Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Link to auto-download of a suspicious file type (unsolicited) | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-to-auto-download-of-a-suspicious-file-type-unsolicited-67ae2152 | |
Link: Tycoon2FA phishing kit (non-exhaustive) | Sublime Security | 1mo ago Jan 23rd, 2026 | /feeds/core/detection-rules/link-tycoon2fa-phishing-kit-non-exhaustive-a070d4e2 | |
Link: URL fragment with hexadecimal pattern obfuscation | Sublime Security | 1mo ago Jan 29th, 2026 | /feeds/core/detection-rules/link-url-fragment-with-hexadecimal-pattern-obfuscation-51f51aa0 | |
Link: URL redirecting to blob URL | Sublime Security | 14d ago Feb 24th, 2026 | /feeds/core/detection-rules/link-url-redirecting-to-blob-url-1677135b | |
Link: URL scheme obfuscation via split HTML anchors | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/link-url-scheme-obfuscation-via-split-html-anchors-10375948 | |
Link: URL shortener with copy-paste instructions and credential theft language | Sublime Security | 1mo ago Feb 6th, 2026 | /feeds/core/detection-rules/link-url-shortener-with-copy-paste-instructions-and-credential-theft-language-a0a2c573 | |
Low reputation link to auto-downloaded HTML file with smuggling indicators | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/low-reputation-link-to-auto-downloaded-html-file-with-smuggling-indicators-339676c6 | |
macOS malware: Compiled AppleScript with document double-extension | Sublime Security | 1mo ago Feb 5th, 2026 | /feeds/core/detection-rules/macos-malware-compiled-applescript-with-document-double-extension-9669c169 | |
Malformed URL prefix | Sublime Security | 6mo ago Sep 4th, 2025 | /feeds/core/detection-rules/malformed-url-prefix-4e659d28 | |
MalwareBazaar: Malicious attachment hash in archive (trusted reporters) | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/malwarebazaar-malicious-attachment-hash-in-archive-trusted-reporters-9d734281 | |
Malware: Pikabot delivery via URL auto-download | Sublime Security | 2y ago Apr 25th, 2024 | /feeds/core/detection-rules/malware-pikabot-delivery-via-url-auto-download-f4be4572 | |
Message traversed multiple onmicrosoft.com tenants | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/message-traversed-multiple-onmicrosoftcom-tenants-9cf01c0d | |
Microsoft infrastructure abuse with suspicious patterns | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/microsoft-infrastructure-abuse-with-suspicious-patterns-cfe8e804 | |
Non-RFC compliant calendar files from unsolicited sender | Sublime Security | 5mo ago Oct 1st, 2025 | /feeds/core/detection-rules/non-rfc-compliant-calendar-files-from-unsolicited-sender-9859f100 | |
Notion suspicious file share | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/notion-suspicious-file-share-f7307929 | |
Open redirect: Cartoon Network | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/open-redirect-cartoon-network-7435e057 | |
Open redirect: giving.lluh.org | Sublime Security | 9mo ago May 23rd, 2025 | /feeds/core/detection-rules/open-redirect-givinglluhorg-a2bf1099 | |
Open Redirect: Google domain with /url path and suspicious indicators | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/open-redirect-google-domain-with-url-path-and-suspicious-indicators-fc5adf74 | |
Open redirect: Klaviyo | Sublime Security | 2y ago May 14th, 2024 | /feeds/core/detection-rules/open-redirect-klaviyo-ce5a370a | |
Open redirect: marketing.edinburghairport.com | Sublime Security | 9mo ago May 23rd, 2025 | /feeds/core/detection-rules/open-redirect-marketingedinburghairportcom-33a47565 | |
Open redirect: next2.io | Sublime Security | 9mo ago May 23rd, 2025 | /feeds/core/detection-rules/open-redirect-next2io-5085c422 | |
Open redirect: people.anuneo.com | Sublime Security | 9mo ago May 23rd, 2025 | /feeds/core/detection-rules/open-redirect-peopleanuneocom-2ae83b73 | |
Open redirect: Shibboleth SSO Logout Return Parameter | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/open-redirect-shibboleth-sso-logout-return-parameter-374b7517 | |
Open redirect: slubnaglowie.pl | Sublime Security | 9mo ago May 23rd, 2025 | /feeds/core/detection-rules/open-redirect-slubnaglowiepl-2ec356d0 | |
Open redirect: typedrawers.com | Sublime Security | 9mo ago May 23rd, 2025 | /feeds/core/detection-rules/open-redirect-typedrawerscom-158d9e95 | |
Open redirect: weblinkconnect.com | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/open-redirect-weblinkconnectcom-967f7a11 | |
Open redirect: Xfinity CMP Redirection to Google AMP | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/open-redirect-xfinity-cmp-redirection-to-google-amp-c0805b80 | |
Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag | Sublime Security | 2mo ago Dec 10th, 2025 | /feeds/core/detection-rules/outlook-hyperlink-bypass-left-to-right-mark-lrm-in-base-html-tag-160cc681 | |
PayPal invoice abuse | Sublime Security | 27d ago Feb 11th, 2026 | /feeds/core/detection-rules/paypal-invoice-abuse-0ff7a0d4 | |
PhaaS: Impact Solutions (Impact Vector Suite) | Sublime Security | 1mo ago Jan 23rd, 2026 | /feeds/core/detection-rules/phaas-impact-solutions-impact-vector-suite-4d197faf | |
Potential prompt injection attack in body HTML | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/potential-prompt-injection-attack-in-body-html-5fb24736 | |
Punycode sender domain | Sublime Security | 3y ago Aug 21st, 2023 | /feeds/core/detection-rules/punycode-sender-domain-bc3d8db5 | |
QR code to auto-download of a suspicious file type (unsolicited) | Sublime Security | 4mo ago Oct 17th, 2025 | /feeds/core/detection-rules/qr-code-to-auto-download-of-a-suspicious-file-type-unsolicited-eed87ea2 | |
Reconnaissance: Empty message from uncommon sender | Sublime Security | 13d ago Feb 25th, 2026 | /feeds/core/detection-rules/reconnaissance-empty-message-from-uncommon-sender-b347cdbc | |
Reconnaissance: Empty subject with mismatched reply-to from new sender | Sublime Security | 1mo ago Feb 6th, 2026 | /feeds/core/detection-rules/reconnaissance-empty-subject-with-mismatched-reply-to-from-new-sender-12f4bd45 | |
Request for Quote or Purchase (RFQ\|RFP) with HTML smuggling attachment | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-html-smuggling-attachment-a47a5755 | |
Request for Quote or Purchase (RFQ\|RFP) with suspicious sender or recipient pattern | Sublime Security | 19h ago Mar 9th, 2026 | /feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-suspicious-sender-or-recipient-pattern-2ac0d329 | |
Salesforce infrastructure abuse | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/salesforce-infrastructure-abuse-78a77c70 | |
Self-sent fake PDF attachment with misleading link | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/self-sent-fake-pdf-attachment-with-misleading-link-8a285d2e | |
Sendgrid onmicrosoft.com domain phishing | @ajpc500 | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/sendgrid-onmicrosoftcom-domain-phishing-271f4ae9 | |
Service abuse: Adobe Creative Cloud share from an unsolicited sender address | Sublime Security | 4mo ago Oct 22nd, 2025 | /feeds/core/detection-rules/service-abuse-adobe-creative-cloud-share-from-an-unsolicited-sender-address-47e42ca1 | |
Service abuse: AppSheet infrastructure with suspicious indicators | Sublime Security | 5mo ago Oct 6th, 2025 | /feeds/core/detection-rules/service-abuse-appsheet-infrastructure-with-suspicious-indicators-5937646a | |
Service Abuse: Box file sharing with credential phishing intent | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-box-file-sharing-with-credential-phishing-intent-5bd0cb25 | |
Service abuse: Cisco secure email service with financial request | Sublime Security | 5mo ago Oct 1st, 2025 | /feeds/core/detection-rules/service-abuse-cisco-secure-email-service-with-financial-request-43a6daa8 | |
Service abuse: DocSend share from an unsolicited reply-to address | Sublime Security | 6d ago Mar 4th, 2026 | /feeds/core/detection-rules/service-abuse-docsend-share-from-an-unsolicited-reply-to-address-b377e64c | |
Service abuse: DocSend share from newly registered domain | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-docsend-share-from-newly-registered-domain-3bc152f2 | |
Service abuse: DocuSign notification with suspicious sender or document name | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/service-abuse-docusign-notification-with-suspicious-sender-or-document-name-5e4707cd | |
Service abuse: DocuSign share from an unsolicited reply-to address | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-docusign-share-from-an-unsolicited-reply-to-address-2f12d616 | |
Service abuse: Dropbox share from an unsolicited reply-to address | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/service-abuse-dropbox-share-from-an-unsolicited-reply-to-address-50a1499f | |
Service abuse: Dropbox share from new domain | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-dropbox-share-from-new-domain-0e664bd9 | |