Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Attachment: LNK with embedded content | @ajpc500 | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-lnk-with-embedded-content-41452f7a | |
Attachment: Macro files containing MHT content | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-macro-files-containing-mht-content-4d54e40b | |
Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation | @ajpc500 | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-macro-with-suspected-use-of-com-shellbrowserwindow-object-for-process-creation-527fc7f0 | |
Attachment: Malformed OLE file | Sublime Security | 2y ago Nov 25th, 2024 | /feeds/core/detection-rules/attachment-malformed-ole-file-5aadc68f | |
Attachment: Malicious OneNote commands | @Kyle_Parrish_ | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-malicious-onenote-commands-7319f0eb | |
Attachment: Microsoft 365 credential phishing | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-microsoft-365-credential-phishing-edce0229 | |
Attachment: Microsoft impersonation via PDF with link and suspicious language | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-microsoft-impersonation-via-pdf-with-link-and-suspicious-language-70d41c7f | |
Attachment: MSI installer file | @ajpc500 | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-msi-installer-file-ae17b1a9 | |
Attachment: Office document loads remote document template | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-document-loads-remote-document-template-d9601104 | |
Attachment: Office document with VSTO add-in | @vector_sec | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-document-with-vsto-add-in-27afa730 | |
Attachment: Office file contains OLE relationship to credential phishing page | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-contains-ole-relationship-to-credential-phishing-page-d55793d0 | |
Attachment: Office file with credential phishing URLs | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-credential-phishing-urls-b2cae98d | |
Attachment: Office file with document sharing and browser instruction lures | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-document-sharing-and-browser-instruction-lures-b1250a4b | |
Attachment: Office file with suspicious function calls or downloaded file path | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-suspicious-function-calls-or-downloaded-file-path-4c78b969 | |
Attachment: Password-protected PDF with fake document indicators | Sublime Security | 2d ago Jan 21st, 2026 | /feeds/core/detection-rules/attachment-password-protected-pdf-with-fake-document-indicators-b45e4440 | |
Attachment: PDF file with link to fake Bitcoin exchange | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-link-to-fake-bitcoin-exchange-47601cb7 | |
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited) | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-links-to-suspicious-filetypes-unsolicited-6144f880 | |
Attachment: PDF file with low reputation link to ZIP file (unsolicited) | Michael Tingle | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-link-to-zip-file-unsolicited-d1ee2859 | |
Attachment: PDF generated with wkhtmltopdf tool and default title | Sublime Security | 1mo ago Dec 19th, 2025 | /feeds/core/detection-rules/attachment-pdf-generated-with-wkhtmltopdf-tool-and-default-title-64e6c8a8 | |
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited) | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-credential-theft-language-and-link-to-a-free-subdomain-unsolicited-90f4ef4e | |
Attachment: PDF with link to DMG file download | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-link-to-dmg-file-download-2c486fe0 | |
Attachment: PDF with link to zip containing a wsf file | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-link-to-zip-containing-a-wsf-file-93bc7db4 | |
Attachment: PDF with Microsoft Purview message impersonation | Sublime Security | 2mo ago Nov 10th, 2025 | /feeds/core/detection-rules/attachment-pdf-with-microsoft-purview-message-impersonation-571d4964 | |
Attachment: PDF with personal Microsoft OneNote URL | Sublime Security | 1mo ago Dec 4th, 2025 | /feeds/core/detection-rules/attachment-pdf-with-personal-microsoft-onenote-url-0675bbc5 | |
Attachment: PDF with recipient email in link | Sublime Security | 2d ago Jan 21st, 2026 | /feeds/core/detection-rules/attachment-pdf-with-recipient-email-in-link-0399d08f | |
Attachment: PDF with suspicious HeadlessChrome metadata | Sublime Security | 15d ago Jan 8th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-headlesschrome-metadata-eda99b1d | |
Attachment: PDF with suspicious language and redirect to suspicious file type | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-language-and-redirect-to-suspicious-file-type-adda3c3f | |
Attachment: Potential sandbox evasion in Office file | @ajpc500 | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-potential-sandbox-evasion-in-office-file-1c591681 | |
Attachment: PowerPoint with suspicious hyperlink | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-powerpoint-with-suspicious-hyperlink-0a999fb1 | |
Attachment: PowerShell content | @ajpc500 | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-powershell-content-c12566db | |
Attachment: QR code link with base64-encoded recipient address | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a | |
Attachment: QR code with recipient targeting and special characters | Sublime Security | 2d ago Jan 21st, 2026 | /feeds/core/detection-rules/attachment-qr-code-with-recipient-targeting-and-special-characters-fc9e1c09 | |
Attachment: QR code with userinfo portion | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-qr-code-with-userinfo-portion-9d62cc5c | |
Attachment: RDP connection file | @ajpc500 | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-rdp-connection-file-2409a422 | |
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender | Sublime Security | 2mo ago Nov 4th, 2025 | /feeds/core/detection-rules/attachment-rfc822-containing-suspicious-file-sharing-language-with-links-from-untrusted-sender-d96854d7 | |
Attachment: RFP/RFQ impersonating government entities | Sublime Security | 2y ago Jan 30th, 2024 | /feeds/core/detection-rules/attachment-rfprfq-impersonating-government-entities-3b73e3b3 | |
Attachment: RTF file with suspicious link | Sublime Security | 6mo ago Jul 23rd, 2025 | /feeds/core/detection-rules/attachment-rtf-file-with-suspicious-link-c848f9aa | |
Attachment: RTF with embedded content | @amitchell516 | 2y ago Feb 26th, 2024 | /feeds/core/detection-rules/attachment-rtf-with-embedded-content-61dd2dd7 | |
Attachment: SFX archive containing commands | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-sfx-archive-containing-commands-343e6c8c | |
Attachment: Small text file with link containing recipient email address | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-small-text-file-with-link-containing-recipient-email-address-c0472c9d | |
Attachment: Soda PDF producer with encryption themes | Sublime Security | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-soda-pdf-producer-with-encryption-themes-af8eeca4 | |
Attachment soliciting user to enable macros | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-soliciting-user-to-enable-macros-e9d75515 | |
Attachment: Suspicious employee policy update document lure | Sublime Security | 28d ago Dec 26th, 2025 | /feeds/core/detection-rules/attachment-suspicious-employee-policy-update-document-lure-a8bf1fd1 | |
Attachment: Suspicious PDF created with headless browser | Sublime Security | 4mo ago Sep 17th, 2025 | /feeds/core/detection-rules/attachment-suspicious-pdf-created-with-headless-browser-8f3108d7 | |
Attachment: SVG file execution | Sublime Security | 5mo ago Aug 8th, 2025 | /feeds/core/detection-rules/attachment-svg-file-execution-084b0cde | |
Attachment: SVG files with evasion elements | Sublime Security | 5mo ago Aug 8th, 2025 | /feeds/core/detection-rules/attachment-svg-files-with-evasion-elements-5d2dbb60 | |
Attachment: Uncommon compressed file | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-uncommon-compressed-file-0c6fba7a | |
Attachment: USDA bid invitation impersonation | Sublime Security | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493 | |
Attachment: Web files with suspicious comments | Sublime Security | 5mo ago Aug 8th, 2025 | /feeds/core/detection-rules/attachment-web-files-with-suspicious-comments-93061d17 | |
Attachment: WinRAR CVE-2025-8088 exploitation | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-winrar-cve-2025-8088-exploitation-33b3a82b | |