Attack Types
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Reconnaissance
Spam
Tactics and Techniques
Encryption
Evasion
Exploit
Free email provider
Free file host
Free subdomain host
HTML smuggling
Image as content
Impersonation: Brand
Impersonation: Employee
Impersonation: VIP
IPFS
ISO
LNK
Lookalike domain
Macros
OneNote
Open redirect
Out of band pivot
PDF
Punycode
QR code
Scripting
Social engineering
Spoofing
Detection Methods
Archive analysis
Content analysis
Computer Vision
Exif analysis
File analysis
Header analysis
HTML analysis
Javascript analysis
Macro analysis
Natural Language Understanding
Optical Character Recognition
OLE analysis
PDF analysis
QR code analysis
Sender analysis
Threat intelligence
URL analysis
URL screenshot
Whois
XML analysis
YARA
Detection Method: Whois
Whois analysis retrieves and examines domain registration information from global Whois databases to spot suspicious or recently created domains that could indicate phishing attempts. This method helps you understand key domain details like the age, ownership, and registration patterns, which can be red flags for malicious activity.
Whois analysis can detect:
- Newly registered domains that might have been set up just for phishing campaigns
- Domains with suspicious registration patterns or incomplete Whois records
- Mismatched registration details that don’t align with the claimed organization
- Domains registered via privacy services to conceal true ownership
- Domains with upcoming expiration dates, which could indicate temporary use
For example, established organizations often use domains that have been registered for long periods. So, if you get an email from a financial institution using a domain that was registered only a few days ago, that’s a huge red flag.
Attack Types (5):
Tactics & Techniques (12):
Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Spam: Fake photo share | 4d ago Nov 8th, 2025 | Sublime Security | /feeds/core/detection-rules/spam-fake-photo-share-eb086f7d | |
Brand impersonation: SharePoint PDF attachment with credential theft language | 5d ago Nov 7th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-sharepoint-pdf-attachment-with-credential-theft-language-ae3756fa | |
Vendor impersonation: Thread hijacking with typosquat domain | 8d ago Nov 4th, 2025 | Sublime Security | /feeds/core/detection-rules/vendor-impersonation-thread-hijacking-with-typosquat-domain-9c2f38ed | |
Spam/fraud: Predatory journal/research paper request | 9d ago Nov 3rd, 2025 | Sublime Security | /feeds/core/detection-rules/spamfraud-predatory-journalresearch-paper-request-263ca56b | |
Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old | 26d ago Oct 17th, 2025 | Sublime Security | /feeds/core/detection-rules/callback-phishing-branded-invoice-from-senderreply-to-domain-less-than-30-days-old-e6f4af53 | |
Service abuse: AppSheet infrastructure with suspicious indicators | 1mo ago Oct 6th, 2025 | Sublime Security | /feeds/core/detection-rules/service-abuse-appsheet-infrastructure-with-suspicious-indicators-5937646a | |
Brand impersonation: Stripe notification | 1mo ago Sep 26th, 2025 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-stripe-notification-3ffd2b03 | |
Attachment: Calendar invite from recently registered domain | 1mo ago Sep 25th, 2025 | Sublime Security | /feeds/core/detection-rules/attachment-calendar-invite-from-recently-registered-domain-d801521c | |
Link: Romance/Sexual Language With Suspicious Link | 2mo ago Aug 22nd, 2025 | Sublime Security | /feeds/core/detection-rules/link-romancesexual-language-with-suspicious-link-d5694cae | |
Link: Google Firebase dynamic link that redirects to new domain (<7 days old) | 3mo ago Aug 5th, 2025 | @ajpc500 | /feeds/core/detection-rules/link-google-firebase-dynamic-link-that-redirects-to-new-domain-less7-days-old-5a204a37 | |
Link: Multistage landing - Abused Google Drive | 3mo ago Aug 5th, 2025 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-abused-google-drive-c86288b4 | |
Link: Multistage landing - Abused Docusign | 3mo ago Aug 5th, 2025 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-abused-docusign-4189a645 | |
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns | 3mo ago Aug 5th, 2025 | Sublime Security | /feeds/core/detection-rules/becfraud-urgent-language-and-suspicious-sendinginfrastructure-patterns-ba8a79e0 | |
Generic service abuse from newly registered domain | 3mo ago Aug 5th, 2025 | Sublime Security | /feeds/core/detection-rules/generic-service-abuse-from-newly-registered-domain-0937b4c5 | |
Suspected lookalike domain with suspicious language | 3mo ago Aug 5th, 2025 | Sublime Security | /feeds/core/detection-rules/suspected-lookalike-domain-with-suspicious-language-3674ced0 | |
Service abuse: Google Drive share from new reply-to domain | 3mo ago Aug 5th, 2025 | Sublime Security | /feeds/core/detection-rules/service-abuse-google-drive-share-from-new-reply-to-domain-c1a2d367 | |
Attachment: DocuSign impersonation via PDF linking to new domain | 3mo ago Aug 5th, 2025 | Sublime Security | /feeds/core/detection-rules/attachment-docusign-impersonation-via-pdf-linking-to-new-domain-f0c96282 | |
Newly registered sender or reply-to domain with newly registered linked domain | 3mo ago Aug 5th, 2025 | Sublime Security | /feeds/core/detection-rules/newly-registered-sender-or-reply-to-domain-with-newly-registered-linked-domain-e5b6a81f | |
Vendor compromise: GovDelivery message with suspicious link | 3mo ago Aug 5th, 2025 | Sublime Security | /feeds/core/detection-rules/vendor-compromise-govdelivery-message-with-suspicious-link-0d2d5172 | |
Link: Multistage landing - Abused Adobe frame.io | 3mo ago Aug 5th, 2025 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-abused-adobe-frameio-a6c457c5 |
Page 1 of 2