Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Advance Fee Fraud (AFF) from freemail provider or suspicious TLD | Sublime Security | 2mo ago Nov 3rd, 2025 | /feeds/core/detection-rules/advance-fee-fraud-aff-from-freemail-provider-or-suspicious-tld-6a5af373 | |
Attachment: Adobe image lure in body or attachment with suspicious link | Sublime Security | 18d ago Jan 5th, 2026 | /feeds/core/detection-rules/attachment-adobe-image-lure-in-body-or-attachment-with-suspicious-link-1d7add81 | |
Attachment: Base64 encoded bash command in filename | @vector_sec | 4mo ago Sep 5th, 2025 | /feeds/core/detection-rules/attachment-base64-encoded-bash-command-in-filename-819f69c8 | |
Attachment: Calendar file with invisible Unicode characters | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-calendar-file-with-invisible-unicode-characters-050fceac | |
Attachment: Calendar invite with suspicious link leading to an open redirect | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-calendar-invite-with-suspicious-link-leading-to-an-open-redirect-5d6294c7 | |
Attachment: Callback phishing solicitation via image file | @vector_sec | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-image-file-60acbb36 | |
Attachment: Callback phishing solicitation via text-based file | Sublime Security | 4mo ago Sep 22nd, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-text-based-file-ca39c83a | |
Attachment: Credit card application with WhatsApp contact | Sublime Security | 2mo ago Nov 20th, 2025 | /feeds/core/detection-rules/attachment-credit-card-application-with-whatsapp-contact-95b08315 | |
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-cve-2021-40444-mshtml-remote-code-execution-vulnerability-8cefcf7f | |
Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-cve-2023-21716-microsoft-office-remote-code-execution-vulnerability-23714cca | |
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability | Sublime Security | 10mo ago Mar 21st, 2025 | /feeds/core/detection-rules/attachment-cve-2025-24071-microsoft-windows-file-explorer-spoofing-vulnerability-2e69fa0b | |
Attachment: Decoy PDF author (Julie P.) | Sublime Security | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-decoy-pdf-author-julie-p-4324213a | |
Attachment: DocX embedded binary | Sublime Security | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-docx-embedded-binary-feff0241 | |
Attachment: Double base64-encoded zip file in HTML smuggling attachment | @ajpc500 | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-double-base64-encoded-zip-file-in-html-smuggling-attachment-61ebb07b | |
Attachment: Dropbox image lure with no Dropbox domains in links | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-dropbox-image-lure-with-no-dropbox-domains-in-links-500eee2d | |
Attachment: EML file contains HTML attachment with login portal indicators | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-eml-file-contains-html-attachment-with-login-portal-indicators-6e4df158 | |
Attachment: EML file with HTML attachment (unsolicited) | Sublime Security | 5mo ago Aug 20th, 2025 | /feeds/core/detection-rules/attachment-eml-file-with-html-attachment-unsolicited-c24fd191 | |
Attachment: EML with link to credential phishing page | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-eml-with-link-to-credential-phishing-page-1df41cca | |
Attachment: EML with SharePoint files shared from GoDaddy federated tenants | Sublime Security | 4mo ago Sep 23rd, 2025 | /feeds/core/detection-rules/attachment-eml-with-sharepoint-files-shared-from-godaddy-federated-tenants-02c1f590 | |
Attachment: EML with suspicious indicators | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-eml-with-suspicious-indicators-deb5d08d | |
Attachment: Emotet heavily padded doc in zip file | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-emotet-heavily-padded-doc-in-zip-file-9a5332ed | |
Attachment: Encrypted PDF with credential theft body | Sublime Security | 1mo ago Dec 1st, 2025 | /feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a | |
Attachment: Encrypted zip file with payment-related lure | Sublime Security | 1mo ago Nov 25th, 2025 | /feeds/core/detection-rules/attachment-encrypted-zip-file-with-payment-related-lure-5d1eb7af | |
Attachment: Fake scan-to-email | Sublime Security | 4mo ago Sep 22nd, 2025 | /feeds/core/detection-rules/attachment-fake-scan-to-email-ea850cc1 | |
Attachment: Fake secure message and suspicious indicators | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-fake-secure-message-and-suspicious-indicators-20a34d94 | |
Attachment: Fake voicemail via PDF | Sublime Security | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-fake-voicemail-via-pdf-d3587209 | |
Attachment: Fictitious invoice using LinkedIn's address | Sublime Security | 4mo ago Sep 3rd, 2025 | /feeds/core/detection-rules/attachment-fictitious-invoice-using-linkedins-address-aeee3d9f | |
Attachment: HTML attachment with Javascript location | @vector_sec | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-html-attachment-with-javascript-location-e0611295 | |
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts | Sublime Security | 2mo ago Nov 3rd, 2025 | /feeds/core/detection-rules/attachment-html-file-with-excessive-const-declarations-and-abnormally-long-timeouts-66f8a07a | |
Attachment: HTML file with reference to recipient and suspicious patterns | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-file-with-reference-to-recipient-and-suspicious-patterns-5333493d | |
Attachment: HTML smuggling 'body onload' linking to suspicious destination | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-body-onload-linking-to-suspicious-destination-c1e2beed | |
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-body-onload-with-high-entropy-and-suspicious-text-329ac12d | |
Attachment: HTML smuggling Microsoft sign in | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-microsoft-sign-in-878d6385 | |
Attachment: HTML smuggling with atob and high entropy | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-03fcac11 | |
Attachment: HTML smuggling with auto-downloaded file | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-auto-downloaded-file-abf724f5 | |
Attachment: HTML smuggling with base64 encoded JavaScript function | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-base64-encoded-javascript-function-4e8a12ec | |
Attachment: HTML smuggling with base64 encoded ZIP file | Sublime Security | 2mo ago Nov 20th, 2025 | /feeds/core/detection-rules/attachment-html-smuggling-with-base64-encoded-zip-file-47e388de | |
Attachment: HTML smuggling with concatenation obfuscation | @vector_sec | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-concatenation-obfuscation-108ab346 | |
Attachment: HTML smuggling with decimal encoding | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-decimal-encoding-f99213c4 | |
Attachment: HTML smuggling with embedded base64-encoded ISO | Sublime Security | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-encoded-iso-294ecd2d | |
Attachment: HTML smuggling with embedded base64 streamed file download | Sublime Security | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-streamed-file-download-e04de4e2 | |
Attachment: HTML smuggling with eval and atob | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-9f521ca2 | |
Attachment: HTML smuggling with excessive line break obfuscation | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-excessive-line-break-obfuscation-7e901440 | |
Attachment: HTML smuggling with fromCharCode and other signals | Sublime Security | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-fromcharcode-and-other-signals-a68ce0ef | |
Attachment: HTML smuggling with hex strings | @ajpc500 | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-hex-strings-b4208ed6 | |
Attachment: HTML smuggling with high entropy and other signals | Sublime Security | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-high-entropy-and-other-signals-be157288 | |
Attachment: HTML smuggling with raw array buffer | Sublime Security | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-raw-array-buffer-a0d5c3dc | |
Attachment: HTML smuggling with RC4 decryption | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-rc4-decryption-3a46d765 | |
Attachment: HTML smuggling with ROT13 | @Kyle_Parrish_ | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-rot13-6eacc4cf | |
Attachment: HTML smuggling with setTimeout | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-settimeout-4e0b2c32 |