- Malware/Ransomware
Attack Types
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Reconnaissance
Spam
Tactics and Techniques
Encryption
Evasion
Exploit
Free email provider
Free file host
Free subdomain host
HTML smuggling
Image as content
Impersonation: Brand
Impersonation: Employee
Impersonation: VIP
IPFS
ISO
LNK
Lookalike domain
Macros
OneNote
Open redirect
Out of band pivot
PDF
Punycode
QR code
Scripting
Social engineering
Spoofing
Detection Methods
Archive analysis
Content analysis
Computer Vision
Exif analysis
File analysis
Header analysis
HTML analysis
Javascript analysis
Macro analysis
Natural Language Understanding
Optical Character Recognition
OLE analysis
PDF analysis
QR code analysis
Sender analysis
Threat intelligence
URL analysis
URL screenshot
Whois
XML analysis
YARA
Attack Type: Malware/Ransomware
Malware and Ransomware attacks are designed to infect your system through things like fake invoices, password-protected attachments, or files disguised as routine business documents. Once opened, they quietly install malicious software that can steal data, encrypt files, or open the door for more serious threats.
You might see things like macro-enabled Office documents, HTML attachments, or ZIP files that require a password. These are tricks to get around email filters and convince you to interact. Once the malware runs, it can connect to attacker-controlled servers, spread across your network, and even bring in more payloads.
Ransomware is especially damaging. It locks up your files and demands a payment—usually in cryptocurrency—to get them back. Some attackers also steal data and threaten to leak it if the ransom isn’t paid, a tactic known as double extortion. The impact can be severe, including downtime, lost data, financial loss, and reputational damage.
Blog Posts
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Abusing Discord to deliver Agent Tesla malware · Blog · Sublime Security
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Tactics & Techniques (24):
Detection Methods (20):
Sender analysis
URL analysis
File analysis
Threat intelligence
Whois
Content analysis
Header analysis
Natural Language Understanding
Archive analysis
Javascript analysis
YARA
Exif analysis
Macro analysis
Optical Character Recognition
XML analysis
OLE analysis
HTML analysis
Computer Vision
URL screenshot
QR code analysis
Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Link: Direct download of executable file | 3d ago Mar 2nd, 2026 | Sublime Security | /feeds/core/detection-rules/link-direct-download-of-executable-file-dbbfd077 | |
Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification | 3d ago Mar 2nd, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-pdf-object-hash-encrypted-pdfs-with-fake-payment-notification-a8a19bae | |
Link: Multistage landing - ClickUp abuse | 6d ago Feb 27th, 2026 | Sublime Security | /feeds/core/detection-rules/link-multistage-landing-clickup-abuse-78a5d035 | |
Link: URL redirecting to blob URL | 9d ago Feb 24th, 2026 | Sublime Security | /feeds/core/detection-rules/link-url-redirecting-to-blob-url-1677135b | |
Link: Free file hosting with undisclosed recipients | 10d ago Feb 23rd, 2026 | Sublime Security | /feeds/core/detection-rules/link-free-file-hosting-with-undisclosed-recipients-b6281306 | |
Attachment: PDF with password in filename matching body text | 14d ago Feb 19th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-pdf-with-password-in-filename-matching-body-text-2c9c3b24 | |
Link: Direct MSI download from low reputation domain | 14d ago Feb 19th, 2026 | Sublime Security | /feeds/core/detection-rules/link-direct-msi-download-from-low-reputation-domain-1eb77537 | |
Russia return-path TLD (untrusted sender) | 20d ago Feb 13th, 2026 | Sublime Security | /feeds/core/detection-rules/russia-return-path-tld-untrusted-sender-588b3954 | |
File sharing link from suspicious sender domain | 20d ago Feb 13th, 2026 | Sublime Security | /feeds/core/detection-rules/file-sharing-link-from-suspicious-sender-domain-95f20354 | |
Attachment: Self-sender PDF with minimal content and view prompt | 21d ago Feb 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-self-sender-pdf-with-minimal-content-and-view-prompt-07670a8c | |
Open redirect: embluemail.com | 21d ago Feb 12th, 2026 | Sublime Security | /feeds/core/detection-rules/open-redirect-embluemailcom-48c5abd3 | |
Anthropic Magic String in HTML | 24d ago Feb 9th, 2026 | Sublime Security | /feeds/core/detection-rules/anthropic-magic-string-in-html-d860c6a8 | |
Attachment: cmd file extension | 24d ago Feb 9th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-cmd-file-extension-a902b8ed | |
New link domain (<=10d) from untrusted sender | 27d ago Feb 6th, 2026 | Sublime Security | /feeds/core/detection-rules/new-link-domain-less10d-from-untrusted-sender-4805b0e6 | |
macOS malware: Compiled AppleScript with document double-extension | 28d ago Feb 5th, 2026 | Sublime Security | /feeds/core/detection-rules/macos-malware-compiled-applescript-with-document-double-extension-9669c169 | |
Link: 9WOLF phishkit initial landing URI | 1mo ago Jan 30th, 2026 | Sublime Security | /feeds/core/detection-rules/link-9wolf-phishkit-initial-landing-uri-a165e206 | |
Attachment: ICS with embedded Javascript in SVG file | 1mo ago Jan 29th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-ics-with-embedded-javascript-in-svg-file-d5201a19 | |
Attachment: Employment contract update with suspicious file naming | 1mo ago Jan 28th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-employment-contract-update-with-suspicious-file-naming-8bdcd2da | |
Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK | 1mo ago Jan 28th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-ms-office-or-rtf-file-with-shellexplorer1-com-object-with-embedded-lnk-53a29f61 | |
Attachment: Password-protected PDF with fake document indicators | 1mo ago Jan 21st, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-password-protected-pdf-with-fake-document-indicators-b45e4440 |
Page 1 of 15