuSign
7d ago
Feb 5th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Lookalike domain
Social engineering
Spoofing
Header analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/brand-impersonation-docusign-4d29235c
Brand impersonation: Zoom via lookalike domain
7d ago
Feb 5th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Free email provider
Social engineering
URL analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-zoom-via-lookalike-domain-b9d5e4b5
Brand impersonation: Meta and subsidiaries
7d ago
Feb 5th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Lookalike domain
Social engineering
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-meta-and-subsidiaries-e38f1e3b
Page 1 of 25