Detection Rules


Detection rules are used to identify phishing attacks and to support data loss prevention (DLP) and policy enforcement.

You can view some of the open-source detection rules available for use today in the Sublime rules GitHub repo.

Here is a non-exhaustive list of the categories of phishing attacks and techniques that can be detected today:

  • Executive impersonation
  • Brand impersonation
  • Vendor impersonation
  • Sextortion
  • Homoglyph and lookalike domains
  • Gift card scams
  • Bitcoin scams
  • Free file hosting services
  • Free subdomains
  • Spoofed messages
  • URL shorteners
  • Suspicious Office 365 app authorization requests
  • COVID-19 scams

Get started

Create your first detection rule by visiting Rules > Detection Rules and clicking "New rule".

You can also create and share detection rules in the MQL Playground.