Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Attachment: HTML smuggling with high entropy and other signals | Sublime Security | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-high-entropy-and-other-signals-be157288 | |
Attachment: HTML smuggling with raw array buffer | Sublime Security | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-raw-array-buffer-a0d5c3dc | |
Attachment: HTML smuggling with RC4 decryption | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-rc4-decryption-3a46d765 | |
Attachment: HTML smuggling with ROT13 | @Kyle_Parrish_ | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-rot13-6eacc4cf | |
Attachment: HTML smuggling with setTimeout | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-settimeout-4e0b2c32 | |
Attachment: HTML with hidden body | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-with-hidden-body-b059a781 | |
Attachment: HTML with JavaScript functions for HTTP requests | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-html-with-javascript-functions-for-http-requests-01e679fd | |
Attachment: ICS file with non-Gregorian calendar scale | Sublime Security | 4mo ago Nov 4th, 2025 | /feeds/core/detection-rules/attachment-ics-file-with-non-gregorian-calendar-scale-9315bbf5 | |
Attachment: Invoice and W-9 PDFs with suspicious creators | Sublime Security | 1mo ago Jan 21st, 2026 | /feeds/core/detection-rules/attachment-invoice-and-w-9-pdfs-with-suspicious-creators-305d6e32 | |
Attachment: Legal themed message or PDF with suspicious indicators | Sublime Security | 1mo ago Feb 5th, 2026 | /feeds/core/detection-rules/attachment-legal-themed-message-or-pdf-with-suspicious-indicators-19133301 | |
Attachment: Link to Doubleclick.net open redirect | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-link-to-doubleclicknet-open-redirect-506c16cc | |
Attachment: LNK with embedded content | @ajpc500 | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-lnk-with-embedded-content-41452f7a | |
Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation | @ajpc500 | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-macro-with-suspected-use-of-com-shellbrowserwindow-object-for-process-creation-527fc7f0 | |
Attachment: Malicious OneNote commands | @Kyle_Parrish_ | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-malicious-onenote-commands-7319f0eb | |
Attachment: Microsoft 365 credential phishing | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-microsoft-365-credential-phishing-edce0229 | |
Attachment: Office document with VSTO add-in | @vector_sec | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-document-with-vsto-add-in-27afa730 | |
Attachment: Office file with credential phishing URLs | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-credential-phishing-urls-b2cae98d | |
Attachment: Office file with document sharing and browser instruction lures | Sublime Security | 1mo ago Jan 29th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-document-sharing-and-browser-instruction-lures-b1250a4b | |
Attachment: OLE external relationship containing file scheme link to executable filetype | Sublime Security | 3mo ago Nov 24th, 2025 | /feeds/core/detection-rules/attachment-ole-external-relationship-containing-file-scheme-link-to-executable-filetype-33bf6fd4 | |
Attachment: OLE external relationship containing file scheme link to IP address | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-ole-external-relationship-containing-file-scheme-link-to-ip-address-3aab998c | |
Attachment: PDF with a suspicious string and single URL | Sublime Security | 8d ago Mar 2nd, 2026 | /feeds/core/detection-rules/attachment-pdf-with-a-suspicious-string-and-single-url-3bdbb7ad | |
Attachment: PDF with link to DMG file download | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-link-to-dmg-file-download-2c486fe0 | |
Attachment: PDF with link to zip containing a wsf file | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-link-to-zip-containing-a-wsf-file-93bc7db4 | |
Attachment: PDF with Microsoft Purview message impersonation | Sublime Security | 3mo ago Nov 10th, 2025 | /feeds/core/detection-rules/attachment-pdf-with-microsoft-purview-message-impersonation-571d4964 | |
Attachment: PDF with password in filename matching body text | Sublime Security | 19d ago Feb 19th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-password-in-filename-matching-body-text-2c9c3b24 | |
Attachment: PDF with personal Microsoft OneNote URL | Sublime Security | 3mo ago Dec 4th, 2025 | /feeds/core/detection-rules/attachment-pdf-with-personal-microsoft-onenote-url-0675bbc5 | |
Attachment: PDF with suspicious link and action-oriented language | Sublime Security | 4d ago Mar 6th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-link-and-action-oriented-language-816d33a0 | |
Attachment: RFP/RFQ impersonating government entities | Sublime Security | 2y ago Jan 30th, 2024 | /feeds/core/detection-rules/attachment-rfprfq-impersonating-government-entities-3b73e3b3 | |
Attachment: Self-sender PDF with minimal content and view prompt | Sublime Security | 26d ago Feb 12th, 2026 | /feeds/core/detection-rules/attachment-self-sender-pdf-with-minimal-content-and-view-prompt-07670a8c | |
Attachment: Suspicious employee policy update document lure | Sublime Security | 2mo ago Dec 26th, 2025 | /feeds/core/detection-rules/attachment-suspicious-employee-policy-update-document-lure-a8bf1fd1 | |
Attachment: Suspicious PDF created with headless browser | Sublime Security | 5mo ago Sep 17th, 2025 | /feeds/core/detection-rules/attachment-suspicious-pdf-created-with-headless-browser-8f3108d7 | |
Attachment: SVG file execution | Sublime Security | 7mo ago Aug 8th, 2025 | /feeds/core/detection-rules/attachment-svg-file-execution-084b0cde | |
Attachment: USDA bid invitation impersonation | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493 | |
Attachment: Web files with suspicious comments | Sublime Security | 7mo ago Aug 8th, 2025 | /feeds/core/detection-rules/attachment-web-files-with-suspicious-comments-93061d17 | |
BEC: Employee impersonation with subject manipulation | Sublime Security | 1mo ago Jan 16th, 2026 | /feeds/core/detection-rules/bec-employee-impersonation-with-subject-manipulation-9adfc77b | |
BEC/Fraud: Generic scam attempt to undisclosed recipients | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/becfraud-generic-scam-attempt-to-undisclosed-recipients-5dac401f | |
BEC/Fraud: Job scam fake thread or plaintext pivot to freemail | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/becfraud-job-scam-fake-thread-or-plaintext-pivot-to-freemail-ce21c151 | |
BEC/Fraud: Penpal scam | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/becfraud-penpal-scam-a4bdfa17 | |
BEC/Fraud: Romance scam | Sublime Security | 3h ago Mar 9th, 2026 | /feeds/core/detection-rules/becfraud-romance-scam-0243cdaa | |
BEC/Fraud: Scam lure with freemail pivot | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/becfraud-scam-lure-with-freemail-pivot-898c769f | |
BEC/Fraud: Student loan callback phishing | Sublime Security | 6mo ago Sep 5th, 2025 | /feeds/core/detection-rules/becfraud-student-loan-callback-phishing-a71f82c3 | |
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/becfraud-urgent-language-and-suspicious-sendinginfrastructure-patterns-ba8a79e0 | |
BEC with unusual reply-to or return-path mismatch | Sublime Security | 7d ago Mar 3rd, 2026 | /feeds/core/detection-rules/bec-with-unusual-reply-to-or-return-path-mismatch-83e5e2df | |
Benefits enrollment impersonation | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/benefits-enrollment-impersonation-5a6eb5a8 | |
Body: Embedded email headers indicative of thread hijacking/abuse | Sublime Security | 3mo ago Dec 1st, 2025 | /feeds/core/detection-rules/body-embedded-email-headers-indicative-of-thread-hijackingabuse-6e8eeebb | |
Brand impersonation: AARP | Sublime Security | 3mo ago Dec 1st, 2025 | /feeds/core/detection-rules/brand-impersonation-aarp-561a7f87 | |
Brand impersonation: Adobe Sign with suspicious indicators | Sublime Security | 2mo ago Jan 8th, 2026 | /feeds/core/detection-rules/brand-impersonation-adobe-sign-with-suspicious-indicators-704d143a | |
Brand impersonation: Adobe with suspicious language and link | Sublime Security | 3mo ago Nov 24th, 2025 | /feeds/core/detection-rules/brand-impersonation-adobe-with-suspicious-language-and-link-32cc8bf1 | |
Brand impersonation: AliExpress | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/brand-impersonation-aliexpress-b14703d8 | |
Brand impersonation: Amazon Web Services (AWS) | Sublime Security | 5mo ago Oct 10th, 2025 | /feeds/core/detection-rules/brand-impersonation-amazon-web-services-aws-31de94e0 |