Rule Name & Severity | Author | Last Updated | Rule Path | |
|---|---|---|---|---|
Attachment: HTML smuggling with setTimeout | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-settimeout-4e0b2c32 | |
Attachment: HTML smuggling with unescape | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-unescape-0b0fed36 | |
Attachment: HTML with obfuscation and recipient's email in JavaScript strings | Sublime Security | 4mo ago Sep 25th, 2025 | /feeds/core/detection-rules/attachment-html-with-obfuscation-and-recipients-email-in-javascript-strings-1aff486b | |
Attachment: JavaScript file with suspicious base64-encoded executable | Sublime Security | 2y ago Apr 1st, 2024 | /feeds/core/detection-rules/attachment-javascript-file-with-suspicious-base64-encoded-executable-b8db0cf3 | |
Attachment: LNK file | @ajpc500 | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-lnk-file-44532abe | |
Attachment: Macro files containing MHT content | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-macro-files-containing-mht-content-4d54e40b | |
Attachment: Malicious OneNote commands | @Kyle_Parrish_ | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-malicious-onenote-commands-7319f0eb | |
Attachment: MSI installer file | @ajpc500 | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-msi-installer-file-ae17b1a9 | |
Attachment: Office document loads remote document template | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-document-loads-remote-document-template-d9601104 | |
Attachment: Office document with VSTO add-in | @vector_sec | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-document-with-vsto-add-in-27afa730 | |
Attachment: Office file with credential phishing URLs | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-credential-phishing-urls-b2cae98d | |
Attachment: Office file with document sharing and browser instruction lures | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-document-sharing-and-browser-instruction-lures-b1250a4b | |
Attachment: Office file with suspicious function calls or downloaded file path | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-suspicious-function-calls-or-downloaded-file-path-4c78b969 | |
Attachment: OLE external relationship containing file scheme link to executable filetype | Sublime Security | 2mo ago Nov 24th, 2025 | /feeds/core/detection-rules/attachment-ole-external-relationship-containing-file-scheme-link-to-executable-filetype-33bf6fd4 | |
Attachment: OLE external relationship containing file scheme link to IP address | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-ole-external-relationship-containing-file-scheme-link-to-ip-address-3aab998c | |
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited) | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-links-to-suspicious-filetypes-unsolicited-6144f880 | |
Attachment: PDF file with low reputation link to ZIP file (unsolicited) | Michael Tingle | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-link-to-zip-file-unsolicited-d1ee2859 | |
Attachment: PDF with link to DMG file download | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-link-to-dmg-file-download-2c486fe0 | |
Attachment: PDF with link to zip containing a wsf file | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-link-to-zip-containing-a-wsf-file-93bc7db4 | |
Attachment: PowerShell content | @ajpc500 | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-powershell-content-c12566db | |
Attachment: RDP connection file | @ajpc500 | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-rdp-connection-file-2409a422 | |
Attachment: RTF file with suspicious link | Sublime Security | 6mo ago Jul 23rd, 2025 | /feeds/core/detection-rules/attachment-rtf-file-with-suspicious-link-c848f9aa | |
Attachment soliciting user to enable macros | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-soliciting-user-to-enable-macros-e9d75515 | |
Attachment: SVG file execution | Sublime Security | 5mo ago Aug 8th, 2025 | /feeds/core/detection-rules/attachment-svg-file-execution-084b0cde | |
Attachment: Uncommon compressed file | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-uncommon-compressed-file-0c6fba7a | |
Attachment: WinRAR CVE-2025-8088 exploitation | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-winrar-cve-2025-8088-exploitation-33b3a82b | |
Attachment with auto-executing macro (unsolicited) | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-with-auto-executing-macro-unsolicited-af6624c3 | |
Attachment with auto-opening VBA macro (unsolicited) | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-with-auto-opening-vba-macro-unsolicited-d48b3e53 | |
Attachment with encrypted zip (unsolicited) | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-with-encrypted-zip-unsolicited-697c87ae | |
Attachment with macro calling executable | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-with-macro-calling-executable-5ee6a197 | |
Attachment with unscannable encrypted zip (unsolicited) | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-with-unscannable-encrypted-zip-unsolicited-529d4a9a | |
Attachment with VBA macros from employee impersonation (unsolicited) | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-with-vba-macros-from-employee-impersonation-unsolicited-9b262123 | |
HTML smuggling containing recipient email address | Sublime Security | 2mo ago Nov 4th, 2025 | /feeds/core/detection-rules/html-smuggling-containing-recipient-email-address-af32ff2f | |
Link to auto-downloaded disk image in encrypted zip | @ajpc500 | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/link-to-auto-downloaded-disk-image-in-encrypted-zip-b50f0cb1 | |
Link to auto-downloaded DMG in archive | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-archive-dc04cdd8 | |
Link to auto-downloaded DMG in encrypted zip | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-encrypted-zip-43af98d3 | |
Link to auto-download of a suspicious file type (unsolicited) | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/link-to-auto-download-of-a-suspicious-file-type-unsolicited-67ae2152 | |
MalwareBazaar: Malicious attachment hash in archive (trusted reporters) | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/malwarebazaar-malicious-attachment-hash-in-archive-trusted-reporters-9d734281 | |
Malware: Pikabot delivery via URL auto-download | Sublime Security | 2y ago Apr 25th, 2024 | /feeds/core/detection-rules/malware-pikabot-delivery-via-url-auto-download-f4be4572 | |
Non-RFC compliant calendar files from unsolicited sender | Sublime Security | 3mo ago Oct 1st, 2025 | /feeds/core/detection-rules/non-rfc-compliant-calendar-files-from-unsolicited-sender-9859f100 | |
QR code to auto-download of a suspicious file type (unsolicited) | Sublime Security | 3mo ago Oct 17th, 2025 | /feeds/core/detection-rules/qr-code-to-auto-download-of-a-suspicious-file-type-unsolicited-eed87ea2 | |