Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Advance Fee Fraud (AFF) from freemail provider or suspicious TLD | Sublime Security | 9d ago Nov 3rd, 2025 | /feeds/core/detection-rules/advance-fee-fraud-aff-from-freemail-provider-or-suspicious-tld-6a5af373 | |
Attachment: Archive containing HTML file with file scheme link | Sublime Security | 3mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-archive-containing-html-file-with-file-scheme-link-edf6d0d9 | |
Attachment: Calendar invite from recently registered domain | Sublime Security | 1mo ago Sep 25th, 2025 | /feeds/core/detection-rules/attachment-calendar-invite-from-recently-registered-domain-d801521c | |
Attachment: Callback phishing solicitation via image file | @vector_sec | 1mo ago Sep 25th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-image-file-60acbb36 | |
Attachment: Callback phishing solicitation via pdf file | Sublime Security | 3mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097 | |
Attachment: Callback phishing solicitation via text-based file | Sublime Security | 1mo ago Sep 22nd, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-text-based-file-ca39c83a | |
Attachment: Compensation review lure with QR code | Sublime Security | 14d ago Oct 29th, 2025 | /feeds/core/detection-rules/attachment-compensation-review-lure-with-qr-code-9fd8185c | |
Attachment: DocuSign impersonation via PDF linking to new domain | Sublime Security | 3mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-docusign-impersonation-via-pdf-linking-to-new-domain-f0c96282 | |
Attachment: Dropbox image lure with no Dropbox domains in links | Sublime Security | 3mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-dropbox-image-lure-with-no-dropbox-domains-in-links-500eee2d | |
Attachment: EML containing a base64 encoded script | Sublime Security | 1y ago Jan 30th, 2024 | /feeds/core/detection-rules/attachment-eml-containing-a-base64-encoded-script-fc3d9445 | |
Attachment: EML with link to credential phishing page | Sublime Security | 3mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-eml-with-link-to-credential-phishing-page-1df41cca | |
Attachment: EML with SharePoint files shared from GoDaddy federated tenants | Sublime Security | 1mo ago Sep 23rd, 2025 | /feeds/core/detection-rules/attachment-eml-with-sharepoint-files-shared-from-godaddy-federated-tenants-02c1f590 | |
Attachment: EML with Sharepoint link likely unrelated to sender | Sublime Security | 1mo ago Sep 23rd, 2025 | /feeds/core/detection-rules/attachment-eml-with-sharepoint-link-likely-unrelated-to-sender-0a4fd31b | |
Attachment: EML with suspicious indicators | Sublime Security | 3mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-eml-with-suspicious-indicators-deb5d08d | |
Attachment: Encrypted PDF with credential theft body | Sublime Security | 4d ago Nov 8th, 2025 | /feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a | |
Attachment: Fake attachment image lure | Sublime Security | 1mo ago Sep 22nd, 2025 | /feeds/core/detection-rules/attachment-fake-attachment-image-lure-96b8b285 | |
Attachment: Fake scan-to-email | Sublime Security | 1mo ago Sep 22nd, 2025 | /feeds/core/detection-rules/attachment-fake-scan-to-email-ea850cc1 | |
Attachment: Fake secure message and suspicious indicators | Sublime Security | 3mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-fake-secure-message-and-suspicious-indicators-20a34d94 | |
Attachment: Fake Slack installer | Sublime Security | 2y ago Nov 29th, 2023 | /feeds/core/detection-rules/attachment-fake-slack-installer-cded2d2f | |
Attachment: Fake voicemail via PDF | Sublime Security | 3mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-fake-voicemail-via-pdf-d3587209 | |
Attachment: Fake Zoom installer | Sublime Security | 2y ago Nov 29th, 2023 | /feeds/core/detection-rules/attachment-fake-zoom-installer-840a12a6 | |
Attachment: Fictitious invoice using LinkedIn's address | Sublime Security | 2mo ago Sep 3rd, 2025 | /feeds/core/detection-rules/attachment-fictitious-invoice-using-linkedins-address-aeee3d9f | |
Attachment: HTML smuggling Microsoft sign in | Sublime Security | 3mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-html-smuggling-microsoft-sign-in-878d6385 | |
Attachment: HTML smuggling with embedded base64 streamed file download | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-streamed-file-download-e04de4e2 | |
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns | Sublime Security | 1y ago Aug 27th, 2024 | /feeds/core/detection-rules/attachment-html-smuggling-with-excessive-string-concatenation-and-suspicious-patterns-e34fce8d | |
Attachment: HTML with emoji-to-character map | Sublime Security | 3mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-html-with-emoji-to-character-map-3119d086 | |
Attachment: Legal themed message with PDF containing suspicious link | Sublime Security | 3mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-legal-themed-message-with-pdf-containing-suspicious-link-19133301 | |
Attachment: Link to Doubleclick.net open redirect | Sublime Security | 3mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-link-to-doubleclicknet-open-redirect-506c16cc | |
Attachment: Microsoft 365 credential phishing | Sublime Security | 3mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-microsoft-365-credential-phishing-edce0229 | |
Attachment: Microsoft impersonation via PDF with link and suspicious language | Sublime Security | 3mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-microsoft-impersonation-via-pdf-with-link-and-suspicious-language-70d41c7f | |
Attachment: Office file contains OLE relationship to credential phishing page | Sublime Security | 3mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-office-file-contains-ole-relationship-to-credential-phishing-page-d55793d0 | |
Attachment: Office file with credential phishing URLs | Sublime Security | 2mo ago Sep 2nd, 2025 | /feeds/core/detection-rules/attachment-office-file-with-credential-phishing-urls-b2cae98d | |
Attachment: Office file with document sharing and browser instruction lures | Sublime Security | 27d ago Oct 16th, 2025 | /feeds/core/detection-rules/attachment-office-file-with-document-sharing-and-browser-instruction-lures-b1250a4b | |
Attachment: PDF file with link to fake Bitcoin exchange | Sublime Security | 3mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-pdf-file-with-link-to-fake-bitcoin-exchange-47601cb7 | |
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited) | Sublime Security | 3mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-pdf-with-credential-theft-language-and-link-to-a-free-subdomain-unsolicited-90f4ef4e | |
Attachment: PDF with Microsoft Purview message impersonation | Sublime Security | 2d ago Nov 10th, 2025 | /feeds/core/detection-rules/attachment-pdf-with-microsoft-purview-message-impersonation-571d4964 | |
Attachment: PDF with recipient email in link | Sublime Security | 1mo ago Oct 10th, 2025 | /feeds/core/detection-rules/attachment-pdf-with-recipient-email-in-link-0399d08f | |
Attachment: QR code link with base64-encoded recipient address | Sublime Security | 3mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a | |
Attachment: QR code with credential phishing indicators | Sublime Security | 2mo ago Sep 4th, 2025 | /feeds/core/detection-rules/attachment-qr-code-with-credential-phishing-indicators-9f1681e1 | |
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender | Sublime Security | 8d ago Nov 4th, 2025 | /feeds/core/detection-rules/attachment-rfc822-containing-suspicious-file-sharing-language-with-links-from-untrusted-sender-d96854d7 | |
Attachment: RFP/RFQ impersonating government entities | Sublime Security | 1y ago Jan 30th, 2024 | /feeds/core/detection-rules/attachment-rfprfq-impersonating-government-entities-3b73e3b3 | |
Attachment: Small text file with link containing recipient email address | Sublime Security | 3mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-small-text-file-with-link-containing-recipient-email-address-c0472c9d | |
Attachment: Soda PDF producer with encryption themes | Sublime Security | 3mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-soda-pdf-producer-with-encryption-themes-af8eeca4 | |
Attachment: Suspicious employee policy update document lure | Sublime Security | 14d ago Oct 29th, 2025 | /feeds/core/detection-rules/attachment-suspicious-employee-policy-update-document-lure-a8bf1fd1 | |
Attachment: USDA bid invitation impersonation | Sublime Security | 3mo ago Aug 5th, 2025 | /feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493 | |
Attachment with VBA macros from employee impersonation (unsolicited) | Sublime Security | 3mo ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-with-vba-macros-from-employee-impersonation-unsolicited-9b262123 | |
BEC: Employee impersonation with subject manipulation | Sublime Security | 3mo ago Jul 16th, 2025 | /feeds/core/detection-rules/bec-employee-impersonation-with-subject-manipulation-9adfc77b | |
BEC/Fraud: Generic scam attempt to undisclosed recipients | Sublime Security | 3mo ago Aug 5th, 2025 | /feeds/core/detection-rules/becfraud-generic-scam-attempt-to-undisclosed-recipients-5dac401f | |
BEC/Fraud: Penpal scam | Sublime Security | 3mo ago Aug 5th, 2025 | /feeds/core/detection-rules/becfraud-penpal-scam-a4bdfa17 | |
BEC/Fraud: Romance scam | Sublime Security | 3mo ago Aug 5th, 2025 | /feeds/core/detection-rules/becfraud-romance-scam-0243cdaa |