Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Vendor impersonation: Thread hijacking with typosquat domain | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/vendor-impersonation-thread-hijacking-with-typosquat-domain-9c2f38ed | |
Fraudulent order confirmation/shipping notification from Chinese sender domain | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/fraudulent-order-confirmationshipping-notification-from-chinese-sender-domain-4392a14e | |
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/becfraud-urgent-language-and-suspicious-sendinginfrastructure-patterns-ba8a79e0 | |
Attachment: DocuSign impersonation via PDF linking to new domain | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-docusign-impersonation-via-pdf-linking-to-new-domain-f0c96282 | |
Suspicious newly registered reply-to domain with engaging financial or urgent language | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/suspicious-newly-registered-reply-to-domain-with-engaging-financial-or-urgent-language-db4d9bb3 | |
Brand impersonation: Microsoft fake sign-in alert | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-microsoft-fake-sign-in-alert-3f4c9e7a | |
Brand impersonation: Silicon Valley Bank | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-silicon-valley-bank-a01f61d9 | |
Link: Google Firebase dynamic link that redirects to new domain (<7 days old) | 11d ago Jan 12th, 2026 | @ajpc500 | /feeds/core/detection-rules/link-google-firebase-dynamic-link-that-redirects-to-new-domain-less7-days-old-5a204a37 | |
Suspected lookalike domain with suspicious language | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/suspected-lookalike-domain-with-suspicious-language-3674ced0 | |
VIP impersonation: Fake thread with display name match, email mismatch | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/vip-impersonation-fake-thread-with-display-name-match-email-mismatch-11cc3e28 | |
Service abuse: Random Google Firebase sender address with suspicious content | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/service-abuse-random-google-firebase-sender-address-with-suspicious-content-9f8899a9 | |
Attachment: Legal themed message or PDF with suspicious indicators | 11d ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-legal-themed-message-or-pdf-with-suspicious-indicators-19133301 | |
Link: Cryptocurrency fraud with suspicious links | 1mo ago Dec 1st, 2025 | Sublime Security | /feeds/core/detection-rules/link-cryptocurrency-fraud-with-suspicious-links-d0da37ce | |
Service abuse: Google Drive share from new reply-to domain | 2mo ago Nov 13th, 2025 | Sublime Security | /feeds/core/detection-rules/service-abuse-google-drive-share-from-new-reply-to-domain-c1a2d367 | |
Spam: Fake photo share | 2mo ago Nov 8th, 2025 | Sublime Security | /feeds/core/detection-rules/spam-fake-photo-share-eb086f7d | |
Brand impersonation: SharePoint PDF attachment with credential theft language | 2mo ago Nov 7th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-sharepoint-pdf-attachment-with-credential-theft-language-ae3756fa | |
Spam/fraud: Predatory journal/research paper request | 2mo ago Nov 3rd, 2025 | Sublime Security | /feeds/core/detection-rules/spamfraud-predatory-journalresearch-paper-request-263ca56b | |
Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old | 3mo ago Oct 17th, 2025 | Sublime Security | /feeds/core/detection-rules/callback-phishing-branded-invoice-from-senderreply-to-domain-less-than-30-days-old-e6f4af53 | |
Service abuse: AppSheet infrastructure with suspicious indicators | 3mo ago Oct 6th, 2025 | Sublime Security | /feeds/core/detection-rules/service-abuse-appsheet-infrastructure-with-suspicious-indicators-5937646a | |
Brand impersonation: Stripe notification | 3mo ago Sep 26th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-stripe-notification-3ffd2b03 | |