
Summary
This rule identifies and flags suspicious email messages processed by the Sublime service. It applies a set of criteria that mark a message as potentially risky, including language patterns typical of phishing and message characteristics that signal unusual sender behavior. The rule defines specific markers such as engagement language from untrusted senders, suspicious attachment types, and deficiencies in email header authentication. By monitoring Sublime.MessageEvent logs, it triggers an alert when at least one message meets the flagged criteria within a defined timeframe. This proactive approach aims to reduce the risk of credential theft and social engineering attacks through careful scrutiny of messaging patterns.
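The following is an added illustration of the detection logic described above, not the rule itself and not Sublime's code: it evaluates the three markers (engagement language from an untrusted sender, suspicious attachment types, failed header authentication) over constructed message records and groups hits into time windows. The record fields (sender_trusted, headers.spf/dkim/dmarc), the keyword list and the extension list are assumptions, not Sublime's MessageEvent schema.

```python
import re
from datetime import datetime, timezone

# Constructed sample records; field names are assumptions, not Sublime's real schema.
SAMPLE_EVENTS = [
    {"time": "2024-09-25T10:00:00+00:00", "sender": "billing@unknown-vendor.example",
     "sender_trusted": False, "subject": "Urgent: verify your account now",
     "attachments": ["invoice.html"], "headers": {"spf": "fail", "dkim": "none", "dmarc": "fail"}},
    {"time": "2024-09-25T10:05:00+00:00", "sender": "hr@corp.example",
     "sender_trusted": True, "subject": "Team lunch Friday",
     "attachments": ["menu.pdf"], "headers": {"spf": "pass", "dkim": "pass", "dmarc": "pass"}},
    {"time": "2024-09-25T14:30:00+00:00", "sender": "noreply@partner.example",
     "sender_trusted": False, "subject": "Action required: password expires today",
     "attachments": [], "headers": {"spf": "pass", "dkim": "pass", "dmarc": "pass"}},
]

# Assumed engagement/urgency vocabulary and risky attachment extensions (illustrative lists).
ENGAGEMENT_PATTERN = re.compile(r"\b(urgent|action required|verify|immediately|password)\b", re.I)
SUSPICIOUS_ATTACHMENT_EXT = (".html", ".htm", ".iso", ".lnk", ".js", ".vbs")


def flag_reasons(event):
    """Return the list of markers a single message matches (empty list = not flagged)."""
    reasons = []
    if not event["sender_trusted"] and ENGAGEMENT_PATTERN.search(event["subject"]):
        reasons.append("engagement_language_untrusted_sender")
    if any(name.lower().endswith(SUSPICIOUS_ATTACHMENT_EXT) for name in event["attachments"]):
        reasons.append("suspicious_attachment")
    hdr = event["headers"]
    if any(hdr.get(check) != "pass" for check in ("spf", "dkim", "dmarc")):
        reasons.append("header_auth_deficiency")
    return reasons


def alert_buckets(events, window_minutes=60, threshold=1):
    """Group flagged messages into fixed windows; return windows whose count meets threshold."""
    win = window_minutes * 60
    buckets = {}
    for e in events:
        reasons = flag_reasons(e)
        if not reasons:
            continue
        ts = datetime.fromisoformat(e["time"])
        start = datetime.fromtimestamp((ts.timestamp() // win) * win, tz=timezone.utc)
        buckets.setdefault(start, []).append({"sender": e["sender"], "reasons": reasons})
    return {start: hits for start, hits in buckets.items() if len(hits) >= threshold}
```

With the sample records, the trusted "team lunch" message is never flagged, while the two untrusted messages each produce an alert in their own hourly window.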
Categories
- Web
- Cloud
- Endpoint
- Application
- Identity Management
Data Sources
- Script
- Application Log
- User Account
Created: 2024-09-25