Rule Name & Severity | Author | Last Updated | Rule Path | Labels |
|---|---|---|---|---|
Credential phishing: Image as content, short or no body contents | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/credential-phishing-image-as-content-short-or-no-body-contents-01313f38 | |
Credential Phishing: Suspicious language, link, recipients and other indicators | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/credential-phishing-suspicious-language-link-recipients-and-other-indicators-dcb39190 | |
Credential Phishing via Dropbox comment abuse | Sublime Security | 5mo ago Sep 22nd, 2025 | /feeds/core/detection-rules/credential-phishing-via-dropbox-comment-abuse-744d494d | |
Credential theft: Gophish abuse with hidden tracking image | Sublime Security | 4mo ago Nov 5th, 2025 | /feeds/core/detection-rules/credential-theft-gophish-abuse-with-hidden-tracking-image-59915ceb | |
Credential theft with 'safe content' deception and social engineering topics | Sublime Security | 13d ago Feb 25th, 2026 | /feeds/core/detection-rules/credential-theft-with-safe-content-deception-and-social-engineering-topics-22ceee0d | |
CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/cve-2023-5631-roundcube-webmail-xss-via-crafted-svg-8405d61b | |
Cyrillic vowel substitution in subject or display name from unknown sender | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/cyrillic-vowel-substitution-in-subject-or-display-name-from-unknown-sender-74bc0b0c | |
Cyrillic vowel substitutions with suspicious subject from unknown sender | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/cyrillic-vowel-substitutions-with-suspicious-subject-from-unknown-sender-10251c3c | |
Display Name Emoji with Financial Symbols | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/display-name-emoji-with-financial-symbols-f316f335 | |
EML attachment with credential theft language (unknown sender) | Sublime Security | 5mo ago Oct 3rd, 2025 | /feeds/core/detection-rules/eml-attachment-with-credential-theft-language-unknown-sender-00e06af1 | |
Encrypted Microsoft Office files from untrusted sender | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/encrypted-microsoft-office-files-from-untrusted-sender-eb7b26e7 | |
Fake shipping notification with suspicious language | Sublime Security | 2y ago May 3rd, 2024 | /feeds/core/detection-rules/fake-shipping-notification-with-suspicious-language-67748b0a | |
Fake thread with suspicious indicators | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/fake-thread-with-suspicious-indicators-c2e18a57 | |
Fake warning banner using confusable characters | Sublime Security | 8d ago Mar 2nd, 2026 | /feeds/core/detection-rules/fake-warning-banner-using-confusable-characters-179ee1ff | |
Fake Zoho Sign template abuse | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/fake-zoho-sign-template-abuse-785fd0d5 | |
Fake Zoom meeting invite with suspicious link | Sublime Security | 3mo ago Dec 1st, 2025 | /feeds/core/detection-rules/fake-zoom-meeting-invite-with-suspicious-link-aba95f23 | |
Generic service abuse from newly registered domain | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/generic-service-abuse-from-newly-registered-domain-0937b4c5 | |
Google Drive direct download link from unsolicited sender | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/google-drive-direct-download-link-from-unsolicited-sender-78a19343 | |
Google presentation open redirect phishing | Sublime Security | 2mo ago Dec 11th, 2025 | /feeds/core/detection-rules/google-presentation-open-redirect-phishing-5d01ee3a | |
Google services using g.co shortlinks | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/google-services-using-gco-shortlinks-09ff8a73 | |
Hardbacon infrastructure abuse | Sublime Security | 2y ago Dec 20th, 2024 | /feeds/core/detection-rules/hardbacon-infrastructure-abuse-5330db42 | |
Headers: Fake in-reply-to with wildcard sender and missing thread context | Sublime Security | 1mo ago Jan 23rd, 2026 | /feeds/core/detection-rules/headers-fake-in-reply-to-with-wildcard-sender-and-missing-thread-context-89da670a | |
Headers: Invalid recipient domain with mismatched reply-to from new sender | Sublime Security | 3mo ago Nov 21st, 2025 | /feeds/core/detection-rules/headers-invalid-recipient-domain-with-mismatched-reply-to-from-new-sender-f375ded1 | |
Headers: iOS/iPadOS mailer with invalid build number | Sublime Security | 3y ago Aug 17th, 2023 | /feeds/core/detection-rules/headers-iosipados-mailer-with-invalid-build-number-e0b74072 | |
Headers: Outlook Express mailer | Sublime Security | 4mo ago Nov 6th, 2025 | /feeds/core/detection-rules/headers-outlook-express-mailer-b7a698de | |
Headers: risky-recover-production message ID | Sublime Security | 12d ago Feb 26th, 2026 | /feeds/core/detection-rules/headers-risky-recover-production-message-id-4cc0b5dc | |
HR impersonation via e-sign agreement comment | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/hr-impersonation-via-e-sign-agreement-comment-796c6f0f | |
HTML: Bidirectional (BIDI) HTML override with right to left obfuscation | Sublime Security | 4mo ago Oct 17th, 2025 | /feeds/core/detection-rules/html-bidirectional-bidi-html-override-with-right-to-left-obfuscation-f93940d2 | |
HTML smuggling containing recipient email address | Sublime Security | 4mo ago Nov 4th, 2025 | /feeds/core/detection-rules/html-smuggling-containing-recipient-email-address-af32ff2f | |
Image as content with a link to an open redirect (unsolicited) | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/image-as-content-with-a-link-to-an-open-redirect-unsolicited-f5cec36b | |
Impersonation: SharePoint reply header anomaly | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/impersonation-sharepoint-reply-header-anomaly-78875848 | |
Impersonation: Suspected supplier impersonation with suspicious content | Sublime Security | 1y ago Feb 3rd, 2025 | /feeds/core/detection-rules/impersonation-suspected-supplier-impersonation-with-suspicious-content-63d8b1ce | |
Inbound message from popular service via newly observed distribution list | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/inbound-message-from-popular-service-via-newly-observed-distribution-list-8f4bc148 | |
Inline image as message with attachment or link | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/inline-image-as-message-with-attachment-or-link-823d7107 | |
Issuu document with suspicious embedded link | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/issuu-document-with-suspicious-embedded-link-0d73f43d | |
Link: 9WOLF phishkit initial landing URI | Sublime Security | 1mo ago Jan 30th, 2026 | /feeds/core/detection-rules/link-9wolf-phishkit-initial-landing-uri-a165e206 | |
Link: Abused Adobe Express | Sublime Security | 7mo ago Jul 23rd, 2025 | /feeds/core/detection-rules/link-abused-adobe-express-c7d17bfd | |
Link: Adobe share from unsolicited sender | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-adobe-share-from-unsolicited-sender-8e29ab33 | |
Link: Adobe share with suspicious indicators | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-adobe-share-with-suspicious-indicators-b33cae80 | |
Link: Apple App Store malicious ad manager themed apps from free email provider | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-apple-app-store-malicious-ad-manager-themed-apps-from-free-email-provider-9ce402c6 | |
Link: Apple TestFlight from free email provider | Sublime Security | 4mo ago Oct 17th, 2025 | /feeds/core/detection-rules/link-apple-testflight-from-free-email-provider-9b447f1f | |
Link: Base64 encoded recipient address in URL fragment with hex subdomain | Sublime Security | 1mo ago Jan 29th, 2026 | /feeds/core/detection-rules/link-base64-encoded-recipient-address-in-url-fragment-with-hex-subdomain-781e86ae | |
Link: Base64 encoded recipient address in URL fragment with subject hash | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-base64-encoded-recipient-address-in-url-fragment-with-subject-hash-eb9694b8 | |
Link: Common hidden directory observed | Sublime Security | 1mo ago Feb 3rd, 2026 | /feeds/core/detection-rules/link-common-hidden-directory-observed-9f316da6 | |
Link: Credential phishing link with undisclosed recipients | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/link-credential-phishing-link-with-undisclosed-recipients-06fc155e | |
Link: Credential theft with invisible Unicode character in page title from unsolicited sender | Sublime Security | 25d ago Feb 13th, 2026 | /feeds/core/detection-rules/link-credential-theft-with-invisible-unicode-character-in-page-title-from-unsolicited-sender-5fe14d53 | |
Link: Cryptocurrency fraud with suspicious links | Sublime Security | 3mo ago Dec 1st, 2025 | /feeds/core/detection-rules/link-cryptocurrency-fraud-with-suspicious-links-d0da37ce | |
Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability | Sublime Security | 2y ago Feb 15th, 2024 | /feeds/core/detection-rules/link-cve-2024-21413-microsoft-outlook-remote-code-execution-vulnerability-e8151426 | |
Link: Direct download of executable file | Sublime Security | 8d ago Mar 2nd, 2026 | /feeds/core/detection-rules/link-direct-download-of-executable-file-dbbfd077 | |
Link: Direct link to gamma.app document with mode parameter | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/link-direct-link-to-gammaapp-document-with-mode-parameter-080ab581 |