Rule Name & Severity | Author | Last Updated | Labels | |
---|---|---|---|---|
Compensation review with QR code in attached EML | Sublime Security | 3mo ago Nov 26th, 2025 | /feeds/core/detection-rules/compensation-review-with-qr-code-in-attached-eml-98a2f03c | |
Credential phishing: Engaging language with IPFS link | Sublime Security | 2y ago May 3rd, 2024 | /feeds/core/detection-rules/credential-phishing-engaging-language-with-ipfs-link-996c4d83 | |
Credential phishing: Fake password expiration from new and unsolicited sender | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/credential-phishing-fake-password-expiration-from-new-and-unsolicited-sender-5d9c3a75 | |
Credential phishing link (unknown sender) | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/credential-phishing-link-unknown-sender-a278012b | |
Credential phishing: Suspicious e-sign agreement document notification | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/credential-phishing-suspicious-e-sign-agreement-document-notification-9b68c2d8 | |
Credential theft: Gophish abuse with hidden tracking image | Sublime Security | 4mo ago Nov 5th, 2025 | /feeds/core/detection-rules/credential-theft-gophish-abuse-with-hidden-tracking-image-59915ceb | |
CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/cve-2023-5631-roundcube-webmail-xss-via-crafted-svg-8405d61b | |
Deceptive Dropbox mention | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/deceptive-dropbox-mention-58a107bc | |
EML attachment with credential theft language (unknown sender) | Sublime Security | 5mo ago Oct 3rd, 2025 | /feeds/core/detection-rules/eml-attachment-with-credential-theft-language-unknown-sender-00e06af1 | |
Extortion / sextortion (untrusted sender) | Sublime Security | 1mo ago Jan 22nd, 2026 | /feeds/core/detection-rules/extortion-sextortion-untrusted-sender-265913eb | |
Fake message thread - Untrusted sender with a mismatched freemail reply-to address | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/fake-message-thread-untrusted-sender-with-a-mismatched-freemail-reply-to-address-ca64e819 | |
Fake shipping notification with link to free file hosting | Sublime Security | 2y ago Jul 10th, 2024 | /feeds/core/detection-rules/fake-shipping-notification-with-link-to-free-file-hosting-6d3fe05e | |
Fake thread with suspicious indicators | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/fake-thread-with-suspicious-indicators-c2e18a57 | |
Fake voicemail notification (untrusted sender) | Sublime Security | 1mo ago Jan 22nd, 2026 | /feeds/core/detection-rules/fake-voicemail-notification-untrusted-sender-74ba7787 | |
Fake Zoho Sign template abuse | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/fake-zoho-sign-template-abuse-785fd0d5 | |
Google share notification with suspicious comments | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/google-share-notification-with-suspicious-comments-c69c9924 | |
HTML: Bidirectional (BIDI) HTML override with right to left obfuscation | Sublime Security | 4mo ago Oct 17th, 2025 | /feeds/core/detection-rules/html-bidirectional-bidi-html-override-with-right-to-left-obfuscation-f93940d2 | |
HTML smuggling with atob in message body | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/html-smuggling-with-atob-in-message-body-0f86851f | |
Image as content with a link to an open redirect (unsolicited) | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/image-as-content-with-a-link-to-an-open-redirect-unsolicited-f5cec36b | |
Impersonation: Chrome Web Store policy | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/impersonation-chrome-web-store-policy-4a98f283 | |
Impersonation: Fake Gmail attachment | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/impersonation-fake-gmail-attachment-0f5a4e14 | |
Impersonation: SharePoint reply header anomaly | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/impersonation-sharepoint-reply-header-anomaly-78875848 | |
Impersonation: Social Security Administration (SSA) | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/impersonation-social-security-administration-ssa-6196767e | |
Inline image as message with attachment or link | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/inline-image-as-message-with-attachment-or-link-823d7107 | |
Link: Adobe share with suspicious indicators | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-adobe-share-with-suspicious-indicators-b33cae80 | |
Link: Display text with excessive right-to-left mark characters | Sublime Security | 1mo ago Jan 21st, 2026 | /feeds/core/detection-rules/link-display-text-with-excessive-right-to-left-mark-characters-a45cfd4c | |
Link: File sharing pretext with suspicious body and link | Sublime Security | 4mo ago Oct 10th, 2025 | /feeds/core/detection-rules/link-file-sharing-pretext-with-suspicious-body-and-link-c5718a8e | |
Link: Microsoft impersonation using hosted png with suspicious link | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-microsoft-impersonation-using-hosted-png-with-suspicious-link-07c696d4 | |
Link: PDF and financial display text to free file host | Sublime Security | 5mo ago Sep 24th, 2025 | /feeds/core/detection-rules/link-pdf-and-financial-display-text-to-free-file-host-b010740b | |
Link: Self-sender with sender org in subject and credential theft indicator | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-self-sender-with-sender-org-in-subject-and-credential-theft-indicator-bfa9aa08 | |
Link: SharePoint OneNote or PDF link with self sender behavior | Sublime Security | 9d ago Feb 27th, 2026 | /feeds/core/detection-rules/link-sharepoint-onenote-or-pdf-link-with-self-sender-behavior-588e7203 | |
Link: Suspicious SharePoint document name | Sublime Security | 23d ago Feb 13th, 2026 | /feeds/core/detection-rules/link-suspicious-sharepoint-document-name-f95fee6e | |
Link: Uncommon SharePoint document type with sender's display name | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/link-uncommon-sharepoint-document-type-with-senders-display-name-02d290b2 | |
Link: URL scheme obfuscation via split HTML anchors | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-url-scheme-obfuscation-via-split-html-anchors-10375948 | |
Link: Zoho form link from unsolicited sender | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/link-zoho-form-link-from-unsolicited-sender-eb04a9f2 | |
Microsoft device code phishing | @ajpc500 | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/microsoft-device-code-phishing-61f3ae67 | |
Open redirect (go2.aspx) leading to Microsoft credential phishing | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/open-redirect-go2aspx-leading-to-microsoft-credential-phishing-51667096 | |
Open Redirect: Google domain with /url path and suspicious indicators | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/open-redirect-google-domain-with-url-path-and-suspicious-indicators-fc5adf74 | |
Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag | Sublime Security | 2mo ago Dec 10th, 2025 | /feeds/core/detection-rules/outlook-hyperlink-bypass-left-to-right-mark-lrm-in-base-html-tag-160cc681 | |
PayPal invoice abuse | Sublime Security | 25d ago Feb 11th, 2026 | /feeds/core/detection-rules/paypal-invoice-abuse-0ff7a0d4 | |
Potential prompt injection attack in body HTML | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/potential-prompt-injection-attack-in-body-html-5fb24736 | |
QR Code with suspicious indicators | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/qr-code-with-suspicious-indicators-04f5c34f | |
Reconnaissance: All recipients cc/bcc'd or undisclosed | Sublime Security | 1mo ago Feb 5th, 2026 | /feeds/core/detection-rules/reconnaissance-all-recipients-ccbccd-or-undisclosed-420f60d3 | |
Reconnaissance: Empty message from uncommon sender | Sublime Security | 11d ago Feb 25th, 2026 | /feeds/core/detection-rules/reconnaissance-empty-message-from-uncommon-sender-b347cdbc | |
Self-sent fake PDF attachment with misleading link | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/self-sent-fake-pdf-attachment-with-misleading-link-8a285d2e | |
Service abuse: Adobe Creative Cloud share from an unsolicited sender address | Sublime Security | 4mo ago Oct 22nd, 2025 | /feeds/core/detection-rules/service-abuse-adobe-creative-cloud-share-from-an-unsolicited-sender-address-47e42ca1 | |
Service abuse: Apple TestFlight with suspicious developer reference | Sublime Security | 30d ago Feb 6th, 2026 | /feeds/core/detection-rules/service-abuse-apple-testflight-with-suspicious-developer-reference-e7ea0ee0 | |
Service abuse: Google classroom solicitation | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-google-classroom-solicitation-e9c39e92 | |
Service abuse: HelloSign from an unsolicited sender address | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/service-abuse-hellosign-from-an-unsolicited-sender-address-68ca0753 | |
Service Abuse: HelloSign share with suspicious sender or document name | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-hellosign-share-with-suspicious-sender-or-document-name-464d98f3 |