Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Attachment: HTML smuggling with base64 encoded ZIP file | Sublime Security | 3mo ago Nov 20th, 2025 | /feeds/core/detection-rules/attachment-html-smuggling-with-base64-encoded-zip-file-47e388de | |
Attachment: HTML smuggling with concatenation obfuscation | @vector_sec | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-concatenation-obfuscation-108ab346 | |
Attachment: HTML smuggling with decimal encoding | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-decimal-encoding-f99213c4 | |
Attachment: HTML smuggling with embedded base64-encoded executable | Sublime Security | 2y ago Mar 25th, 2024 | /feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-encoded-executable-b00c4527 | |
Attachment: HTML smuggling with embedded base64-encoded ISO | Sublime Security | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-encoded-iso-294ecd2d | |
Attachment: HTML smuggling with eval and atob | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-9f521ca2 | |
Attachment: HTML smuggling with eval and atob via calendar invite | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-via-calendar-invite-597c2edd | |
Attachment: HTML smuggling with excessive line break obfuscation | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-excessive-line-break-obfuscation-7e901440 | |
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns | Sublime Security | 2y ago Aug 27th, 2024 | /feeds/core/detection-rules/attachment-html-smuggling-with-excessive-string-concatenation-and-suspicious-patterns-e34fce8d | |
Attachment: HTML smuggling with fromCharCode and other signals | Sublime Security | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-fromcharcode-and-other-signals-a68ce0ef | |
Attachment: HTML smuggling with hex strings | @ajpc500 | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-hex-strings-b4208ed6 | |
Attachment: HTML smuggling with high entropy and other signals | Sublime Security | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-high-entropy-and-other-signals-be157288 | |
Attachment: HTML smuggling with raw array buffer | Sublime Security | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-raw-array-buffer-a0d5c3dc | |
Attachment: HTML smuggling with RC4 decryption | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-rc4-decryption-3a46d765 | |
Attachment: HTML smuggling with ROT13 | @Kyle_Parrish_ | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-rot13-6eacc4cf | |
Attachment: HTML smuggling with setTimeout | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-settimeout-4e0b2c32 | |
Attachment: HTML smuggling with unescape | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-unescape-0b0fed36 | |
Attachment: HTML with emoji-to-character map | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-html-with-emoji-to-character-map-3119d086 | |
Attachment: HTML with hidden body | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-with-hidden-body-b059a781 | |
Attachment: HTML with JavaScript functions for HTTP requests | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-html-with-javascript-functions-for-http-requests-01e679fd | |
Attachment: ICS calendar with embedded file from internal sender with SPF failure | Sublime Security | 4mo ago Oct 22nd, 2025 | /feeds/core/detection-rules/attachment-ics-calendar-with-embedded-file-from-internal-sender-with-spf-failure-d9ce9db8 | |
Attachment: ICS file with non-Gregorian calendar scale | Sublime Security | 4mo ago Nov 4th, 2025 | /feeds/core/detection-rules/attachment-ics-file-with-non-gregorian-calendar-scale-9315bbf5 | |
Attachment: ICS with embedded document | Sublime Security | 5mo ago Sep 22nd, 2025 | /feeds/core/detection-rules/attachment-ics-with-embedded-document-8f9957d9 | |
Attachment: ICS with embedded Javascript in SVG file | Sublime Security | 1mo ago Jan 29th, 2026 | /feeds/core/detection-rules/attachment-ics-with-embedded-javascript-in-svg-file-d5201a19 | |
Attachment: JavaScript file with suspicious base64-encoded executable | Sublime Security | 2y ago Apr 1st, 2024 | /feeds/core/detection-rules/attachment-javascript-file-with-suspicious-base64-encoded-executable-b8db0cf3 | |
Attachment: Legal themed message or PDF with suspicious indicators | Sublime Security | 1mo ago Feb 5th, 2026 | /feeds/core/detection-rules/attachment-legal-themed-message-or-pdf-with-suspicious-indicators-19133301 | |
Attachment: Link file with UNC path | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-link-file-with-unc-path-3b7ee0fb | |
Attachment: Link to Doubleclick.net open redirect | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-link-to-doubleclicknet-open-redirect-506c16cc | |
Attachment: Macro files containing MHT content | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-macro-files-containing-mht-content-4d54e40b | |
Attachment: Malformed OLE file | Sublime Security | 2y ago Nov 25th, 2024 | /feeds/core/detection-rules/attachment-malformed-ole-file-5aadc68f | |
Attachment: MSI installer file | @ajpc500 | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-msi-installer-file-ae17b1a9 | |
Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK | Sublime Security | 1mo ago Jan 28th, 2026 | /feeds/core/detection-rules/attachment-ms-office-or-rtf-file-with-shellexplorer1-com-object-with-embedded-lnk-53a29f61 | |
Attachment: Office file contains OLE relationship to credential phishing page | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-contains-ole-relationship-to-credential-phishing-page-d55793d0 | |
Attachment: Office file with credential phishing URLs | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-credential-phishing-urls-b2cae98d | |
Attachment: Office file with document sharing and browser instruction lures | Sublime Security | 1mo ago Jan 29th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-document-sharing-and-browser-instruction-lures-b1250a4b | |
Attachment: Office file with suspicious function calls or downloaded file path | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-suspicious-function-calls-or-downloaded-file-path-4c78b969 | |
Attachment: OLE external relationship containing file scheme link to executable filetype | Sublime Security | 3mo ago Nov 24th, 2025 | /feeds/core/detection-rules/attachment-ole-external-relationship-containing-file-scheme-link-to-executable-filetype-33bf6fd4 | |
Attachment: OLE external relationship containing file scheme link to IP address | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-ole-external-relationship-containing-file-scheme-link-to-ip-address-3aab998c | |
Attachment: Password-protected PDF with fake document indicators | Sublime Security | 1mo ago Jan 21st, 2026 | /feeds/core/detection-rules/attachment-password-protected-pdf-with-fake-document-indicators-b45e4440 | |
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited) | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-links-to-suspicious-filetypes-unsolicited-6144f880 | |
Attachment: PDF file with low reputation link to ZIP file (unsolicited) | Michael Tingle | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-link-to-zip-file-unsolicited-d1ee2859 | |
Attachment: PDF generated with wkhtmltopdf tool and default title | Sublime Security | 2mo ago Dec 19th, 2025 | /feeds/core/detection-rules/attachment-pdf-generated-with-wkhtmltopdf-tool-and-default-title-64e6c8a8 | |
Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification | Sublime Security | 8d ago Mar 2nd, 2026 | /feeds/core/detection-rules/attachment-pdf-object-hash-encrypted-pdfs-with-fake-payment-notification-a8a19bae | |
Attachment: PDF with a suspicious string and single URL | Sublime Security | 8d ago Mar 2nd, 2026 | /feeds/core/detection-rules/attachment-pdf-with-a-suspicious-string-and-single-url-3bdbb7ad | |
Attachment: PDF with link to DMG file download | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-link-to-dmg-file-download-2c486fe0 | |
Attachment: PDF with link to zip containing a wsf file | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-link-to-zip-containing-a-wsf-file-93bc7db4 | |
Attachment: PDF with multistage landing - ClickUp abuse | Sublime Security | 11d ago Feb 27th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-multistage-landing-clickup-abuse-0dc40316 | |
Attachment: PDF with password in filename matching body text | Sublime Security | 19d ago Feb 19th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-password-in-filename-matching-body-text-2c9c3b24 | |
Attachment: PDF with ReportLab library and default metadata | Sublime Security | 11d ago Feb 27th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-reportlab-library-and-default-metadata-7094bfdd | |
Attachment: PDF with suspicious HeadlessChrome metadata | Sublime Security | 2mo ago Jan 8th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-headlesschrome-metadata-eda99b1d |