Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Adobe branded PDF file linking to a password-protected file from untrusted sender | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/adobe-branded-pdf-file-linking-to-a-password-protected-file-from-untrusted-sender-5ea75469 | |
Attachment: Archive with pdf, txt and wsf files | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-archive-with-pdf-txt-and-wsf-files-16b2e239 | |
Attachment: Callback phishing solicitation via pdf file | Sublime Security | 6mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097 | |
Attachment: Compensation review lure with QR code | Sublime Security | 2mo ago Dec 10th, 2025 | /feeds/core/detection-rules/attachment-compensation-review-lure-with-qr-code-9fd8185c | |
Attachment: Decoy PDF author (Julie P.) | Sublime Security | 6mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-decoy-pdf-author-julie-p-4324213a | |
Attachment: DocuSign impersonation via PDF linking to new domain | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-docusign-impersonation-via-pdf-linking-to-new-domain-f0c96282 | |
Attachment: Encrypted PDF with credential theft body | Sublime Security | 2mo ago Dec 1st, 2025 | /feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a | |
Attachment: Fake scan-to-email | Sublime Security | 4mo ago Sep 22nd, 2025 | /feeds/core/detection-rules/attachment-fake-scan-to-email-ea850cc1 | |
Attachment: Fake voicemail via PDF | Sublime Security | 6mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-fake-voicemail-via-pdf-d3587209 | |
Attachment: Fictitious invoice using LinkedIn's address | Sublime Security | 5mo ago Sep 3rd, 2025 | /feeds/core/detection-rules/attachment-fictitious-invoice-using-linkedins-address-aeee3d9f | |
Attachment: Invoice and W-9 PDFs with suspicious creators | Sublime Security | 22d ago Jan 21st, 2026 | /feeds/core/detection-rules/attachment-invoice-and-w-9-pdfs-with-suspicious-creators-305d6e32 | |
Attachment: Legal themed message or PDF with suspicious indicators | Sublime Security | 7d ago Feb 5th, 2026 | /feeds/core/detection-rules/attachment-legal-themed-message-or-pdf-with-suspicious-indicators-19133301 | |
Attachment: Microsoft impersonation via PDF with link and suspicious language | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-microsoft-impersonation-via-pdf-with-link-and-suspicious-language-70d41c7f | |
Attachment: Password-protected PDF with fake document indicators | Sublime Security | 22d ago Jan 21st, 2026 | /feeds/core/detection-rules/attachment-password-protected-pdf-with-fake-document-indicators-b45e4440 | |
Attachment: PDF contains W9 or invoice YARA signatures | Sublime Security | 8d ago Feb 4th, 2026 | /feeds/core/detection-rules/attachment-pdf-contains-w9-or-invoice-yara-signatures-9a8e8a98 | |
Attachment: PDF file with link to fake Bitcoin exchange | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-link-to-fake-bitcoin-exchange-47601cb7 | |
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited) | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-links-to-suspicious-filetypes-unsolicited-6144f880 | |
Attachment: PDF file with low reputation link to ZIP file (unsolicited) | Michael Tingle | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-link-to-zip-file-unsolicited-d1ee2859 | |
Attachment: PDF generated with wkhtmltopdf tool and default title | Sublime Security | 1mo ago Dec 19th, 2025 | /feeds/core/detection-rules/attachment-pdf-generated-with-wkhtmltopdf-tool-and-default-title-64e6c8a8 | |
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited) | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-credential-theft-language-and-link-to-a-free-subdomain-unsolicited-90f4ef4e | |
Attachment: PDF with link to DMG file download | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-link-to-dmg-file-download-2c486fe0 | |
Attachment: PDF with link to zip containing a wsf file | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-link-to-zip-containing-a-wsf-file-93bc7db4 | |
Attachment: PDF with Microsoft Purview message impersonation | Sublime Security | 3mo ago Nov 10th, 2025 | /feeds/core/detection-rules/attachment-pdf-with-microsoft-purview-message-impersonation-571d4964 | |
Attachment: PDF with personal Microsoft OneNote URL | Sublime Security | 2mo ago Dec 4th, 2025 | /feeds/core/detection-rules/attachment-pdf-with-personal-microsoft-onenote-url-0675bbc5 | |
Attachment: PDF with recipient email in link | Sublime Security | 22d ago Jan 21st, 2026 | /feeds/core/detection-rules/attachment-pdf-with-recipient-email-in-link-0399d08f | |
Attachment: PDF with suspicious HeadlessChrome metadata | Sublime Security | 1mo ago Jan 8th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-headlesschrome-metadata-eda99b1d | |
Attachment: PDF with suspicious language and redirect to suspicious file type | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-language-and-redirect-to-suspicious-file-type-adda3c3f | |
Attachment: QR code link with base64-encoded recipient address | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a | |
Attachment: QR code with userinfo portion | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/attachment-qr-code-with-userinfo-portion-9d62cc5c | |
Attachment: RFP/RFQ impersonating government entities | Sublime Security | 2y ago Jan 30th, 2024 | /feeds/core/detection-rules/attachment-rfprfq-impersonating-government-entities-3b73e3b3 | |
Attachment: Self-sender PDF with minimal content and view prompt | Sublime Security | 4h ago Feb 12th, 2026 | /feeds/core/detection-rules/attachment-self-sender-pdf-with-minimal-content-and-view-prompt-07670a8c | |
Attachment: Soda PDF producer with encryption themes | Sublime Security | 6mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-soda-pdf-producer-with-encryption-themes-af8eeca4 | |
Attachment: Suspicious employee policy update document lure | Sublime Security | 1mo ago Dec 26th, 2025 | /feeds/core/detection-rules/attachment-suspicious-employee-policy-update-document-lure-a8bf1fd1 | |
Attachment: Suspicious PDF created with headless browser | Sublime Security | 4mo ago Sep 17th, 2025 | /feeds/core/detection-rules/attachment-suspicious-pdf-created-with-headless-browser-8f3108d7 | |
Attachment: USDA bid invitation impersonation | Sublime Security | 6mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493 | |
Brand impersonation: Adobe (QR code) | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/brand-impersonation-adobe-qr-code-2fc36c6d | |
Brand impersonation: DocuSign PDF attachment with suspicious link | Sublime Security | 3mo ago Oct 22nd, 2025 | /feeds/core/detection-rules/brand-impersonation-docusign-pdf-attachment-with-suspicious-link-2601cbb7 | |
Brand impersonation: DocuSign (QR code) | Sublime Security | 4mo ago Oct 15th, 2025 | /feeds/core/detection-rules/brand-impersonation-docusign-qr-code-0b16c28a | |
Brand Impersonation: Google (QR Code) | Sublime Security | 3mo ago Oct 17th, 2025 | /feeds/core/detection-rules/brand-impersonation-google-qr-code-7ffd184c | |
Brand impersonation: Microsoft (QR code) | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/brand-impersonation-microsoft-qr-code-ed0f772a | |
Brand impersonation: SharePoint PDF attachment with credential theft language | Sublime Security | 3mo ago Nov 7th, 2025 | /feeds/core/detection-rules/brand-impersonation-sharepoint-pdf-attachment-with-credential-theft-language-ae3756fa | |
Callback phishing: Social Security Administration fraud | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/callback-phishing-social-security-administration-fraud-a9049d52 | |
Credential phishing: Tax form impersonation with payment request | Sublime Security | 5mo ago Sep 10th, 2025 | /feeds/core/detection-rules/credential-phishing-tax-form-impersonation-with-payment-request-717695cf | |
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender | Sublime Security | 1y ago Feb 3rd, 2025 | /feeds/core/detection-rules/extortion-sextortion-pdf-attachment-leveraging-breach-data-from-freemail-sender-efb5a213 | |
Link: PDF filename impersonation with credential theft language | Sublime Security | 5h ago Feb 12th, 2026 | /feeds/core/detection-rules/link-pdf-filename-impersonation-with-credential-theft-language-05931513 | |
Link: Uncommon SharePoint document type with sender's display name | Sublime Security | 6mo ago Aug 5th, 2025 | /feeds/core/detection-rules/link-uncommon-sharepoint-document-type-with-senders-display-name-02d290b2 | |
PDF attachment with Google (AE) redirecting to a php or zip file | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/pdf-attachment-with-google-ae-redirecting-to-a-php-or-zip-file-57ae513f | |
Sharepoint link likely unrelated to sender | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/sharepoint-link-likely-unrelated-to-sender-6870f489 | |
Spam: Unsolicited malformed PDF | Sublime Security | 7mo ago Jul 16th, 2025 | /feeds/core/detection-rules/spam-unsolicited-malformed-pdf-f0c50031 | |
Stripe invoice abuse | Sublime Security | 1mo ago Jan 12th, 2026 | /feeds/core/detection-rules/stripe-invoice-abuse-90162d16 |