Detection Method: Whois

Whois analysis retrieves and examines domain registration information from global Whois databases to spot suspicious or recently created domains that could indicate phishing attempts. This method helps you understand key domain details like the age, ownership, and registration patterns, which can be red flags for malicious activity.
Whois analysis can detect:
  • Newly registered domains that might have been set up just for phishing campaigns
  • Domains with suspicious registration patterns or incomplete Whois records
  • Mismatched registration details that don’t align with the claimed organization
  • Domains registered via privacy services to conceal true ownership
  • Domains with upcoming expiration dates, which could indicate temporary use
For example, established organizations often use domains that have been registered for long periods. So, if you get an email from a financial institution using a domain that was registered only a few days ago, that’s a huge red flag.
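The checks listed above can be expressed as a small scoring routine. The following is an added example, not code from Sublime Security or from this page: it parses constructed `Key: Value` WHOIS output, computes domain age against an explicit reference time so the result is reproducible, and emits one tag per red flag. The 10-day "newly registered" threshold mirrors the `<=10d` rules listed below; the 30-day "expiring soon" threshold, the privacy-service keyword list, the required-field list and the sample records are assumptions chosen for illustration.

```python
"""Added example (not part of the Sublime Security page): a self-contained
scorer for the Whois red flags described in the text. It parses constructed
'Key: Value' WHOIS output, computes domain age against an explicit reference
time (so results are reproducible), and reports the flags as short tags."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

NEW_DOMAIN_DAYS = 10       # assumption: mirrors the "<=10d" rules on the page
EXPIRING_SOON_DAYS = 30    # assumption: illustrative threshold
# assumption: substrings that commonly appear in privacy/proxy registrant data
PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "whoisguard", "domains by proxy")
# assumption: fields whose absence we treat as an "incomplete" record
REQUIRED_FIELDS = ("registrar", "registrant organization", "registrant country")


@dataclass
class WhoisRecord:
    domain: str
    fields: dict = field(default_factory=dict)


def parse_whois(text: str) -> WhoisRecord:
    """Parse 'Key: Value' lines; repeated keys are joined with ';'. Comment
    lines (%, #, >>>) and lines with an empty value are ignored."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not value:
            continue
        fields[key] = f"{fields[key]}; {value}" if key in fields else value
    return WhoisRecord(domain=fields.get("domain name", "").lower(), fields=fields)


def _parse_date(value: str):
    """WHOIS date formats vary by registry; accept the common ISO-8601 shapes."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d"):
        try:
            dt = datetime.strptime(value, fmt)
            return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def whois_flags(record: WhoisRecord, now: datetime) -> list:
    """Return the red flags from the text: new registration, upcoming expiry,
    incomplete record, privacy-service registrant."""
    flags = []
    f = record.fields
    created = _parse_date(f.get("creation date", ""))
    expires = _parse_date(f.get("registry expiry date", ""))
    if created is None:
        flags.append("missing_creation_date")
    elif (now - created).days <= NEW_DOMAIN_DAYS:
        flags.append(f"newly_registered:{(now - created).days}d")
    if expires is not None and 0 <= (expires - now).days <= EXPIRING_SOON_DAYS:
        flags.append(f"expires_soon:{(expires - now).days}d")
    missing = [k for k in REQUIRED_FIELDS if k not in f]
    if missing:
        flags.append("incomplete_record:" + ",".join(missing))
    registrant = " ".join(v for k, v in f.items() if k.startswith("registrant")).lower()
    if any(marker in registrant for marker in PRIVACY_MARKERS):
        flags.append("privacy_service")
    return flags


def claimed_org_mismatch(record: WhoisRecord, claimed_org: str) -> bool:
    """True when a registrant organization is present but does not match the
    organization the message claims to come from."""
    org = record.fields.get("registrant organization", "").lower()
    return bool(org) and claimed_org.lower() not in org


# Constructed sample records (not real WHOIS output; .test is a reserved TLD)
FRESH = """Domain Name: EXAMPLE-SECURE-LOGIN.TEST
Registrar: Example Registrar LLC
Creation Date: 2025-06-15T10:00:00Z
Registry Expiry Date: 2025-07-10T10:00:00Z
Registrant Organization: Privacy Protect, LLC (PrivacyProtect.org)
Registrant Country: US
"""
ESTABLISHED = """Domain Name: EXAMPLE-BANK.TEST
Registrar: Example Registrar LLC
Creation Date: 2009-03-02T00:00:00Z
Registry Expiry Date: 2030-03-02T00:00:00Z
Registrant Organization: Example Bank N.A.
Registrant Country: US
"""
NOW = datetime(2025, 6, 18, 12, 0, tzinfo=timezone.utc)  # fixed reference time

if __name__ == "__main__":
    for text in (FRESH, ESTABLISHED):
        rec = parse_whois(text)
        print(rec.domain, whois_flags(rec, NOW),
              "org mismatch:", claimed_org_mismatch(rec, "Example Bank"))
```

Run against the two constructed records, the three-day-old domain behind a privacy service comes back with `newly_registered:3d`, `expires_soon:21d` and `privacy_service`, while the long-established record produces no flags; `claimed_org_mismatch` is what you would pair with the sender's claimed brand to catch the "financial institution on a days-old domain" case the text describes. In production the reference time should be the message's arrival time, and registries that redact dates or return non-ISO formats will surface as `missing_creation_date`, which is itself worth treating as a weak signal rather than silently ignoring.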
Tactics & Techniques (11):
  • Free subdomain host
  • IPFS
  • Social engineering
  • Evasion
  • Impersonation: Brand
  • Free file host
  • Free email provider
  • Lookalike domain
  • Impersonation: VIP
  • Spoofing
  • PDF
Rules (Rule Name & Severity / Last Updated / Author / Types, Tactics & Capabilities):

Rule: Vendor Compromise: GovDelivery Message With Suspicious Link
  • Last updated: 14d ago (Jun 4th, 2025 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: Credential Phishing, Malware/Ransomware, Free subdomain host, IPFS, Social engineering, Evasion, Impersonation: Brand, Natural Language Understanding, URL analysis, Whois
  • Link: /feeds/core/detection-rules/vendor-compromise-govdelivery-message-with-suspicious-link-0d2d5172

Rule: Link: Multistage Landing - Published Google Doc
  • Last updated: 1mo ago (May 14th, 2025 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: Credential Phishing, Free file host, Social engineering, Natural Language Understanding, URL analysis, Whois
  • Link: /feeds/core/detection-rules/link-multistage-landing-published-google-doc-031e1ff8

Rule: Link: Multistage Landing - Abused Google Drive
  • Last updated: 1mo ago (May 5th, 2025 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: Credential Phishing, Evasion, Free email provider, Free file host, Content analysis, Sender analysis, URL analysis, Whois, HTML analysis
  • Link: /feeds/core/detection-rules/link-multistage-landing-abused-google-drive-c86288b4

Rule: Spam: Fake photo share
  • Last updated: 2mo ago (Apr 16th, 2025 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: Spam, Evasion, Social engineering, Content analysis, Sender analysis, URL analysis, Whois
  • Link: /feeds/core/detection-rules/spam-fake-photo-share-eb086f7d

Rule: Generic Service Abuse From Newly Registered Domain
  • Last updated: 2mo ago (Apr 15th, 2025 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: BEC/Fraud, Callback Phishing, Credential Phishing, Evasion, Social engineering, Header analysis, Sender analysis, Whois
  • Link: /feeds/core/detection-rules/generic-service-abuse-from-newly-registered-domain-0937b4c5

Rule: Link: Multistage Landing - Abused Docusign
  • Last updated: 2mo ago (Apr 11th, 2025 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: Credential Phishing, Evasion, Free subdomain host, Free file host, Content analysis, Sender analysis, URL analysis, Whois, HTML analysis
  • Link: /feeds/core/detection-rules/link-multistage-landing-abused-docusign-4189a645

Rule: Suspicious newly registered reply-to domain with engaging financial or urgent language
  • Last updated: 2mo ago (Apr 11th, 2025 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: BEC/Fraud, Social engineering, Content analysis, Header analysis, Natural Language Understanding, Sender analysis, URL analysis, Whois
  • Link: /feeds/core/detection-rules/suspicious-newly-registered-reply-to-domain-with-engaging-financial-or-urgent-language-db4d9bb3

Rule: BEC/Fraud: Urgent Language and Suspicious Sending/Infrastructure Patterns
  • Last updated: 3mo ago (Mar 10th, 2025 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: BEC/Fraud, Callback Phishing, Spam, Impersonation: Brand, Social engineering, Free email provider, Content analysis, Header analysis, Sender analysis, Whois
  • Link: /feeds/core/detection-rules/becfraud-urgent-language-and-suspicious-sendinginfrastructure-patterns-ba8a79e0

Rule: Recruitee Infrastructure Abuse
  • Last updated: 3mo ago (Mar 3rd, 2025 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: BEC/Fraud, Credential Phishing, Impersonation: Brand, Social engineering, Content analysis, Natural Language Understanding, Sender analysis, URL analysis, Whois
  • Link: /feeds/core/detection-rules/recruitee-infrastructure-abuse-31cab83d

Rule: Link: Multistage Landing - Abused Adobe frame.io
  • Last updated: 3mo ago (Mar 3rd, 2025 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: Credential Phishing, Evasion, Free file host, Content analysis, Whois, Computer Vision, URL analysis, HTML analysis
  • Link: /feeds/core/detection-rules/link-multistage-landing-abused-adobe-frameio-a6c457c5

Rule: Impersonation: Suspected supplier impersonation with suspicious content
  • Last updated: 4mo ago (Feb 3rd, 2025 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: BEC/Fraud, Evasion, Free email provider, Lookalike domain, Social engineering, Content analysis, Header analysis, Natural Language Understanding, Sender analysis, URL analysis, Whois
  • Link: /feeds/core/detection-rules/impersonation-suspected-supplier-impersonation-with-suspicious-content-63d8b1ce

Rule: Service Abuse: Google Drive Share From New Reply-To Domain
  • Last updated: 5mo ago (Jan 9th, 2025 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: BEC/Fraud, Callback Phishing, Credential Phishing, Free email provider, Social engineering, Free file host, Header analysis, Sender analysis, Whois
  • Link: /feeds/core/detection-rules/service-abuse-google-drive-share-from-new-reply-to-domain-c1a2d367

Rule: Suspected Lookalike domain with suspicious language
  • Last updated: 5mo ago (Dec 24th, 2024 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: BEC/Fraud, Evasion, Lookalike domain, Social engineering, Content analysis, Natural Language Understanding, Sender analysis, Whois
  • Link: /feeds/core/detection-rules/suspected-lookalike-domain-with-suspicious-language-3674ced0

Rule: Link: Abused Adobe Express
  • Last updated: 6mo ago (Dec 16th, 2024 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: Credential Phishing, Evasion, Free subdomain host, Free file host, Content analysis, Sender analysis, URL analysis, Whois, HTML analysis
  • Link: /feeds/core/detection-rules/link-abused-adobe-express-c7d17bfd

Rule: New sender domain (<=10d) from untrusted sender
  • Last updated: 7mo ago (Nov 20th, 2024 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: Sender analysis, Whois
  • Link: /feeds/core/detection-rules/new-sender-domain-less10d-from-untrusted-sender-d87fa543

Rule: Brand Impersonation: Stripe Notification
  • Last updated: 9mo ago (Aug 27th, 2024 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: Credential Phishing, Evasion, Impersonation: Brand, Social engineering, Content analysis, Header analysis, URL analysis, Whois
  • Link: /feeds/core/detection-rules/brand-impersonation-stripe-notification-3ffd2b03

Rule: VIP impersonation: Fake thread with display name match, email mismatch
  • Last updated: 10mo ago (Jul 29th, 2024 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: BEC/Fraud, Evasion, Impersonation: VIP, Social engineering, Spoofing, Content analysis, Header analysis, Sender analysis, Whois
  • Link: /feeds/core/detection-rules/vip-impersonation-fake-thread-with-display-name-match-email-mismatch-11cc3e28

Rule: Brand impersonation: Silicon Valley Bank
  • Last updated: 1y ago (Apr 25th, 2024 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: Credential Phishing, Impersonation: Brand, Lookalike domain, Social engineering, Sender analysis, Whois
  • Link: /feeds/core/detection-rules/brand-impersonation-silicon-valley-bank-a01f61d9

Rule: Attachment: DocuSign Impersonation (PDF) linking to New Domain <=3d
  • Last updated: 1y ago (Apr 25th, 2024 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: Credential Phishing, Impersonation: Brand, PDF, Social engineering, Header analysis, Sender analysis, URL analysis, File analysis, Computer Vision, Whois
  • Link: /feeds/core/detection-rules/attachment-docusign-impersonation-pdf-linking-to-new-domain-less3d-f0c96282

Rule: Spam: New link domain (<=10d) and emojis
  • Last updated: 1y ago (Apr 25th, 2024 UTC)
  • Author: Sublime Security
  • Types, tactics & capabilities: Spam, Free email provider, Content analysis, Sender analysis, URL analysis, Whois
  • Link: /feeds/core/detection-rules/spam-new-link-domain-less10d-and-emojis-33677993