Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Attachment: Adobe image lure in body or attachment with suspicious link | Sublime Security | 18d ago Jan 5th, 2026 | /feeds/core/detection-rules/attachment-adobe-image-lure-in-body-or-attachment-with-suspicious-link-1d7add81 | |
Attachment: Calendar invite with suspicious link leading to an open redirect | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-calendar-invite-with-suspicious-link-leading-to-an-open-redirect-5d6294c7 | |
Attachment: Callback phishing solicitation via image file | @vector_sec | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-image-file-60acbb36 | |
Attachment: DocuSign impersonation via PDF linking to new domain | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-docusign-impersonation-via-pdf-linking-to-new-domain-f0c96282 | |
Attachment: EML file with IPFS links | Sublime Security | 2mo ago Nov 4th, 2025 | /feeds/core/detection-rules/attachment-eml-file-with-ipfs-links-1fe9d7e7 | |
Attachment: EML with link to credential phishing page | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-eml-with-link-to-credential-phishing-page-1df41cca | |
Attachment: EML with SharePoint files shared from GoDaddy federated tenants | Sublime Security | 4mo ago Sep 23rd, 2025 | /feeds/core/detection-rules/attachment-eml-with-sharepoint-files-shared-from-godaddy-federated-tenants-02c1f590 | |
Attachment: EML with Sharepoint link likely unrelated to sender | Sublime Security | 4mo ago Sep 23rd, 2025 | /feeds/core/detection-rules/attachment-eml-with-sharepoint-link-likely-unrelated-to-sender-0a4fd31b | |
Attachment: Fake Slack installer | Sublime Security | 3y ago Nov 29th, 2023 | /feeds/core/detection-rules/attachment-fake-slack-installer-cded2d2f | |
Attachment: Fake voicemail via PDF | Sublime Security | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-fake-voicemail-via-pdf-d3587209 | |
Attachment: Fake Zoom installer | Sublime Security | 3y ago Nov 29th, 2023 | /feeds/core/detection-rules/attachment-fake-zoom-installer-840a12a6 | |
Attachment: HTML smuggling 'body onload' linking to suspicious destination | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-body-onload-linking-to-suspicious-destination-c1e2beed | |
Attachment: HTML smuggling Microsoft sign in | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-microsoft-sign-in-878d6385 | |
Attachment: HTML smuggling - QR Code with suspicious links | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-qr-code-with-suspicious-links-010e757d | |
Attachment: HTML smuggling with atob and high entropy | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-03fcac11 | |
Attachment: HTML smuggling with auto-downloaded file | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-auto-downloaded-file-abf724f5 | |
Attachment: Legal themed message or PDF with suspicious indicators | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-legal-themed-message-or-pdf-with-suspicious-indicators-19133301 | |
Attachment: Link to Doubleclick.net open redirect | Sublime Security | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-link-to-doubleclicknet-open-redirect-506c16cc | |
Attachment: Office document loads remote document template | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-document-loads-remote-document-template-d9601104 | |
Attachment: Office document with VSTO add-in | @vector_sec | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-document-with-vsto-add-in-27afa730 | |
Attachment: Office file contains OLE relationship to credential phishing page | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-contains-ole-relationship-to-credential-phishing-page-d55793d0 | |
Attachment: Office file with credential phishing URLs | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-credential-phishing-urls-b2cae98d | |
Attachment: PDF file with link to fake Bitcoin exchange | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-link-to-fake-bitcoin-exchange-47601cb7 | |
Attachment: PDF file with low reputation link to ZIP file (unsolicited) | Michael Tingle | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-link-to-zip-file-unsolicited-d1ee2859 | |
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited) | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-credential-theft-language-and-link-to-a-free-subdomain-unsolicited-90f4ef4e | |
Attachment: PDF with link to DMG file download | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-link-to-dmg-file-download-2c486fe0 | |
Attachment: PDF with link to zip containing a wsf file | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-link-to-zip-containing-a-wsf-file-93bc7db4 | |
Attachment: PDF with recipient email in link | Sublime Security | 2d ago Jan 21st, 2026 | /feeds/core/detection-rules/attachment-pdf-with-recipient-email-in-link-0399d08f | |
Attachment: PDF with suspicious language and redirect to suspicious file type | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-language-and-redirect-to-suspicious-file-type-adda3c3f | |
Attachment: QR code with credential phishing indicators | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-qr-code-with-credential-phishing-indicators-9f1681e1 | |
Attachment: QR code with recipient targeting and special characters | Sublime Security | 2d ago Jan 21st, 2026 | /feeds/core/detection-rules/attachment-qr-code-with-recipient-targeting-and-special-characters-fc9e1c09 | |
Attachment: RTF file with suspicious link | Sublime Security | 6mo ago Jul 23rd, 2025 | /feeds/core/detection-rules/attachment-rtf-file-with-suspicious-link-c848f9aa | |
Attachment: Small text file with link containing recipient email address | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-small-text-file-with-link-containing-recipient-email-address-c0472c9d | |
Brand impersonation: AliExpress | Sublime Security | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/brand-impersonation-aliexpress-b14703d8 | |
Brand impersonation: Chase bank with credential phishing indicators | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/brand-impersonation-chase-bank-with-credential-phishing-indicators-d9577856 | |
Brand impersonation: Coinbase with suspicious links | Sublime Security | 4mo ago Sep 22nd, 2025 | /feeds/core/detection-rules/brand-impersonation-coinbase-with-suspicious-links-b61e2f8e | |
Brand impersonation: DocuSign | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/brand-impersonation-docusign-4d29235c | |
Brand impersonation: DocuSign PDF attachment with suspicious link | Sublime Security | 3mo ago Oct 22nd, 2025 | /feeds/core/detection-rules/brand-impersonation-docusign-pdf-attachment-with-suspicious-link-2601cbb7 | |
Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains | Sublime Security | 1mo ago Dec 10th, 2025 | /feeds/core/detection-rules/brand-impersonation-fake-docusign-html-table-not-linking-to-docusign-domains-28923dde | |
Brand impersonation: Fake Fax | Sublime Security | 2d ago Jan 21st, 2026 | /feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a | |
Brand Impersonation: Gemini Trust Company | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/brand-impersonation-gemini-trust-company-99574c94 | |
Brand impersonation: Google Careers | Sublime Security | 2mo ago Nov 12th, 2025 | /feeds/core/detection-rules/brand-impersonation-google-careers-cf2d97ad | |
Brand impersonation: Google Drive fake file share | Sublime Security | 1mo ago Dec 19th, 2025 | /feeds/core/detection-rules/brand-impersonation-google-drive-fake-file-share-b424a941 | |
Brand impersonation: Google fake sign-in warning | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/brand-impersonation-google-fake-sign-in-warning-2d998eee | |
Brand impersonation: Google Workspace alert notification | Sublime Security | 1mo ago Dec 2nd, 2025 | /feeds/core/detection-rules/brand-impersonation-google-workspace-alert-notification-143ffbc4 | |
Brand impersonation: Microsoft logo or suspicious language with open redirect | Sublime Security | 2y ago Mar 7th, 2024 | /feeds/core/detection-rules/brand-impersonation-microsoft-logo-or-suspicious-language-with-open-redirect-27b8d8d8 | |
Brand impersonation: Microsoft Planner with suspicious link | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/brand-impersonation-microsoft-planner-with-suspicious-link-ea363c08 | |
Brand impersonation: Microsoft Teams invitation | Sublime Security | 1mo ago Dec 15th, 2025 | /feeds/core/detection-rules/brand-impersonation-microsoft-teams-invitation-46410ad8 | |
Brand impersonation: Microsoft with low reputation links | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6 | |
Brand impersonation: Navan | Sublime Security | 4mo ago Sep 22nd, 2025 | /feeds/core/detection-rules/brand-impersonation-navan-3573e9a8 |