Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Attachment: HTML smuggling with decimal encoding | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-decimal-encoding-f99213c4 | |
Attachment: HTML smuggling with embedded base64-encoded executable | Sublime Security | 2y ago Mar 25th, 2024 | /feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-encoded-executable-b00c4527 | |
Attachment: HTML smuggling with embedded base64-encoded ISO | Sublime Security | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-encoded-iso-294ecd2d | |
Attachment: HTML smuggling with eval and atob | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-9f521ca2 | |
Attachment: HTML smuggling with eval and atob via calendar invite | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-via-calendar-invite-597c2edd | |
Attachment: HTML smuggling with excessive line break obfuscation | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-excessive-line-break-obfuscation-7e901440 | |
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns | Sublime Security | 2y ago Aug 27th, 2024 | /feeds/core/detection-rules/attachment-html-smuggling-with-excessive-string-concatenation-and-suspicious-patterns-e34fce8d | |
Attachment: HTML smuggling with fromCharCode and other signals | Sublime Security | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-fromcharcode-and-other-signals-a68ce0ef | |
Attachment: HTML smuggling with hex strings | @ajpc500 | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-hex-strings-b4208ed6 | |
Attachment: HTML smuggling with high entropy and other signals | Sublime Security | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-high-entropy-and-other-signals-be157288 | |
Attachment: HTML smuggling with raw array buffer | Sublime Security | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-raw-array-buffer-a0d5c3dc | |
Attachment: HTML smuggling with RC4 decryption | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-rc4-decryption-3a46d765 | |
Attachment: HTML smuggling with ROT13 | @Kyle_Parrish_ | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-rot13-6eacc4cf | |
Attachment: HTML smuggling with setTimeout | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-settimeout-4e0b2c32 | |
Attachment: HTML smuggling with unescape | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-smuggling-with-unescape-0b0fed36 | |
Attachment: HTML with emoji-to-character map | Sublime Security | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-html-with-emoji-to-character-map-3119d086 | |
Attachment: HTML with hidden body | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-html-with-hidden-body-b059a781 | |
Attachment: HTML with JavaScript functions for HTTP requests | Sublime Security | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-html-with-javascript-functions-for-http-requests-01e679fd | |
Attachment: ICS calendar with embedded file from internal sender with SPF failure | Sublime Security | 3mo ago Oct 22nd, 2025 | /feeds/core/detection-rules/attachment-ics-calendar-with-embedded-file-from-internal-sender-with-spf-failure-d9ce9db8 | |
Attachment: ICS file with non-Gregorian calendar scale | Sublime Security | 2mo ago Nov 4th, 2025 | /feeds/core/detection-rules/attachment-ics-file-with-non-gregorian-calendar-scale-9315bbf5 | |
Attachment: ICS with embedded document | Sublime Security | 4mo ago Sep 22nd, 2025 | /feeds/core/detection-rules/attachment-ics-with-embedded-document-8f9957d9 | |
Attachment: JavaScript file with suspicious base64-encoded executable | Sublime Security | 2y ago Apr 1st, 2024 | /feeds/core/detection-rules/attachment-javascript-file-with-suspicious-base64-encoded-executable-b8db0cf3 | |
Attachment: Legal themed message or PDF with suspicious indicators | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-legal-themed-message-or-pdf-with-suspicious-indicators-19133301 | |
Attachment: Link file with UNC path | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-link-file-with-unc-path-3b7ee0fb | |
Attachment: Link to Doubleclick.net open redirect | Sublime Security | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-link-to-doubleclicknet-open-redirect-506c16cc | |
Attachment: Macro files containing MHT content | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-macro-files-containing-mht-content-4d54e40b | |
Attachment: Malformed OLE file | Sublime Security | 2y ago Nov 25th, 2024 | /feeds/core/detection-rules/attachment-malformed-ole-file-5aadc68f | |
Attachment: MSI installer file | @ajpc500 | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-msi-installer-file-ae17b1a9 | |
Attachment: Office file contains OLE relationship to credential phishing page | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-contains-ole-relationship-to-credential-phishing-page-d55793d0 | |
Attachment: Office file with credential phishing URLs | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-credential-phishing-urls-b2cae98d | |
Attachment: Office file with document sharing and browser instruction lures | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-document-sharing-and-browser-instruction-lures-b1250a4b | |
Attachment: Office file with suspicious function calls or downloaded file path | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-office-file-with-suspicious-function-calls-or-downloaded-file-path-4c78b969 | |
Attachment: OLE external relationship containing file scheme link to executable filetype | Sublime Security | 2mo ago Nov 24th, 2025 | /feeds/core/detection-rules/attachment-ole-external-relationship-containing-file-scheme-link-to-executable-filetype-33bf6fd4 | |
Attachment: OLE external relationship containing file scheme link to IP address | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-ole-external-relationship-containing-file-scheme-link-to-ip-address-3aab998c | |
Attachment: Password-protected PDF with fake document indicators | Sublime Security | 2d ago Jan 21st, 2026 | /feeds/core/detection-rules/attachment-password-protected-pdf-with-fake-document-indicators-b45e4440 | |
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited) | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-links-to-suspicious-filetypes-unsolicited-6144f880 | |
Attachment: PDF file with low reputation link to ZIP file (unsolicited) | Michael Tingle | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-link-to-zip-file-unsolicited-d1ee2859 | |
Attachment: PDF generated with wkhtmltopdf tool and default title | Sublime Security | 1mo ago Dec 19th, 2025 | /feeds/core/detection-rules/attachment-pdf-generated-with-wkhtmltopdf-tool-and-default-title-64e6c8a8 | |
Attachment: PDF with link to DMG file download | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-link-to-dmg-file-download-2c486fe0 | |
Attachment: PDF with link to zip containing a wsf file | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-link-to-zip-containing-a-wsf-file-93bc7db4 | |
Attachment: PDF with suspicious HeadlessChrome metadata | Sublime Security | 15d ago Jan 8th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-headlesschrome-metadata-eda99b1d | |
Attachment: PDF with suspicious language and redirect to suspicious file type | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-language-and-redirect-to-suspicious-file-type-adda3c3f | |
Attachment: Potential sandbox evasion in Office file | @ajpc500 | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-potential-sandbox-evasion-in-office-file-1c591681 | |
Attachment: PowerPoint with suspicious hyperlink | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-powerpoint-with-suspicious-hyperlink-0a999fb1 | |
Attachment: QR code link with base64-encoded recipient address | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a | |
Attachment: QR code with recipient targeting and special characters | Sublime Security | 2d ago Jan 21st, 2026 | /feeds/core/detection-rules/attachment-qr-code-with-recipient-targeting-and-special-characters-fc9e1c09 | |
Attachment: QR code with userinfo portion | Sublime Security | 11d ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-qr-code-with-userinfo-portion-9d62cc5c | |
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender | Sublime Security | 2mo ago Nov 4th, 2025 | /feeds/core/detection-rules/attachment-rfc822-containing-suspicious-file-sharing-language-with-links-from-untrusted-sender-d96854d7 | |
Attachment: RTF file with suspicious link | Sublime Security | 6mo ago Jul 23rd, 2025 | /feeds/core/detection-rules/attachment-rtf-file-with-suspicious-link-c848f9aa | |
Attachment: RTF with embedded content | @amitchell516 | 2y ago Feb 26th, 2024 | /feeds/core/detection-rules/attachment-rtf-with-embedded-content-61dd2dd7 | |