Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Link: Microsoft impersonation using hosted png with suspicious link | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-microsoft-impersonation-using-hosted-png-with-suspicious-link-07c696d4 | |
Link: Microsoft protected message with matching sender and recipient addresses | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-microsoft-protected-message-with-matching-sender-and-recipient-addresses-a5a2f75d | |
Link: Mixed case HTTPS protocol | Sublime Security | 15h ago Mar 9th, 2026 | /feeds/core/detection-rules/link-mixed-case-https-protocol-f3424a81 | |
Link: Multiple HTTP protocols in single URL | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-multiple-http-protocols-in-single-url-92f9d241 | |
Link: Multistage landing - Abused Adobe frame.io | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/link-multistage-landing-abused-adobe-frameio-a6c457c5 | |
Link: Multistage landing - Abused Docusign | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/link-multistage-landing-abused-docusign-4189a645 | |
Link: Multistage landing - Abused Google Drive | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/link-multistage-landing-abused-google-drive-c86288b4 | |
Link: Multistage landing - ClickUp abuse | Sublime Security | 11d ago Feb 27th, 2026 | /feeds/core/detection-rules/link-multistage-landing-clickup-abuse-78a5d035 | |
Link: Multistage landing - FreshDesk knowledge base abuse | Sublime Security | 6mo ago Aug 21st, 2025 | /feeds/core/detection-rules/link-multistage-landing-freshdesk-knowledge-base-abuse-edd6acf7 | |
Link: Multistage landing - JotForm abuse | Sublime Security | 3mo ago Dec 1st, 2025 | /feeds/core/detection-rules/link-multistage-landing-jotform-abuse-5b64326f | |
Link: Multistage landing - Microsoft Forms abuse | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-multistage-landing-microsoft-forms-abuse-85a2cd12 | |
Link: Multistage landing - Trello board abuse | Sublime Security | 6mo ago Aug 20th, 2025 | /feeds/core/detection-rules/link-multistage-landing-trello-board-abuse-14a5b23a | |
Link: PDF and financial display text to free file host | Sublime Security | 5mo ago Sep 24th, 2025 | /feeds/core/detection-rules/link-pdf-and-financial-display-text-to-free-file-host-b010740b | |
Link: PDF filename impersonation with credential theft language | Sublime Security | 26d ago Feb 12th, 2026 | /feeds/core/detection-rules/link-pdf-filename-impersonation-with-credential-theft-language-05931513 | |
Link: Personal SharePoint with invalid recipients and credential theft language | Sublime Security | 1mo ago Jan 23rd, 2026 | /feeds/core/detection-rules/link-personal-sharepoint-with-invalid-recipients-and-credential-theft-language-79d5403d | |
Link: QR code in EML attachment with credential phishing indicators | Sublime Security | 3mo ago Dec 2nd, 2025 | /feeds/core/detection-rules/link-qr-code-in-eml-attachment-with-credential-phishing-indicators-9908ed3a | |
Link: QR code with phishing disposition in img or pdf | Sublime Security | 7mo ago Jul 30th, 2025 | /feeds/core/detection-rules/link-qr-code-with-phishing-disposition-in-img-or-pdf-8e8949f6 | |
Link: QR Code with suspicious language (untrusted sender) | Sublime Security | 7mo ago Jul 30th, 2025 | /feeds/core/detection-rules/link-qr-code-with-suspicious-language-untrusted-sender-25a84d1c | |
Link: Recipient email address in 'eta' parameter | Sublime Security | 1mo ago Jan 27th, 2026 | /feeds/core/detection-rules/link-recipient-email-address-in-eta-parameter-d24e42a2 | |
Link: Romance/Sexual Language With Suspicious Link | Sublime Security | 6mo ago Aug 22nd, 2025 | /feeds/core/detection-rules/link-romancesexual-language-with-suspicious-link-d5694cae | |
Link: ScreenConnect installer with suspicious relay domain | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-screenconnect-installer-with-suspicious-relay-domain-37d21eef | |
Link: Secure SharePoint file share from new or unusual sender | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-secure-sharepoint-file-share-from-new-or-unusual-sender-74ed3020 | |
Link: Self-sender with sender org in subject and credential theft indicator | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-self-sender-with-sender-org-in-subject-and-credential-theft-indicator-bfa9aa08 | |
Link: Self-sent message with quarterly document review request | Sublime Security | 1mo ago Jan 21st, 2026 | /feeds/core/detection-rules/link-self-sent-message-with-quarterly-document-review-request-3c42cec6 | |
Link: SharePoint filename matches org name | Sublime Security | 1mo ago Feb 6th, 2026 | /feeds/core/detection-rules/link-sharepoint-filename-matches-org-name-cb954726 | |
Link: Spam website with evasion indicators | Sublime Security | 3mo ago Nov 25th, 2025 | /feeds/core/detection-rules/link-spam-website-with-evasion-indicators-08bcd353 | |
Link: Suspicious go.php redirect with document lure | Sublime Security | 1mo ago Feb 6th, 2026 | /feeds/core/detection-rules/link-suspicious-gophp-redirect-with-document-lure-f3d8c227 | |
Link: Suspicious SharePoint document name | Sublime Security | 25d ago Feb 13th, 2026 | /feeds/core/detection-rules/link-suspicious-sharepoint-document-name-f95fee6e | |
Link: Suspicious URL with recipient targeting and special characters | Sublime Security | 17d ago Feb 21st, 2026 | /feeds/core/detection-rules/link-suspicious-url-with-recipient-targeting-and-special-characters-e808be3a | |
Link to auto-downloaded file with Google Drive branding | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-to-auto-downloaded-file-with-google-drive-branding-4b5343be | |
Link to Google Apps Script macro via comment tagging | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-to-google-apps-script-macro-via-comment-tagging-66fecd30 | |
Link: Tycoon2FA phishing kit (non-exhaustive) | Sublime Security | 1mo ago Jan 23rd, 2026 | /feeds/core/detection-rules/link-tycoon2fa-phishing-kit-non-exhaustive-a070d4e2 | |
Link: Uncommon SharePoint document type with sender's display name | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/link-uncommon-sharepoint-document-type-with-senders-display-name-02d290b2 | |
Link: URL fragment with hexadecimal pattern obfuscation | Sublime Security | 1mo ago Jan 29th, 2026 | /feeds/core/detection-rules/link-url-fragment-with-hexadecimal-pattern-obfuscation-51f51aa0 | |
Link: URL scheme obfuscation via split HTML anchors | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-url-scheme-obfuscation-via-split-html-anchors-10375948 | |
Link: URL shortener with copy-paste instructions and credential theft language | Sublime Security | 1mo ago Feb 6th, 2026 | /feeds/core/detection-rules/link-url-shortener-with-copy-paste-instructions-and-credential-theft-language-a0a2c573 | |
Link: Webflow link from unsolicited sender | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/link-webflow-link-from-unsolicited-sender-d4f3b8cf | |
Link: WordPress login page with Blogspot Binance scam | Sublime Security | 21d ago Feb 17th, 2026 | /feeds/core/detection-rules/link-wordpress-login-page-with-blogspot-binance-scam-909dfae5 | |
Link: Zoho form link from unsolicited sender | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/link-zoho-form-link-from-unsolicited-sender-eb04a9f2 | |
Low reputation link to auto-downloaded HTML file with smuggling indicators | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/low-reputation-link-to-auto-downloaded-html-file-with-smuggling-indicators-339676c6 | |
Mass campaign: Cross Site Scripting (XSS) attempt | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/mass-campaign-cross-site-scripting-xss-attempt-6cbb7124 | |
Microsoft device code phishing | @ajpc500 | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/microsoft-device-code-phishing-61f3ae67 | |
Non-RFC compliant calendar files from unsolicited sender | Sublime Security | 5mo ago Oct 1st, 2025 | /feeds/core/detection-rules/non-rfc-compliant-calendar-files-from-unsolicited-sender-9859f100 | |
Notion suspicious file share | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/notion-suspicious-file-share-f7307929 | |
Open redirect: Cartoon Network | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/open-redirect-cartoon-network-7435e057 | |
Open redirect: giving.lluh.org | Sublime Security | 9mo ago May 23rd, 2025 | /feeds/core/detection-rules/open-redirect-givinglluhorg-a2bf1099 | |
Open redirect (go2.aspx) leading to Microsoft credential phishing | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/open-redirect-go2aspx-leading-to-microsoft-credential-phishing-51667096 | |
Open Redirect: Google domain with /url path and suspicious indicators | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/open-redirect-google-domain-with-url-path-and-suspicious-indicators-fc5adf74 | |
Open redirect: Klaviyo | Sublime Security | 2y ago May 14th, 2024 | /feeds/core/detection-rules/open-redirect-klaviyo-ce5a370a | |
Open redirect: marketing.edinburghairport.com | Sublime Security | 9mo ago May 23rd, 2025 | /feeds/core/detection-rules/open-redirect-marketingedinburghairportcom-33a47565 |