Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Attachment: Calendar invite with suspicious link leading to an open redirect | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-calendar-invite-with-suspicious-link-leading-to-an-open-redirect-5d6294c7 | |
Attachment: Callback phishing solicitation via image file | @vector_sec | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-image-file-60acbb36 | |
Attachment: Callback phishing solicitation via pdf file | Sublime Security | 6mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097 | |
Attachment: PDF file with link to fake Bitcoin exchange | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-link-to-fake-bitcoin-exchange-47601cb7 | |
BEC/Fraud: Job scam fake thread or plaintext pivot to freemail | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/becfraud-job-scam-fake-thread-or-plaintext-pivot-to-freemail-ce21c151 | |
BEC/Fraud: Penpal scam | Sublime Security | 6mo ago Aug 5th, 2025 | /feeds/core/detection-rules/becfraud-penpal-scam-a4bdfa17 | |
BEC/Fraud: Romance scam | Sublime Security | 16d ago Jan 22nd, 2026 | /feeds/core/detection-rules/becfraud-romance-scam-0243cdaa | |
BEC/Fraud: Scam lure with freemail pivot | Sublime Security | 6mo ago Aug 5th, 2025 | /feeds/core/detection-rules/becfraud-scam-lure-with-freemail-pivot-898c769f | |
BEC/Fraud: Student loan callback phishing | Sublime Security | 5mo ago Sep 5th, 2025 | /feeds/core/detection-rules/becfraud-student-loan-callback-phishing-a71f82c3 | |
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/becfraud-urgent-language-and-suspicious-sendinginfrastructure-patterns-ba8a79e0 | |
BEC with unusual reply-to or return-path mismatch | Sublime Security | 6mo ago Aug 5th, 2025 | /feeds/core/detection-rules/bec-with-unusual-reply-to-or-return-path-mismatch-83e5e2df | |
Brand impersonation: Hulu | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/brand-impersonation-hulu-6833de58 | |
Brand impersonation: KnowBe4 | Sublime Security | 2y ago Nov 25th, 2024 | /feeds/core/detection-rules/brand-impersonation-knowbe4-7c798386 | |
Brand impersonation: Norton | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/brand-impersonation-norton-32bd9efd | |
Brand impersonation: SiriusXM | Sublime Security | 6mo ago Aug 5th, 2025 | /feeds/core/detection-rules/brand-impersonation-siriusxm-70eb3792 | |
Brand impersonation: Zoom via lookalike domain | Sublime Security | 2d ago Feb 5th, 2026 | /feeds/core/detection-rules/brand-impersonation-zoom-via-lookalike-domain-b9d5e4b5 | |
Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited) | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/business-email-compromise-bec-attempt-with-masked-recipients-and-reply-to-mismatch-unsolicited-682191bf | |
Callback phishing: AOL senders with suspicious HTML template or PDF attachment | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/callback-phishing-aol-senders-with-suspicious-html-template-or-pdf-attachment-f6044eed | |
Callback phishing: Social Security Administration fraud | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/callback-phishing-social-security-administration-fraud-a9049d52 | |
Callback phishing solicitation in message body | Sublime Security | 3mo ago Oct 17th, 2025 | /feeds/core/detection-rules/callback-phishing-solicitation-in-message-body-10a3a446 | |
Callback phishing via e-signature service | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/callback-phishing-via-e-signature-service-ed37b4fd | |
Callback phishing via Google Group abuse | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/callback-phishing-via-google-group-abuse-199d873b | |
Callback phishing via Intuit service abuse | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/callback-phishing-via-intuit-service-abuse-f2fe1294 | |
Callback phishing via Zoho service abuse | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/callback-phishing-via-zoho-service-abuse-61e351ec | |
Canva infrastructure abuse | Sublime Security | 14h ago Feb 6th, 2026 | /feeds/core/detection-rules/canva-infrastructure-abuse-b69fdb5c | |
ClickFunnels link infrastructure abuse | Sublime Security | 2d ago Feb 5th, 2026 | /feeds/core/detection-rules/clickfunnels-link-infrastructure-abuse-9192fbe9 | |
Constant Contact link infrastructure abuse | Sublime Security | 3mo ago Oct 17th, 2025 | /feeds/core/detection-rules/constant-contact-link-infrastructure-abuse-8c5e8e4c | |
COVID-19 themed fraud with sender and reply-to mismatch or compensation award | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/covid-19-themed-fraud-with-sender-and-reply-to-mismatch-or-compensation-award-a16480ef | |
Credential phishing: Engaging language and other indicators (untrusted sender) | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/credential-phishing-engaging-language-and-other-indicators-untrusted-sender-c2bc8ca2 | |
Credential phishing language and suspicious indicators (unknown sender) | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/credential-phishing-language-and-suspicious-indicators-unknown-sender-89c186f7 | |
Domain impersonation: Freemail reply-to local lookalike with financial request | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/domain-impersonation-freemail-reply-to-local-lookalike-with-financial-request-43026a40 | |
Employee impersonation: Payroll fraud | Sublime Security | 6mo ago Aug 5th, 2025 | /feeds/core/detection-rules/employee-impersonation-payroll-fraud-2beb7d85 | |
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender | Sublime Security | 1y ago Feb 3rd, 2025 | /feeds/core/detection-rules/extortion-sextortion-pdf-attachment-leveraging-breach-data-from-freemail-sender-efb5a213 | |
Fake message thread - Untrusted sender with a mismatched freemail reply-to address | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/fake-message-thread-untrusted-sender-with-a-mismatched-freemail-reply-to-address-ca64e819 | |
Free email provider sender with mismatched provider reply-to | Sublime Security | 6mo ago Aug 5th, 2025 | /feeds/core/detection-rules/free-email-provider-sender-with-mismatched-provider-reply-to-fcd831d0 | |
Google services using g.co shortlinks | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/google-services-using-gco-shortlinks-09ff8a73 | |
Honorific greeting BEC attempt with sender and reply-to mismatch | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/honorific-greeting-bec-attempt-with-sender-and-reply-to-mismatch-aa41b1b7 | |
Impersonation: Chrome Web Store policy | Sublime Security | 6mo ago Aug 5th, 2025 | /feeds/core/detection-rules/impersonation-chrome-web-store-policy-4a98f283 | |
Impersonation: Executive using numbered local part | Sublime Security | 8d ago Jan 30th, 2026 | /feeds/core/detection-rules/impersonation-executive-using-numbered-local-part-8e005a22 | |
Impersonation: Suspected supplier impersonation with suspicious content | Sublime Security | 1y ago Feb 3rd, 2025 | /feeds/core/detection-rules/impersonation-suspected-supplier-impersonation-with-suspicious-content-63d8b1ce | |
Link abuse: Self-service creation platform link with suspicious recipient behavior | Sublime Security | 2mo ago Dec 2nd, 2025 | /feeds/core/detection-rules/link-abuse-self-service-creation-platform-link-with-suspicious-recipient-behavior-384ad135 | |
Link: Apple App Store malicious ad manager themed apps from free email provider | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/link-apple-app-store-malicious-ad-manager-themed-apps-from-free-email-provider-9ce402c6 | |
Link: Apple TestFlight from free email provider | Sublime Security | 3mo ago Oct 17th, 2025 | /feeds/core/detection-rules/link-apple-testflight-from-free-email-provider-9b447f1f | |
Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/link-google-calendar-invite-linking-to-an-open-redirect-from-an-untrusted-freemail-sender-bb4f1ea9 | |
Link: Invoice or receipt from freemail sender with customer service number | @vector_sec | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/link-invoice-or-receipt-from-freemail-sender-with-customer-service-number-3825232d | |
Link: Multistage landing - Abused Google Drive | Sublime Security | 6mo ago Aug 5th, 2025 | /feeds/core/detection-rules/link-multistage-landing-abused-google-drive-c86288b4 | |
Link: PDF and financial display text to free file host | Sublime Security | 4mo ago Sep 24th, 2025 | /feeds/core/detection-rules/link-pdf-and-financial-display-text-to-free-file-host-b010740b | |
Mass campaign: Cross Site Scripting (XSS) attempt | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/mass-campaign-cross-site-scripting-xss-attempt-6cbb7124 | |
Message traversed multiple onmicrosoft.com tenants | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/message-traversed-multiple-onmicrosoftcom-tenants-9cf01c0d | |
Reconnaissance: Email address harvesting attempt | Sublime Security | 26d ago Jan 12th, 2026 | /feeds/core/detection-rules/reconnaissance-email-address-harvesting-attempt-bb31efbc |