Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Domain impersonation: Freemail reply-to local lookalike with financial request | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/domain-impersonation-freemail-reply-to-local-lookalike-with-financial-request-43026a40 | |
EML attachment with credential theft language (unknown sender) | Sublime Security | 3mo ago Oct 3rd, 2025 | /feeds/core/detection-rules/eml-attachment-with-credential-theft-language-unknown-sender-00e06af1 | |
Employee impersonation: Payroll fraud | Sublime Security | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/employee-impersonation-payroll-fraud-2beb7d85 | |
Employee impersonation with urgent request (untrusted sender) | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/employee-impersonation-with-urgent-request-untrusted-sender-1ce9a146 | |
Extortion / sextortion in attachment from untrusted sender | Sublime Security | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/extortion-sextortion-in-attachment-from-untrusted-sender-3cb8d32c | |
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender | Sublime Security | 11mo ago Feb 3rd, 2025 | /feeds/core/detection-rules/extortion-sextortion-pdf-attachment-leveraging-breach-data-from-freemail-sender-efb5a213 | |
Extortion / sextortion (untrusted sender) | Sublime Security | 2d ago Jan 22nd, 2026 | /feeds/core/detection-rules/extortion-sextortion-untrusted-sender-265913eb | |
Fake email quarantine notification | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/fake-email-quarantine-notification-73f26a3d | |
Fake message thread - Untrusted sender with a mismatched freemail reply-to address | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/fake-message-thread-untrusted-sender-with-a-mismatched-freemail-reply-to-address-ca64e819 | |
Fake message thread with a suspicious link and engaging language from an unknown sender | Sublime Security | 2mo ago Nov 12th, 2025 | /feeds/core/detection-rules/fake-message-thread-with-a-suspicious-link-and-engaging-language-from-an-unknown-sender-8fd0e211 | |
Fake request for tax preparation | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/fake-request-for-tax-preparation-e36b85b3 | |
Fake scan-to-email message | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/fake-scan-to-email-message-78851fbe | |
Fake shipping notification with link to free file hosting | Sublime Security | 2y ago Jul 10th, 2024 | /feeds/core/detection-rules/fake-shipping-notification-with-link-to-free-file-hosting-6d3fe05e | |
Fake thread with suspicious indicators | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/fake-thread-with-suspicious-indicators-c2e18a57 | |
Fake voicemail notification (untrusted sender) | Sublime Security | 2d ago Jan 22nd, 2026 | /feeds/core/detection-rules/fake-voicemail-notification-untrusted-sender-74ba7787 | |
Fake Zoho Sign template abuse | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/fake-zoho-sign-template-abuse-785fd0d5 | |
Fake Zoom meeting invite with suspicious link | Sublime Security | 1mo ago Dec 1st, 2025 | /feeds/core/detection-rules/fake-zoom-meeting-invite-with-suspicious-link-aba95f23 | |
File sharing link with a suspicious subject | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/file-sharing-link-with-a-suspicious-subject-a306e2a6 | |
Fraudulent e-commerce operators | Sublime Security | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/fraudulent-e-commerce-operators-3776a6fc | |
Fraudulent order confirmation/shipping notification from Chinese sender domain | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/fraudulent-order-confirmationshipping-notification-from-chinese-sender-domain-4392a14e | |
Free email provider sender with mismatched provider reply-to | Sublime Security | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/free-email-provider-sender-with-mismatched-provider-reply-to-fcd831d0 | |
Free subdomain link with login or captcha (untrusted sender) | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/free-subdomain-link-with-login-or-captcha-untrusted-sender-93288f82 | |
Generic service abuse from newly registered domain | Sublime Security | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/generic-service-abuse-from-newly-registered-domain-0937b4c5 | |
Google Drive direct download link from unsolicited sender | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/google-drive-direct-download-link-from-unsolicited-sender-78a19343 | |
Google Notification alert link from non-Google sender | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/google-notification-alert-link-from-non-google-sender-a1c1acfd | |
Google presentation open redirect phishing | Sublime Security | 1mo ago Dec 11th, 2025 | /feeds/core/detection-rules/google-presentation-open-redirect-phishing-5d01ee3a | |
Hardbacon infrastructure abuse | Sublime Security | 2y ago Dec 20th, 2024 | /feeds/core/detection-rules/hardbacon-infrastructure-abuse-5330db42 | |
Headers: Fake in-reply-to with wildcard sender and missing thread context | Sublime Security | 6h ago Jan 23rd, 2026 | /feeds/core/detection-rules/headers-fake-in-reply-to-with-wildcard-sender-and-missing-thread-context-89da670a | |
Headers: Invalid recipient domain with mismatched reply-to from new sender | Sublime Security | 2mo ago Nov 21st, 2025 | /feeds/core/detection-rules/headers-invalid-recipient-domain-with-mismatched-reply-to-from-new-sender-f375ded1 | |
Headers: System account impersonation with empty sender address | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/headers-system-account-impersonation-with-empty-sender-address-887f7953 | |
Honorific greeting BEC attempt with sender and reply-to mismatch | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/honorific-greeting-bec-attempt-with-sender-and-reply-to-mismatch-aa41b1b7 | |
HR impersonation via e-sign agreement comment | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/hr-impersonation-via-e-sign-agreement-comment-796c6f0f | |
HTML: Bidirectional (BIDI) HTML override with right to left obfuscation | Sublime Security | 3mo ago Oct 17th, 2025 | /feeds/core/detection-rules/html-bidirectional-bidi-html-override-with-right-to-left-obfuscation-f93940d2 | |
Image as content with a link to an open redirect (unsolicited) | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/image-as-content-with-a-link-to-an-open-redirect-unsolicited-f5cec36b | |
Impersonation: Human Resources with link or attachment and engaging language | Sublime Security | 6mo ago Jul 16th, 2025 | /feeds/core/detection-rules/impersonation-human-resources-with-link-or-attachment-and-engaging-language-8c95a6a8 | |
Impersonation: Internal corporate services | Sublime Security | 4d ago Jan 20th, 2026 | /feeds/core/detection-rules/impersonation-internal-corporate-services-3cd04f33 | |
Impersonation: Salesforce fake campaign failure notification | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/impersonation-salesforce-fake-campaign-failure-notification-d66000ca | |
Impersonation: SharePoint reply header anomaly | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/impersonation-sharepoint-reply-header-anomaly-78875848 | |
Impersonation: Social Security Administration (SSA) | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/impersonation-social-security-administration-ssa-6196767e | |
Impersonation: Suspected supplier impersonation with suspicious content | Sublime Security | 11mo ago Feb 3rd, 2025 | /feeds/core/detection-rules/impersonation-suspected-supplier-impersonation-with-suspicious-content-63d8b1ce | |
Impersonation using recipient domain (untrusted sender) | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/impersonation-using-recipient-domain-untrusted-sender-63e5808a | |
Inbound message from popular service via newly observed distribution list | Sublime Security | 5mo ago Aug 5th, 2025 | /feeds/core/detection-rules/inbound-message-from-popular-service-via-newly-observed-distribution-list-8f4bc148 | |
Invoicera infrastructure abuse | Sublime Security | 2y ago Mar 7th, 2024 | /feeds/core/detection-rules/invoicera-infrastructure-abuse-1e56f310 | |
Issuu document with suspicious embedded link | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/issuu-document-with-suspicious-embedded-link-0d73f43d | |
Job scam (unsolicited sender) | Sublime Security | 2mo ago Nov 3rd, 2025 | /feeds/core/detection-rules/job-scam-unsolicited-sender-a37dc32d | |
Job scam with specific salary pattern | Sublime Security | 3d ago Jan 21st, 2026 | /feeds/core/detection-rules/job-scam-with-specific-salary-pattern-af7f9e21 | |
Link abuse: Self-service creation platform link with suspicious recipient behavior | Sublime Security | 1mo ago Dec 2nd, 2025 | /feeds/core/detection-rules/link-abuse-self-service-creation-platform-link-with-suspicious-recipient-behavior-384ad135 | |
Link: Apple App Store malicious ad manager themed apps from free email provider | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/link-apple-app-store-malicious-ad-manager-themed-apps-from-free-email-provider-9ce402c6 | |
Link: Base64 encoded recipient address in URL fragment with subject hash | Sublime Security | 12d ago Jan 12th, 2026 | /feeds/core/detection-rules/link-base64-encoded-recipient-address-in-url-fragment-with-subject-hash-eb9694b8 | |
Link: Breely link masquerading as PDF | Sublime Security | 8d ago Jan 16th, 2026 | /feeds/core/detection-rules/link-breely-link-masquerading-as-pdf-4a498c21 |