Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Service abuse: Roomsy with unrelated body content | Sublime Security | 3mo ago Dec 2nd, 2025 | /feeds/core/detection-rules/service-abuse-roomsy-with-unrelated-body-content-18e08a5a | |
Service abuse: Sendgrid credential theft with personalized request targeting single recipient | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-sendgrid-credential-theft-with-personalized-request-targeting-single-recipient-b9680da1 | |
Service abuse: SendGrid impersonation via Sendgrid from new sender | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-sendgrid-impersonation-via-sendgrid-from-new-sender-aa5d18ca | |
Service abuse: SurveyMonkey survey from newly registered domain | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-surveymonkey-survey-from-newly-registered-domain-50a85fa7 | |
Service abuse: Suspicious Zoom Docs link | Sublime Security | 3mo ago Dec 2nd, 2025 | /feeds/core/detection-rules/service-abuse-suspicious-zoom-docs-link-064b2594 | |
Service abuse: Task management message sent via SendGrid | Sublime Security | 5mo ago Oct 6th, 2025 | /feeds/core/detection-rules/service-abuse-task-management-message-sent-via-sendgrid-568a63f5 | |
Service abuse: Trello board invitation with VIP impersonation | Sublime Security | 1mo ago Feb 3rd, 2026 | /feeds/core/detection-rules/service-abuse-trello-board-invitation-with-vip-impersonation-fedfc94b | |
Sharepoint file share with suspicious recipients pattern | Sublime Security | 2y ago Mar 27th, 2024 | /feeds/core/detection-rules/sharepoint-file-share-with-suspicious-recipients-pattern-998a0826 | |
Sharepoint link likely unrelated to sender | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/sharepoint-link-likely-unrelated-to-sender-6870f489 | |
Sharepoint online with external recipients and external display name | @vector_sec | 3y ago Aug 17th, 2023 | /feeds/core/detection-rules/sharepoint-online-with-external-recipients-and-external-display-name-5579bb4b | |
SharePoint OTP for filename matching org name | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/sharepoint-otp-for-filename-matching-org-name-89911cbd | |
Shopify infrastructure abuse | Sublime Security | 2y ago Nov 13th, 2024 | /feeds/core/detection-rules/shopify-infrastructure-abuse-844ff164 | |
Spam: BlackBaud infrastructure abuse | Sublime Security | 2y ago Jan 17th, 2024 | /feeds/core/detection-rules/spam-blackbaud-infrastructure-abuse-3db46591 | |
Spam: Fake dating profile notification | Sublime Security | 3mo ago Dec 3rd, 2025 | /feeds/core/detection-rules/spam-fake-dating-profile-notification-0f33fea2 | |
Spam: Firebase password reset from suspicious sender | Sublime Security | 3mo ago Dec 2nd, 2025 | /feeds/core/detection-rules/spam-firebase-password-reset-from-suspicious-sender-a2f673a9 | |
Spam: Link to blob.core.windows.net from new domain (<30d) | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/spam-link-to-blobcorewindowsnet-from-new-domain-less30d-a09b3800 | |
Spam: Mastercard promotional content with image-based body | Sublime Security | 4mo ago Nov 5th, 2025 | /feeds/core/detection-rules/spam-mastercard-promotional-content-with-image-based-body-5f2cb559 | |
Spam: Personalized subject and greetings via Salesforce Marketing Cloud | Sublime Security | 4mo ago Nov 3rd, 2025 | /feeds/core/detection-rules/spam-personalized-subject-and-greetings-via-salesforce-marketing-cloud-c77f127f | |
Spam: Sendersrv.com with financial communications and unsubscribe language | Sublime Security | 14d ago Feb 24th, 2026 | /feeds/core/detection-rules/spam-sendersrvcom-with-financial-communications-and-unsubscribe-language-69570820 | |
Spam: Single recipient duplicated in cc | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/spam-single-recipient-duplicated-in-cc-387cacc9 | |
Spam: Unsolicited WordPress account creation or password reset request | Sublime Security | 3mo ago Nov 24th, 2025 | /feeds/core/detection-rules/spam-unsolicited-wordpress-account-creation-or-password-reset-request-e182b6b2 | |
SPF temp error | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/spf-temp-error-2df7e839 | |
Spoofable internal domain with suspicious signals | Sublime Security | 7mo ago Jul 23rd, 2025 | /feeds/core/detection-rules/spoofable-internal-domain-with-suspicious-signals-40089d69 | |
Stripe invoice abuse | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/stripe-invoice-abuse-90162d16 | |
Subject and sender display name contains matching long alphanumeric string | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/subject-and-sender-display-name-contains-matching-long-alphanumeric-string-a8a0c831 | |
Subject: Suspicious bracketed reference | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/subject-suspicious-bracketed-reference-663dbce4 | |
Suspicious attachment with unscannable Cloudflare link | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspicious-attachment-with-unscannable-cloudflare-link-00f92b6f | |
Suspicious DocuSign share from new domain | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/suspicious-docusign-share-from-new-domain-d430a1f3 | |
Suspicious Links to Cloudflare R2 and Edge Services | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspicious-links-to-cloudflare-r2-and-edge-services-5dd3e5c8 | |
Suspicious mailer received from Gmail servers | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/suspicious-mailer-received-from-gmail-servers-f05f04ee | |
Suspicious message with unscannable Cloudflare link | Sublime Security | 5mo ago Sep 22nd, 2025 | /feeds/core/detection-rules/suspicious-message-with-unscannable-cloudflare-link-70ea21f9 | |
Suspicious message with unscannable Vercel link | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/suspicious-message-with-unscannable-vercel-link-b5acffe7 | |
Suspicious newly registered reply-to domain with engaging financial or urgent language | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspicious-newly-registered-reply-to-domain-with-engaging-financial-or-urgent-language-db4d9bb3 | |
Suspicious recipient pattern and language with low reputation link to login | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspicious-recipient-pattern-and-language-with-low-reputation-link-to-login-a8ea0402 | |
Suspicious recipients pattern with NLU credential theft indicators | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspicious-recipients-pattern-with-nlu-credential-theft-indicators-8e121c3e | |
Suspicious recipients pattern with no Compauth pass and suspicious content | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspicious-recipients-pattern-with-no-compauth-pass-and-suspicious-content-34fb65f6 | |
Suspicious request for financial information | Sublime Security | 3mo ago Dec 6th, 2025 | /feeds/core/detection-rules/suspicious-request-for-financial-information-4ebdaa4d | |
Suspicious SharePoint file sharing | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/suspicious-sharepoint-file-sharing-971c3d9c | |
Tax Form: W-8BEN solicitation | Sublime Security | 15d ago Feb 23rd, 2026 | /feeds/core/detection-rules/tax-form-w-8ben-solicitation-a64edb69 | |
Unusually long local part from untrusted sender address | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/unusually-long-local-part-from-untrusted-sender-address-91a9cd45 | |
VIP / Executive impersonation in subject (untrusted) | Sublime Security | 6mo ago Aug 14th, 2025 | /feeds/core/detection-rules/vip-executive-impersonation-in-subject-untrusted-0a641fe5 | |
VIP / Executive impersonation (strict match, untrusted) | Sublime Security | 13d ago Feb 25th, 2026 | /feeds/core/detection-rules/vip-executive-impersonation-strict-match-untrusted-e42c84b7 | |
VIP impersonation: Fake thread with display name match, email mismatch | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/vip-impersonation-fake-thread-with-display-name-match-email-mismatch-11cc3e28 | |
VIP Impersonation via Google Group relay with suspicious indicators | Sublime Security | 3mo ago Nov 12th, 2025 | /feeds/core/detection-rules/vip-impersonation-via-google-group-relay-with-suspicious-indicators-57f9cd3b | |
VIP impersonation with charitable donation fraud | Sublime Security | 3mo ago Nov 12th, 2025 | /feeds/core/detection-rules/vip-impersonation-with-charitable-donation-fraud-35a56b8e | |
VIP impersonation with invoicing request | Sublime Security | 2y ago Apr 23rd, 2024 | /feeds/core/detection-rules/vip-impersonation-with-invoicing-request-a60f89a0 | |
VIP impersonation with w2 request with reply-to mismatch | Sublime Security | 11d ago Feb 27th, 2026 | /feeds/core/detection-rules/vip-impersonation-with-w2-request-with-reply-to-mismatch-e7e73fad | |
VIP local_part impersonation from unsolicited sender | Sublime Security | 6mo ago Aug 12th, 2025 | /feeds/core/detection-rules/vip-localpart-impersonation-from-unsolicited-sender-74035fdc | |
Xero infrastructure abuse | Sublime Security | 4mo ago Nov 3rd, 2025 | /feeds/core/detection-rules/xero-infrastructure-abuse-918c4bd3 | |
X (Twitter) impersonation with credential phishing motives | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/x-twitter-impersonation-with-credential-phishing-motives-0b60dca6 |