Detection Method: YARA

YARA detection scans email messages, attachments, and extracted content for known malware, phishing patterns, or suspicious code. This detection method uses the YARA pattern matching language, which lets your security team create specific signatures based on known malicious patterns, both textual and binary.
YARA detection can identify:
  • Known malware families based on their distinctive code patterns
  • Obfuscated scripts or executables using encoding techniques
  • Common phishing templates with structural similarities
  • Suspicious binary patterns that may indicate malicious functionality
  • Custom threats targeting specific organizations with tailored YARA rules
Blog Post
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
This post will cover a brief timeline of QakBot’s evolution, and focus primarily on recently observed attack techniques. We’ll discuss detection methodologies and share MQL rules that anyone can use to detect, prevent, and hunt for these threats in email environments today. If you're already running Sublime, you received these new protections automatically.
Attack Types (6):
Malware/Ransomware
Credential Phishing
BEC/Fraud
Callback Phishing
Extortion
Spam
Tactics & Techniques (9):
Encryption
Evasion
LNK
Social engineering
HTML smuggling
Scripting
Exploit
OneNote
Macros
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Link to auto-download of a suspicious file type (unsolicited)
1mo ago
Nov 18th, 2025
Sublime Security
Malware/Ransomware
Encryption
Evasion
LNK
Social engineering
Archive analysis
File analysis
Sender analysis
URL analysis
YARA
/feeds/core/detection-rules/link-to-auto-download-of-a-suspicious-file-type-unsolicited-67ae2152
Attachment: HTML file with reference to recipient and suspicious patterns
1mo ago
Nov 4th, 2025
Sublime Security
Credential Phishing
HTML smuggling
Scripting
Content analysis
File analysis
HTML analysis
Javascript analysis
YARA
/feeds/core/detection-rules/attachment-html-file-with-reference-to-recipient-and-suspicious-patterns-5333493d
Attachment: EML with Encrypted ZIP
1mo ago
Nov 4th, 2025
Sublime Security
Malware/Ransomware
Encryption
Evasion
Archive analysis
File analysis
YARA
/feeds/core/detection-rules/attachment-eml-with-encrypted-zip-6897a8f7
Attachment: WinRAR CVE-2025-8088 exploitation
4mo ago
Aug 12th, 2025
Sublime Security
Malware/Ransomware
Exploit
Evasion
Archive analysis
File analysis
YARA
/feeds/core/detection-rules/attachment-winrar-cve-2025-8088-exploitation-33b3a82b
Attachment: Malicious OneNote commands
5mo ago
Aug 5th, 2025
@Kyle_Parrish_
Malware/Ransomware
OneNote
Scripting
Archive analysis
Content analysis
File analysis
YARA
/feeds/core/detection-rules/attachment-malicious-onenote-commands-7319f0eb
Attachment: DocX embedded binary
5mo ago
Aug 5th, 2025
Sublime Security
Malware/Ransomware
Evasion
Archive analysis
Content analysis
YARA
/feeds/core/detection-rules/attachment-docx-embedded-binary-feff0241
Encrypted Microsoft Office files from untrusted sender
5mo ago
Aug 5th, 2025
Sublime Security
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Spam
Encryption
Evasion
File analysis
YARA
Sender analysis
/feeds/core/detection-rules/encrypted-microsoft-office-files-from-untrusted-sender-eb7b26e7
Attachment with unscannable encrypted zip (unsolicited)
5mo ago
Jul 16th, 2025
Sublime Security
Malware/Ransomware
Encryption
Evasion
Archive analysis
File analysis
Sender analysis
YARA
/feeds/core/detection-rules/attachment-with-unscannable-encrypted-zip-unsolicited-529d4a9a
Link to auto-downloaded disk image in encrypted zip
5mo ago
Jul 16th, 2025
@ajpc500
Malware/Ransomware
Encryption
Evasion
Social engineering
Archive analysis
File analysis
Sender analysis
URL analysis
YARA
/feeds/core/detection-rules/link-to-auto-downloaded-disk-image-in-encrypted-zip-b50f0cb1
Link to auto-downloaded DMG in encrypted zip
5mo ago
Jul 16th, 2025
Sublime Security
Malware/Ransomware
Encryption
Evasion
Social engineering
Archive analysis
File analysis
Sender analysis
URL analysis
YARA
/feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-encrypted-zip-43af98d3
Attachment: Malformed OLE file
2y ago
Nov 25th, 2024
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
File analysis
YARA
/feeds/core/detection-rules/attachment-malformed-ole-file-5aadc68f
Attachment: JavaScript file with suspicious base64-encoded executable
2y ago
Apr 1st, 2024
Sublime Security
Malware/Ransomware
Evasion
Scripting
Archive analysis
File analysis
YARA
/feeds/core/detection-rules/attachment-javascript-file-with-suspicious-base64-encoded-executable-b8db0cf3
Attachment: HTML smuggling with embedded base64-encoded executable
2y ago
Mar 25th, 2024
Sublime Security
Malware/Ransomware
Evasion
HTML smuggling
Archive analysis
File analysis
HTML analysis
YARA
/feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-encoded-executable-b00c4527
Attachment: Archive with embedded EXE file
2y ago
Feb 27th, 2024
Sublime Security
Malware/Ransomware
Evasion
Archive analysis
File analysis
YARA
/feeds/core/detection-rules/attachment-archive-with-embedded-exe-file-e2b0ad86
Attachment: RTF with embedded content
2y ago
Feb 26th, 2024
@amitchell516
Malware/Ransomware
Evasion
File analysis
YARA
/feeds/core/detection-rules/attachment-rtf-with-embedded-content-61dd2dd7
Attachment: Archive contains DLL-loading macro
3y ago
Dec 28th, 2023
Sublime Security
Malware/Ransomware
Exploit
LNK
Macros
Scripting
Archive analysis
File analysis
Macro analysis
YARA
/feeds/core/detection-rules/attachment-archive-contains-dll-loading-macro-3a193f5f
Attachment: HTML file with excessive padding and suspicious patterns
3y ago
Aug 21st, 2023
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
HTML smuggling
File analysis
HTML analysis
YARA
/feeds/core/detection-rules/attachment-html-file-with-excessive-padding-and-suspicious-patterns-0a6aee1e