Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
QR code to auto-download of a suspicious file type (unsolicited) | Sublime Security | 4mo ago Oct 17th, 2025 | /feeds/core/detection-rules/qr-code-to-auto-download-of-a-suspicious-file-type-unsolicited-eed87ea2 | |
QR Code with suspicious indicators | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/qr-code-with-suspicious-indicators-04f5c34f | |
Reconnaissance: Email address harvesting attempt | Sublime Security | 15d ago Feb 23rd, 2026 | /feeds/core/detection-rules/reconnaissance-email-address-harvesting-attempt-bb31efbc | |
Recruitee Infrastructure Abuse | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/recruitee-infrastructure-abuse-31cab83d | |
Request for Quote or Purchase (RFQ\|RFP) with HTML smuggling attachment | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-html-smuggling-attachment-a47a5755 | |
Request for Quote or Purchase (RFQ\|RFP) with suspicious sender or recipient pattern | Sublime Security | 18h ago Mar 9th, 2026 | /feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-suspicious-sender-or-recipient-pattern-2ac0d329 | |
Salesforce infrastructure abuse | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/salesforce-infrastructure-abuse-78a77c70 | |
Self-sent fake PDF attachment with misleading link | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/self-sent-fake-pdf-attachment-with-misleading-link-8a285d2e | |
Service abuse: Apple TestFlight with suspicious developer reference | Sublime Security | 1mo ago Feb 6th, 2026 | /feeds/core/detection-rules/service-abuse-apple-testflight-with-suspicious-developer-reference-e7ea0ee0 | |
Service abuse: AppSheet infrastructure with suspicious indicators | Sublime Security | 5mo ago Oct 6th, 2025 | /feeds/core/detection-rules/service-abuse-appsheet-infrastructure-with-suspicious-indicators-5937646a | |
Service abuse: Callback phishing via Microsoft Teams invite | Sublime Security | 2mo ago Dec 12th, 2025 | /feeds/core/detection-rules/service-abuse-callback-phishing-via-microsoft-teams-invite-13e35e5f | |
Service abuse: File sharing impersonation with external SharePoint links | Sublime Security | 16h ago Mar 9th, 2026 | /feeds/core/detection-rules/service-abuse-file-sharing-impersonation-with-external-sharepoint-links-729661f2 | |
Service abuse: FlipHTML5 with attachment deception and credential theft language | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-fliphtml5-with-attachment-deception-and-credential-theft-language-02464799 | |
Service abuse: Formester with suspicious link behavior | Sublime Security | 2mo ago Dec 19th, 2025 | /feeds/core/detection-rules/service-abuse-formester-with-suspicious-link-behavior-e4b74fd4 | |
Service abuse: Google account notification with links to free file host | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/service-abuse-google-account-notification-with-links-to-free-file-host-59786115 | |
Service abuse: Google application integration redirecting to suspicious hosts | Sublime Security | 2mo ago Dec 17th, 2025 | /feeds/core/detection-rules/service-abuse-google-application-integration-redirecting-to-suspicious-hosts-473d3247 | |
Service abuse: Monday.com infrastructure with phishing intent | Sublime Security | 18h ago Mar 9th, 2026 | /feeds/core/detection-rules/service-abuse-mondaycom-infrastructure-with-phishing-intent-a346e3b1 | |
Service abuse: Nylas tracking subdomain with suspicious content | Sublime Security | 4d ago Mar 6th, 2026 | /feeds/core/detection-rules/service-abuse-nylas-tracking-subdomain-with-suspicious-content-a3a6c896 | |
Service abuse: Random Google Firebase sender address with suspicious content | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-random-google-firebase-sender-address-with-suspicious-content-9f8899a9 | |
Service abuse: SendGrid-formatted link with actor-controlled fragment | Sublime Security | 3mo ago Nov 24th, 2025 | /feeds/core/detection-rules/service-abuse-sendgrid-formatted-link-with-actor-controlled-fragment-cb511fe9 | |
Service abuse: Vimeo with external plain-text links in message | Sublime Security | 4d ago Mar 6th, 2026 | /feeds/core/detection-rules/service-abuse-vimeo-with-external-plain-text-links-in-message-ba94ae6b | |
Service abuse: Wix redirect through bulk mailer domains | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-wix-redirect-through-bulk-mailer-domains-60af216d | |
Sharepoint file share with suspicious recipients pattern | Sublime Security | 2y ago Mar 27th, 2024 | /feeds/core/detection-rules/sharepoint-file-share-with-suspicious-recipients-pattern-998a0826 | |
Sharepoint link likely unrelated to sender | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/sharepoint-link-likely-unrelated-to-sender-6870f489 | |
Shopify infrastructure abuse | Sublime Security | 2y ago Nov 13th, 2024 | /feeds/core/detection-rules/shopify-infrastructure-abuse-844ff164 | |
Spam: Commonly observed formatting of unauthorized free giveaways | Sublime Security | 1mo ago Jan 14th, 2026 | /feeds/core/detection-rules/spam-commonly-observed-formatting-of-unauthorized-free-giveaways-8bc49fa3 | |
Spam: Fake dating profile notification | Sublime Security | 3mo ago Dec 3rd, 2025 | /feeds/core/detection-rules/spam-fake-dating-profile-notification-0f33fea2 | |
Spam: Fake photo share | Sublime Security | 4mo ago Nov 8th, 2025 | /feeds/core/detection-rules/spam-fake-photo-share-eb086f7d | |
Spam: Firebase password reset from suspicious sender | Sublime Security | 3mo ago Dec 2nd, 2025 | /feeds/core/detection-rules/spam-firebase-password-reset-from-suspicious-sender-a2f673a9 | |
Spam/fraud: Predatory journal/research paper request | Sublime Security | 4mo ago Nov 3rd, 2025 | /feeds/core/detection-rules/spamfraud-predatory-journalresearch-paper-request-263ca56b | |
Spam: Link to blob.core.windows.net from new domain (<30d) | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/spam-link-to-blobcorewindowsnet-from-new-domain-less30d-a09b3800 | |
Spam: New job cold outreach from unsolicited sender | Sublime Security | 5mo ago Sep 29th, 2025 | /feeds/core/detection-rules/spam-new-job-cold-outreach-from-unsolicited-sender-ec39b789 | |
Spam: New link domain (<=10d) and emojis | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/spam-new-link-domain-less10d-and-emojis-33677993 | |
Spam: Single recipient duplicated in cc | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/spam-single-recipient-duplicated-in-cc-387cacc9 | |
Spam: Unsolicited WordPress account creation or password reset request | Sublime Security | 3mo ago Nov 24th, 2025 | /feeds/core/detection-rules/spam-unsolicited-wordpress-account-creation-or-password-reset-request-e182b6b2 | |
Spam: URL shortener with short body content and emojis | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/spam-url-shortener-with-short-body-content-and-emojis-b7797e4c | |
Suspicious attachment with unscannable Cloudflare link | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspicious-attachment-with-unscannable-cloudflare-link-00f92b6f | |
Suspicious Links to Cloudflare R2 and Edge Services | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspicious-links-to-cloudflare-r2-and-edge-services-5dd3e5c8 | |
Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspicious-link-to-looker-studio-lookerstudiogooglecom-from-a-new-and-unsolicited-sender-dbb50cb4 | |
Suspicious message with unscannable Cloudflare link | Sublime Security | 5mo ago Sep 22nd, 2025 | /feeds/core/detection-rules/suspicious-message-with-unscannable-cloudflare-link-70ea21f9 | |
Suspicious message with unscannable Vercel link | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/suspicious-message-with-unscannable-vercel-link-b5acffe7 | |
Suspicious newly registered reply-to domain with engaging financial or urgent language | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspicious-newly-registered-reply-to-domain-with-engaging-financial-or-urgent-language-db4d9bb3 | |
Suspicious Office 365 app authorization (OAuth) link | Sublime Security | 5d ago Mar 5th, 2026 | /feeds/core/detection-rules/suspicious-office-365-app-authorization-oauth-link-13a8c430 | |
Suspicious recipient pattern and language with low reputation link to login | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspicious-recipient-pattern-and-language-with-low-reputation-link-to-login-a8ea0402 | |
Suspicious recipients pattern with NLU credential theft indicators | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspicious-recipients-pattern-with-nlu-credential-theft-indicators-8e121c3e | |
Suspicious recipients pattern with no Compauth pass and suspicious content | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspicious-recipients-pattern-with-no-compauth-pass-and-suspicious-content-34fb65f6 | |
Suspicious SharePoint file sharing | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/suspicious-sharepoint-file-sharing-971c3d9c | |
Tax Form: W-8BEN solicitation | Sublime Security | 15d ago Feb 23rd, 2026 | /feeds/core/detection-rules/tax-form-w-8ben-solicitation-a64edb69 | |
Truth Social infrastructure abuse via link redirect | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/truth-social-infrastructure-abuse-via-link-redirect-aaaa30a8 | |
Twitter infrastructure abuse via link shortener | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/twitter-infrastructure-abuse-via-link-shortener-99ca165e |