Detection Method: Whois

Whois analysis retrieves and examines domain registration information from global Whois databases to spot suspicious or recently created domains that could indicate phishing attempts. This method helps you understand key domain details like the age, ownership, and registration patterns, which can be red flags for malicious activity.
Whois analysis can detect:
  • Newly registered domains that might have been set up just for phishing campaigns
  • Domains with suspicious registration patterns or incomplete Whois records
  • Mismatched registration details that don’t align with the claimed organization
  • Domains registered via privacy services to conceal true ownership
  • Domains with upcoming expiration dates, which could indicate temporary use
For example, established organizations often use domains that have been registered for long periods. So, if you get an email from a financial institution using a domain that was registered only a few days ago, that’s a huge red flag.
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Service abuse: Microsoft Forms Pro with suspicious links or QR codes
2d ago
Jul 14th, 2026
Sublime Security
Spam: Fake photo share
15d ago
Jul 1st, 2026
Sublime Security
BEC: Financial fraud from newly registered sender domain
21d ago
Jun 25th, 2026
Sublime Security
Brand Impersonation: OpenAI with ChatGPT Ads lure
22d ago
Jun 24th, 2026
Sublime Security
Service abuse: Google Firebase sender address with suspicious content
28d ago
Jun 18th, 2026
Sublime Security
Link: Romance/Sexual Language With Suspicious Link
29d ago
Jun 17th, 2026
Sublime Security
Link: Observed URL pattern with specific domain registrar
1mo ago
Jun 12th, 2026
Sublime Security
Suspicious newly registered reply-to domain with engaging financial or urgent language
2mo ago
May 6th, 2026
Sublime Security
Service abuse: Zoom with newly registered reply-to domain
2mo ago
May 4th, 2026
Sublime Security
Impersonation: Suspected supplier impersonation with suspicious content
2mo ago
May 4th, 2026
Sublime Security
Brand impersonation: SharePoint PDF attachment with credential theft language
2mo ago
May 4th, 2026
Sublime Security
Attachment: Calendar invite from recently registered domain
2mo ago
Apr 28th, 2026
Sublime Security
Attachment: ICS file with links to newly registered domains
2mo ago
Apr 20th, 2026
Sublime Security
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
3mo ago
Apr 17th, 2026
Sublime Security
Link: Tax document lure Portuguese/Spanish with suspicious domains
3mo ago
Apr 14th, 2026
Sublime Security
Service abuse: GitHub notification with excessive mentions and suspicious links
3mo ago
Apr 7th, 2026
Sublime Security
VIP impersonation: Fake thread with display name match, email mismatch
3mo ago
Apr 3rd, 2026
Sublime Security
Attachment: Legal themed message or PDF with suspicious indicators
3mo ago
Apr 3rd, 2026
Sublime Security
Link: Financial account issue with suspicious indicators
3mo ago
Mar 24th, 2026
Sublime Security
Link: Commonly Abused Web Service redirecting to ZIP file
4mo ago
Mar 10th, 2026
Sublime Security