Attack Types
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Reconnaissance
Spam
Tactics and Techniques
Encryption
Evasion
Exploit
Free email provider
Free file host
Free subdomain host
HTML smuggling
Image as content
Impersonation: Brand
Impersonation: Employee
Impersonation: VIP
IPFS
ISO
LNK
Lookalike domain
Macros
OneNote
Open redirect
Out of band pivot
PDF
Punycode
QR code
Scripting
Social engineering
Spoofing
Detection Methods
Archive analysis
Content analysis
Computer Vision
Exif analysis
File analysis
Header analysis
HTML analysis
Javascript analysis
Macro analysis
Natural Language Understanding
Optical Character Recognition
OLE analysis
PDF analysis
QR code analysis
Sender analysis
Threat intelligence
URL analysis
URL screenshot
Whois
XML analysis
YARA
Detection Method: Whois
Whois analysis retrieves and examines domain registration information from global Whois databases to spot suspicious or recently created domains that could indicate phishing attempts. This method helps you understand key domain details like the age, ownership, and registration patterns, which can be red flags for malicious activity.
Whois analysis can detect:
- Newly registered domains that might have been set up just for phishing campaigns
- Domains with suspicious registration patterns or incomplete Whois records
- Mismatched registration details that don’t align with the claimed organization
- Domains registered via privacy services to conceal true ownership
- Domains with upcoming expiration dates, which could indicate temporary use
For example, established organizations often use domains that have been registered for long periods. So, if you get an email from a financial institution using a domain that was registered only a few days ago, that’s a huge red flag.
Tactics & Techniques (13):
Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Fraudulent order confirmation/shipping notification from Chinese sender domain | 30d ago Dec 3rd, 2025 | Sublime Security | /feeds/core/detection-rules/fraudulent-order-confirmationshipping-notification-from-chinese-sender-domain-4392a14e | |
Attachment: Legal themed message or PDF with suspicious indicators | 1mo ago Dec 1st, 2025 | Sublime Security | /feeds/core/detection-rules/attachment-legal-themed-message-or-pdf-with-suspicious-indicators-19133301 | |
Link: Cryptocurrency fraud with suspicious links | 1mo ago Dec 1st, 2025 | Sublime Security | /feeds/core/detection-rules/link-cryptocurrency-fraud-with-suspicious-links-d0da37ce | |
Service abuse: Random Google Firebase sender address with suspicious content | 1mo ago Nov 26th, 2025 | Sublime Security | /feeds/core/detection-rules/service-abuse-random-google-firebase-sender-address-with-suspicious-content-9f8899a9 | |
Service abuse: Google Drive share from new reply-to domain | 1mo ago Nov 13th, 2025 | Sublime Security | /feeds/core/detection-rules/service-abuse-google-drive-share-from-new-reply-to-domain-c1a2d367 | |
Spam: Fake photo share | 1mo ago Nov 8th, 2025 | Sublime Security | /feeds/core/detection-rules/spam-fake-photo-share-eb086f7d | |
Brand impersonation: SharePoint PDF attachment with credential theft language | 1mo ago Nov 7th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-sharepoint-pdf-attachment-with-credential-theft-language-ae3756fa | |
Vendor impersonation: Thread hijacking with typosquat domain | 1mo ago Nov 4th, 2025 | Sublime Security | /feeds/core/detection-rules/vendor-impersonation-thread-hijacking-with-typosquat-domain-9c2f38ed | |
Spam/fraud: Predatory journal/research paper request | 1mo ago Nov 3rd, 2025 | Sublime Security | /feeds/core/detection-rules/spamfraud-predatory-journalresearch-paper-request-263ca56b | |
Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old | 2mo ago Oct 17th, 2025 | Sublime Security | /feeds/core/detection-rules/callback-phishing-branded-invoice-from-senderreply-to-domain-less-than-30-days-old-e6f4af53 | |
Service abuse: AppSheet infrastructure with suspicious indicators | 2mo ago Oct 6th, 2025 | Sublime Security | /feeds/core/detection-rules/service-abuse-appsheet-infrastructure-with-suspicious-indicators-5937646a | |
Brand impersonation: Stripe notification | 3mo ago Sep 26th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-stripe-notification-3ffd2b03 | |
Attachment: Calendar invite from recently registered domain | 3mo ago Sep 25th, 2025 | Sublime Security | /feeds/core/detection-rules/attachment-calendar-invite-from-recently-registered-domain-d801521c | |
Link: Romance/Sexual Language With Suspicious Link | 4mo ago Aug 22nd, 2025 | Sublime Security | /feeds/core/detection-rules/link-romancesexual-language-with-suspicious-link-d5694cae | |
Generic service abuse from newly registered domain | 5mo ago Aug 5th, 2025 | Sublime Security | /feeds/core/detection-rules/generic-service-abuse-from-newly-registered-domain-0937b4c5 | |
Attachment: DocuSign impersonation via PDF linking to new domain | 5mo ago Aug 5th, 2025 | Sublime Security | /feeds/core/detection-rules/attachment-docusign-impersonation-via-pdf-linking-to-new-domain-f0c96282 | |
Link: Multistage landing - Abused Google Drive | 5mo ago Aug 5th, 2025 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-abused-google-drive-c86288b4 | |
Link: Multistage landing - Abused Docusign | 5mo ago Aug 5th, 2025 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-abused-docusign-4189a645 | |
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns | 5mo ago Aug 5th, 2025 | Sublime Security | /feeds/core/detection-rules/becfraud-urgent-language-and-suspicious-sendinginfrastructure-patterns-ba8a79e0 | |
Link: Google Firebase dynamic link that redirects to new domain (<7 days old) | 5mo ago Aug 5th, 2025 | @ajpc500 | /feeds/core/detection-rules/link-google-firebase-dynamic-link-that-redirects-to-new-domain-less7-days-old-5a204a37 |
Page 1 of 2