Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Attachment: ICS with embedded Javascript in SVG file | Sublime Security | 1mo ago Jan 29th, 2026 | /feeds/core/detection-rules/attachment-ics-with-embedded-javascript-in-svg-file-d5201a19 | |
Attachment: Invoice and W-9 PDFs with suspicious creators | Sublime Security | 1mo ago Jan 21st, 2026 | /feeds/core/detection-rules/attachment-invoice-and-w-9-pdfs-with-suspicious-creators-305d6e32 | |
Attachment: JavaScript file with suspicious base64-encoded executable | Sublime Security | 2y ago Apr 1st, 2024 | /feeds/core/detection-rules/attachment-javascript-file-with-suspicious-base64-encoded-executable-b8db0cf3 | |
Attachment: Legal themed message or PDF with suspicious indicators | Sublime Security | 1mo ago Feb 5th, 2026 | /feeds/core/detection-rules/attachment-legal-themed-message-or-pdf-with-suspicious-indicators-19133301 | |
Attachment: Link file with UNC path | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-link-file-with-unc-path-3b7ee0fb | |
Attachment: Link to Doubleclick.net open redirect | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-link-to-doubleclicknet-open-redirect-506c16cc | |
Attachment: LNK file | @ajpc500 | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-lnk-file-44532abe | |
Attachment: LNK with embedded content | @ajpc500 | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-lnk-with-embedded-content-41452f7a | |
Attachment: Macro files containing MHT content | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-macro-files-containing-mht-content-4d54e40b | |
Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation | @ajpc500 | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-macro-with-suspected-use-of-com-shellbrowserwindow-object-for-process-creation-527fc7f0 | |
Attachment: Malformed OLE file | Sublime Security | 2y ago Nov 25th, 2024 | /feeds/core/detection-rules/attachment-malformed-ole-file-5aadc68f | |
Attachment: Malicious OneNote commands | @Kyle_Parrish_ | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-malicious-onenote-commands-7319f0eb | |
Attachment: Microsoft 365 credential phishing | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-microsoft-365-credential-phishing-edce0229 | |
Attachment: Microsoft impersonation via PDF with link and suspicious language | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-microsoft-impersonation-via-pdf-with-link-and-suspicious-language-70d41c7f | |
Attachment: MSI installer file | @ajpc500 | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-msi-installer-file-ae17b1a9 | |
Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK | Sublime Security | 1mo ago Jan 28th, 2026 | /feeds/core/detection-rules/attachment-ms-office-or-rtf-file-with-shellexplorer1-com-object-with-embedded-lnk-53a29f61 | |
Attachment: Office document loads remote document template | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-document-loads-remote-document-template-d9601104 | |
Attachment: Office document with VSTO add-in | @vector_sec | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-document-with-vsto-add-in-27afa730 | |
Attachment: Office file contains OLE relationship to credential phishing page | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-contains-ole-relationship-to-credential-phishing-page-d55793d0 | |
Attachment: Office file with credential phishing URLs | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-credential-phishing-urls-b2cae98d | |
Attachment: Office file with document sharing and browser instruction lures | Sublime Security | 1mo ago Jan 29th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-document-sharing-and-browser-instruction-lures-b1250a4b | |
Attachment: Office file with suspicious function calls or downloaded file path | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-suspicious-function-calls-or-downloaded-file-path-4c78b969 | |
Attachment: Password-protected PDF with fake document indicators | Sublime Security | 1mo ago Jan 21st, 2026 | /feeds/core/detection-rules/attachment-password-protected-pdf-with-fake-document-indicators-b45e4440 | |
Attachment: PDF contains W9 or invoice YARA signatures | Sublime Security | 1mo ago Feb 4th, 2026 | /feeds/core/detection-rules/attachment-pdf-contains-w9-or-invoice-yara-signatures-9a8e8a98 | |
Attachment: PDF file with link to fake Bitcoin exchange | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-link-to-fake-bitcoin-exchange-47601cb7 | |
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited) | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-links-to-suspicious-filetypes-unsolicited-6144f880 | |
Attachment: PDF file with low reputation link to ZIP file (unsolicited) | Michael Tingle | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-link-to-zip-file-unsolicited-d1ee2859 | |
Attachment: PDF generated with wkhtmltopdf tool and default title | Sublime Security | 2mo ago Dec 19th, 2025 | /feeds/core/detection-rules/attachment-pdf-generated-with-wkhtmltopdf-tool-and-default-title-64e6c8a8 | |
Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification | Sublime Security | 8d ago Mar 2nd, 2026 | /feeds/core/detection-rules/attachment-pdf-object-hash-encrypted-pdfs-with-fake-payment-notification-a8a19bae | |
Attachment: PDF with a suspicious string and single URL | Sublime Security | 8d ago Mar 2nd, 2026 | /feeds/core/detection-rules/attachment-pdf-with-a-suspicious-string-and-single-url-3bdbb7ad | |
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited) | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-credential-theft-language-and-link-to-a-free-subdomain-unsolicited-90f4ef4e | |
Attachment: PDF with link to DMG file download | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-link-to-dmg-file-download-2c486fe0 | |
Attachment: PDF with link to zip containing a wsf file | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-link-to-zip-containing-a-wsf-file-93bc7db4 | |
Attachment: PDF with Microsoft Purview message impersonation | Sublime Security | 3mo ago Nov 10th, 2025 | /feeds/core/detection-rules/attachment-pdf-with-microsoft-purview-message-impersonation-571d4964 | |
Attachment: PDF with multistage landing - ClickUp abuse | Sublime Security | 11d ago Feb 27th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-multistage-landing-clickup-abuse-0dc40316 | |
Attachment: PDF with password in filename matching body text | Sublime Security | 19d ago Feb 19th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-password-in-filename-matching-body-text-2c9c3b24 | |
Attachment: PDF with personal Microsoft OneNote URL | Sublime Security | 3mo ago Dec 4th, 2025 | /feeds/core/detection-rules/attachment-pdf-with-personal-microsoft-onenote-url-0675bbc5 | |
Attachment: PDF with recipient email in link | Sublime Security | 7d ago Mar 3rd, 2026 | /feeds/core/detection-rules/attachment-pdf-with-recipient-email-in-link-0399d08f | |
Attachment: PDF with ReportLab library and default metadata | Sublime Security | 11d ago Feb 27th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-reportlab-library-and-default-metadata-7094bfdd | |
Attachment: PDF with suspicious HeadlessChrome metadata | Sublime Security | 2mo ago Jan 8th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-headlesschrome-metadata-eda99b1d | |
Attachment: PDF with suspicious language and redirect to suspicious file type | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-language-and-redirect-to-suspicious-file-type-adda3c3f | |
Attachment: PDF with suspicious link and action-oriented language | Sublime Security | 4d ago Mar 6th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-link-and-action-oriented-language-816d33a0 | |
Attachment: Potential sandbox evasion in Office file | @ajpc500 | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-potential-sandbox-evasion-in-office-file-1c591681 | |
Attachment: PowerPoint with suspicious hyperlink | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-powerpoint-with-suspicious-hyperlink-0a999fb1 | |
Attachment: PowerShell content | @ajpc500 | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-powershell-content-c12566db | |
Attachment: QR code link with base64-encoded recipient address | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a | |
Attachment: QR code with encoded recipient targeting and redirect indicators | Sublime Security | 1mo ago Jan 30th, 2026 | /feeds/core/detection-rules/attachment-qr-code-with-encoded-recipient-targeting-and-redirect-indicators-5d51e565 | |
Attachment: QR code with recipient targeting and special characters | Sublime Security | 17d ago Feb 21st, 2026 | /feeds/core/detection-rules/attachment-qr-code-with-recipient-targeting-and-special-characters-fc9e1c09 | |
Attachment: QR code with suspicious URL patterns in EML file | Sublime Security | 17d ago Feb 21st, 2026 | /feeds/core/detection-rules/attachment-qr-code-with-suspicious-url-patterns-in-eml-file-2289acd5 | |
Attachment: QR code with userinfo portion | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-qr-code-with-userinfo-portion-9d62cc5c | |