Rule Name & Severity | Author | Last Updated | Rule Path | |
|---|---|---|---|---|
Service abuse: Dropbox share with suspicious sender or document name | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-dropbox-share-with-suspicious-sender-or-document-name-27007c9f | |
Service Abuse: ExactTarget with suspicious sender indicators | Sublime Security | 4mo ago Nov 8th, 2025 | /feeds/core/detection-rules/service-abuse-exacttarget-with-suspicious-sender-indicators-6154f197 | |
Service abuse: FlipHTML5 with attachment deception and credential theft language | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-fliphtml5-with-attachment-deception-and-credential-theft-language-02464799 | |
Service abuse: Free provider with SendGrid routing | Sublime Security | 2mo ago Jan 8th, 2026 | /feeds/core/detection-rules/service-abuse-free-provider-with-sendgrid-routing-3079cacb | |
Service Abuse: GoDaddy infrastructure | Sublime Security | 2mo ago Jan 7th, 2026 | /feeds/core/detection-rules/service-abuse-godaddy-infrastructure-8a2dd357 | |
Service abuse: Google application integration redirecting to suspicious hosts | Sublime Security | 2mo ago Dec 17th, 2025 | /feeds/core/detection-rules/service-abuse-google-application-integration-redirecting-to-suspicious-hosts-473d3247 | |
Service abuse: HelloSign from an unsolicited sender address | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/service-abuse-hellosign-from-an-unsolicited-sender-address-68ca0753 | |
Service Abuse: HelloSign share with suspicious sender or document name | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-hellosign-share-with-suspicious-sender-or-document-name-464d98f3 | |
Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail | Sublime Security | 6d ago Mar 4th, 2026 | /feeds/core/detection-rules/service-abuse-hungerrush-domain-with-sendgrid-tracking-targeting-protonmail-73f62e74 | |
Service abuse: Monday.com infrastructure with phishing intent | Sublime Security | 20h ago Mar 9th, 2026 | /feeds/core/detection-rules/service-abuse-mondaycom-infrastructure-with-phishing-intent-a346e3b1 | |
Service abuse: Nylas tracking subdomain with suspicious content | Sublime Security | 4d ago Mar 6th, 2026 | /feeds/core/detection-rules/service-abuse-nylas-tracking-subdomain-with-suspicious-content-a3a6c896 | |
Service abuse: Payoneer callback scam | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-payoneer-callback-scam-b7fb174c | |
Service abuse: QuickBooks notification from new domain | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-quickbooks-notification-from-new-domain-c4f46473 | |
Service abuse: QuickBooks notification with suspicious comments | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-quickbooks-notification-with-suspicious-comments-a23d0950 | |
Service abuse: SendGrid-formatted link with actor-controlled fragment | Sublime Security | 3mo ago Nov 24th, 2025 | /feeds/core/detection-rules/service-abuse-sendgrid-formatted-link-with-actor-controlled-fragment-cb511fe9 | |
Service abuse: SurveyMonkey survey from newly registered domain | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-surveymonkey-survey-from-newly-registered-domain-50a85fa7 | |
Service abuse: Suspicious Zoom Docs link | Sublime Security | 3mo ago Dec 2nd, 2025 | /feeds/core/detection-rules/service-abuse-suspicious-zoom-docs-link-064b2594 | |
Service abuse: Task management message sent via SendGrid | Sublime Security | 5mo ago Oct 6th, 2025 | /feeds/core/detection-rules/service-abuse-task-management-message-sent-via-sendgrid-568a63f5 | |
Service abuse: Wix redirect through bulk mailer domains | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/service-abuse-wix-redirect-through-bulk-mailer-domains-60af216d | |
Sharepoint file share with suspicious recipients pattern | Sublime Security | 2y ago Mar 27th, 2024 | /feeds/core/detection-rules/sharepoint-file-share-with-suspicious-recipients-pattern-998a0826 | |
Sharepoint online with external recipients and external display name | @vector_sec | 3y ago Aug 17th, 2023 | /feeds/core/detection-rules/sharepoint-online-with-external-recipients-and-external-display-name-5579bb4b | |
Shopify infrastructure abuse | Sublime Security | 2y ago Nov 13th, 2024 | /feeds/core/detection-rules/shopify-infrastructure-abuse-844ff164 | |
Spam: BlackBaud infrastructure abuse | Sublime Security | 2y ago Jan 17th, 2024 | /feeds/core/detection-rules/spam-blackbaud-infrastructure-abuse-3db46591 | |
Spam: Fake photo share | Sublime Security | 4mo ago Nov 8th, 2025 | /feeds/core/detection-rules/spam-fake-photo-share-eb086f7d | |
Spam: Firebase password reset from suspicious sender | Sublime Security | 3mo ago Dec 2nd, 2025 | /feeds/core/detection-rules/spam-firebase-password-reset-from-suspicious-sender-a2f673a9 | |
Spam/fraud: Predatory journal/research paper request | Sublime Security | 4mo ago Nov 3rd, 2025 | /feeds/core/detection-rules/spamfraud-predatory-journalresearch-paper-request-263ca56b | |
Spam: Sendersrv.com with financial communications and unsubscribe language | Sublime Security | 14d ago Feb 24th, 2026 | /feeds/core/detection-rules/spam-sendersrvcom-with-financial-communications-and-unsubscribe-language-69570820 | |
Spam: Unsolicited malformed PDF | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/spam-unsolicited-malformed-pdf-f0c50031 | |
Subject and sender display name contains matching long alphanumeric string | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/subject-and-sender-display-name-contains-matching-long-alphanumeric-string-a8a0c831 | |
Subject: Suspicious bracketed reference | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/subject-suspicious-bracketed-reference-663dbce4 | |
Suspected cross-site scripting (XSS) found in subject | Sublime Security | 6mo ago Sep 4th, 2025 | /feeds/core/detection-rules/suspected-cross-site-scripting-xss-found-in-subject-8a946cfa | |
Suspected lookalike domain with suspicious language | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspected-lookalike-domain-with-suspicious-language-3674ced0 | |
Suspicious attachment: Duplicate decoy PDF files | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/suspicious-attachment-duplicate-decoy-pdf-files-79b9b2e7 | |
Suspicious attachment with unscannable Cloudflare link | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspicious-attachment-with-unscannable-cloudflare-link-00f92b6f | |
Suspicious DocuSign share from new domain | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/suspicious-docusign-share-from-new-domain-d430a1f3 | |
Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspicious-link-to-looker-studio-lookerstudiogooglecom-from-a-new-and-unsolicited-sender-dbb50cb4 | |
Suspicious message with unscannable Vercel link | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/suspicious-message-with-unscannable-vercel-link-b5acffe7 | |
Suspicious recipients pattern with NLU credential theft indicators | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspicious-recipients-pattern-with-nlu-credential-theft-indicators-8e121c3e | |
Suspicious sender display name with long procedurally generated text blob | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/suspicious-sender-display-name-with-long-procedurally-generated-text-blob-2a40b043 | |
Suspicious subject with long procedurally generated text blob | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/suspicious-subject-with-long-procedurally-generated-text-blob-e819593d | |
Truth Social infrastructure abuse via link redirect | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/truth-social-infrastructure-abuse-via-link-redirect-aaaa30a8 | |
Twitter infrastructure abuse via link shortener | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/twitter-infrastructure-abuse-via-link-shortener-99ca165e | |
Unicode QR code | Sublime Security | 6mo ago Aug 25th, 2025 | /feeds/core/detection-rules/unicode-qr-code-1a0bdd25 | |
Unusually long local part from untrusted sender address | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/unusually-long-local-part-from-untrusted-sender-address-91a9cd45 | |
URI protocol handler: search-ms | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/uri-protocol-handler-search-ms-ee27d9c0 | |
URL with Unicode U+2044 (⁄) or U+2215 (∕) characters | @delivr_to | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/url-with-unicode-u2044-or-u2215-characters-12069f5b | |
Vendor compromise: GovDelivery message with suspicious link | Sublime Security | 7mo ago Aug 5th, 2025 | /feeds/core/detection-rules/vendor-compromise-govdelivery-message-with-suspicious-link-0d2d5172 | |
Venmo payment request abuse | Sublime Security | 6mo ago Sep 5th, 2025 | /feeds/core/detection-rules/venmo-payment-request-abuse-4450639a | |
VIP impersonation: Fake thread with display name match, email mismatch | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/vip-impersonation-fake-thread-with-display-name-match-email-mismatch-11cc3e28 | |
VIP Impersonation via Google Group relay with suspicious indicators | Sublime Security | 3mo ago Nov 12th, 2025 | /feeds/core/detection-rules/vip-impersonation-via-google-group-relay-with-suspicious-indicators-57f9cd3b |