- Malware/Ransomware
Attack Types
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Reconnaissance
Spam
Tactics and Techniques
Encryption
Evasion
Exploit
Free email provider
Free file host
Free subdomain host
HTML smuggling
Image as content
Impersonation: Brand
Impersonation: Employee
Impersonation: VIP
IPFS
ISO
LNK
Lookalike domain
Macros
OneNote
Open redirect
Out of band pivot
PDF
Punycode
QR code
Scripting
Social engineering
Spoofing
Detection Methods
Archive analysis
Content analysis
Computer Vision
Exif analysis
File analysis
Header analysis
HTML analysis
Javascript analysis
Macro analysis
Natural Language Understanding
Optical Character Recognition
OLE analysis
PDF analysis
QR code analysis
Sender analysis
Threat intelligence
URL analysis
URL screenshot
Whois
XML analysis
YARA
Attack Type: Malware/Ransomware
Malware and Ransomware attacks are designed to infect your system through things like fake invoices, password-protected attachments, or files disguised as routine business documents. Once opened, they quietly install malicious software that can steal data, encrypt files, or open the door for more serious threats.
You might see things like macro-enabled Office documents, HTML attachments, or ZIP files that require a password. These are tricks to get around email filters and convince you to interact. Once the malware runs, it can connect to attacker-controlled servers, spread across your network, and even bring in more payloads.
Ransomware is especially damaging. It locks up your files and demands a payment—usually in cryptocurrency—to get them back. Some attackers also steal data and threaten to leak it if the ransom isn’t paid, a tactic known as double extortion. The impact can be severe, including downtime, lost data, financial loss, and reputational damage.
Blog Posts
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Abusing Discord to deliver Agent Tesla malware · Blog · Sublime Security
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Tactics & Techniques (24):
Detection Methods (20):
Content analysis
File analysis
Sender analysis
URL analysis
Archive analysis
Whois
Header analysis
Threat intelligence
Javascript analysis
YARA
Exif analysis
Computer Vision
HTML analysis
QR code analysis
OLE analysis
Macro analysis
Natural Language Understanding
Optical Character Recognition
XML analysis
URL screenshot
Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Attachment: Self-sender PDF with minimal content and view prompt | 5h ago Feb 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-self-sender-pdf-with-minimal-content-and-view-prompt-07670a8c | |
Open redirect: embluemail.com | 6h ago Feb 12th, 2026 | Sublime Security | /feeds/core/detection-rules/open-redirect-embluemailcom-48c5abd3 | |
Anthropic Magic String in HTML | 3d ago Feb 9th, 2026 | Sublime Security | /feeds/core/detection-rules/anthropic-magic-string-in-html-d860c6a8 | |
Attachment: cmd file extension | 3d ago Feb 9th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-cmd-file-extension-a902b8ed | |
New link domain (<=10d) from untrusted sender | 6d ago Feb 6th, 2026 | Sublime Security | /feeds/core/detection-rules/new-link-domain-less10d-from-untrusted-sender-4805b0e6 | |
macOS malware: Compiled AppleScript with document double-extension | 7d ago Feb 5th, 2026 | Sublime Security | /feeds/core/detection-rules/macos-malware-compiled-applescript-with-document-double-extension-9669c169 | |
Link: 9WOLF phishkit initial landing URI | 13d ago Jan 30th, 2026 | Sublime Security | /feeds/core/detection-rules/link-9wolf-phishkit-initial-landing-uri-a165e206 | |
Attachment: ICS with embedded Javascript in SVG file | 14d ago Jan 29th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-ics-with-embedded-javascript-in-svg-file-d5201a19 | |
Attachment: Employment contract update with suspicious file naming | 15d ago Jan 28th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-employment-contract-update-with-suspicious-file-naming-8bdcd2da | |
Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK | 15d ago Jan 28th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-ms-office-or-rtf-file-with-shellexplorer1-com-object-with-embedded-lnk-53a29f61 | |
Attachment: Password-protected PDF with fake document indicators | 22d ago Jan 21st, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-password-protected-pdf-with-fake-document-indicators-b45e4440 | |
Link: Excessive URL rewrite encoders | 22d ago Jan 21st, 2026 | Sublime Security | /feeds/core/detection-rules/link-excessive-url-rewrite-encoders-b88e53a7 | |
Open redirect: tkqlhce.com | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/open-redirect-tkqlhcecom-44eef073 | |
Brand impersonation: Sharepoint fake file share | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/brand-impersonation-sharepoint-fake-file-share-ff8b296b | |
Link to Google Apps Script macro via comment tagging | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/link-to-google-apps-script-macro-via-comment-tagging-66fecd30 | |
Suspicious Links to Cloudflare R2 and Edge Services | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/suspicious-links-to-cloudflare-r2-and-edge-services-5dd3e5c8 | |
Attachment: Calendar file with invisible Unicode characters | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/attachment-calendar-file-with-invisible-unicode-characters-050fceac | |
Subject and sender display name contains matching long alphanumeric string | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/subject-and-sender-display-name-contains-matching-long-alphanumeric-string-a8a0c831 | |
Link: IPv4-mapped IPv6 address obfuscation | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/link-ipv4-mapped-ipv6-address-obfuscation-caacf30c | |
Open redirect: secondstreetapp.com | 1mo ago Jan 12th, 2026 | Sublime Security | /feeds/core/detection-rules/open-redirect-secondstreetappcom-6767888d |
Page 1 of 14