- Sender analysis
Detection Method: Sender analysis
Sender analysis helps you assess whether an email is coming from a legitimate sender. By combining machine learning and rules-based logic, this method evaluates sender profiles, looking at things like authentication results, past behavior, and patterns from previous messages.
Sender analysis can help you detect:
- Impersonation attempts using fake email addresses or domains
- Suspicious senders with authentication issues (e.g., SPF, DKIM, DMARC failures)
- Unusual behavior based on historical patterns, like frequent urgent requests
- Senders linked to known phishing or malware campaigns
- Changes in sender behavior that could indicate a compromised account
For example, an attacker might try to impersonate a trusted vendor or executive. The email address or domain might look real, but sender analysis can catch issues like failed authentication checks or past suspicious activity, helping you spot these threats before they do damage.
Blog Posts
Credential phishing Charles Schwab account holders with 2FA bypass
Hiding a $50,000 BEC financial fraud in a fake email thread
Callback phishing via invoice abuse and distribution list relays
B2B freight-forwarding scams on the rise to evade financial fraud crackdowns
Detecting malicious AnonymousFox email messages sent from compromised sites
Talking phish over turkey
Hidden credential phishing within EML attachments
Living Off the Land: Credential Phishing via Docusign abuse
Living Off the Land: Callback Phishing via Docusign comment
Adversarial ML: Extortion via LLM Manipulation Tactics
Attack Types (3):
Tactics & Techniques (10):
Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Reconnaissance: Large unknown recipient list | 1d ago May 22nd, 2025 | Sublime Security | /feeds/core/detection-rules/reconnaissance-large-unknown-recipient-list-24783a28 | |
Reconnaissance: All recipients cc/bcc'd or undisclosed | 1d ago May 22nd, 2025 | Sublime Security | /feeds/core/detection-rules/reconnaissance-all-recipients-ccbccd-or-undisclosed-420f60d3 | |
Link: Direct link to Zoom Docs from Non-Zoom Sender | 1d ago May 22nd, 2025 | Sublime Security | /feeds/core/detection-rules/link-direct-link-to-zoom-docs-from-non-zoom-sender-5c6362db | |
Brand impersonation: DocuSign | 2d ago May 21st, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-docusign-4d29235c | |
Canva Design With Suspicious Embedded Link | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/canva-design-with-suspicious-embedded-link-02959e22 | |
Corporate Services Impersonation Phishing | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/corporate-services-impersonation-phishing-3cd04f33 | |
Attachment: Adobe image lure in body or attachment with suspicious link | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/attachment-adobe-image-lure-in-body-or-attachment-with-suspicious-link-1d7add81 | |
EML attachment with credential theft language (unknown sender) | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/eml-attachment-with-credential-theft-language-unknown-sender-00e06af1 | |
ClickFunnels link infrastructure abuse | 7d ago May 16th, 2025 | Sublime Security | /feeds/core/detection-rules/clickfunnels-link-infrastructure-abuse-9192fbe9 | |
Brand impersonation: Microsoft | 8d ago May 15th, 2025 | @amitchell516 | /feeds/core/detection-rules/brand-impersonation-microsoft-6e2f04e6 | |
Link: Multistage Landing - Ludus Presentation | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-ludus-presentation-a8b3c311 | |
Link: Scribd Fullscreen Link From Suspicious Sender | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/link-scribd-fullscreen-link-from-suspicious-sender-9e9bc972 | |
Brand Impersonation: Meta and Subsidiaries | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-meta-and-subsidiaries-e38f1e3b | |
Fake email quarantine notification | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/fake-email-quarantine-notification-73f26a3d | |
Spam: Attendee List solicitation | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/spam-attendee-list-solicitation-69715b62 | |
Brand impersonation: Amazon with suspicious attachment | 9d ago May 14th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-amazon-with-suspicious-attachment-5751dcb9 | |
Link: Figma Design Deck With Credential Phishing Language | 16d ago May 7th, 2025 | Sublime Security | /feeds/core/detection-rules/link-figma-design-deck-with-credential-phishing-language-87601924 | |
Brand impersonation: Microsoft with embedded logo and credential theft language | 16d ago May 7th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-microsoft-with-embedded-logo-and-credential-theft-language-3ee9ef3d | |
Credential phishing content and link (untrusted sender) | 16d ago May 7th, 2025 | Sublime Security | /feeds/core/detection-rules/credential-phishing-content-and-link-untrusted-sender-f0c95bb7 | |
Brand impersonation: Microsoft with low reputation links | 16d ago May 7th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6 |