Sublime Security

Sublime Core Feed
YARA
Learn More
Login to Sublime
Attack Types
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Reconnaissance
Spam
Tactics and Techniques
Encryption
Evasion
Exploit
Free email provider
Free file host
Free subdomain host
HTML smuggling
Image as content
Impersonation: Brand
Impersonation: Employee
Impersonation: VIP
IPFS
ISO
LNK
Lookalike domain
Macros
OneNote
Open redirect
Out of band pivot
PDF
Punycode
QR code
Scripting
Social engineering
Spoofing
Detection Methods
Archive analysis
Content analysis
Computer Vision
Exif analysis
File analysis
Header analysis
HTML analysis
Javascript analysis
Macro analysis
Natural Language Understanding
Optical Character Recognition
OLE analysis
PDF analysis
QR code analysis
Sender analysis
Threat intelligence
URL analysis
URL screenshot
Whois
XML analysis
YARA
Detection Method: YARA
YARA detection scans email messages, attachments, and extracted content for known malware, phishing patterns, or suspicious code. This detection method uses the YARA pattern matching language, which lets your security team create specific signatures based on known malicious patterns, both textual and binary.
YARA detection can identify:
Known malware families based on their distinctive code patterns
Obfuscated scripts or executables using encoding techniques
Common phishing templates with structural similarities
Suspicious binary patterns that may indicate malicious functionality
Custom threats targeting specific organizations with tailored YARA rules
Blog Post
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
This post will cover a brief timeline of QakBot’s evolution, and focus primarily on recently observed attack techniques. We’ll discuss detection methodologies and share MQL rules that anyone can use to detect, prevent, and hunt for these threats in email environments today. If you're already running Sublime, you received these new protections automatically.
Attack Types (6):
Malware/Ransomware
Credential Phishing
BEC/Fraud
Callback Phishing
Extortion
Spam
Tactics & Techniques (10):
Encryption
Evasion
PDF
HTML smuggling
Scripting
Social engineering
Exploit
OneNote
LNK
Macros
Rule Name & Severity
Last Updated
Types, Tactics & Capabilities
Attachment: Password-protected PDF with fake document indicators
2d ago
Jan 21st, 2026
Sublime Security
Malware/Ransomware
Credential Phishing
Encryption
Evasion
PDF
File analysis
YARA
Exif analysis
Malware/Ransomware
Credential Phishing
Encryption
Evasion
PDF
File analysis
YARA
Exif analysis
/feeds/core/detection-rules/attachment-password-protected-pdf-with-fake-document-indicators-b45e4440
Attachment: HTML file with reference to recipient and suspicious patterns
11d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
HTML smuggling
Scripting
Content analysis
File analysis
HTML analysis
Javascript analysis
YARA
Credential Phishing
HTML smuggling
Scripting
Content analysis
File analysis
HTML analysis
Javascript analysis
YARA
/feeds/core/detection-rules/attachment-html-file-with-reference-to-recipient-and-suspicious-patterns-5333493d
Attachment: EML with Encrypted ZIP
11d ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Encryption
Evasion
Archive analysis
File analysis
YARA
Malware/Ransomware
Encryption
Evasion
Archive analysis
File analysis
YARA
/feeds/core/detection-rules/attachment-eml-with-encrypted-zip-6897a8f7
Link to auto-downloaded disk image in encrypted zip
11d ago
Jan 12th, 2026
Malware/Ransomware
Encryption
Evasion
Social engineering
Archive analysis
File analysis
Sender analysis
URL analysis
YARA
Malware/Ransomware
Encryption
Evasion
Social engineering
Archive analysis
File analysis
Sender analysis
URL analysis
YARA
/feeds/core/detection-rules/link-to-auto-downloaded-disk-image-in-encrypted-zip-b50f0cb1
Attachment: WinRAR CVE-2025-8088 exploitation
11d ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Exploit
Evasion
Archive analysis
File analysis
YARA
Malware/Ransomware
Exploit
Evasion
Archive analysis
File analysis
YARA
/feeds/core/detection-rules/attachment-winrar-cve-2025-8088-exploitation-33b3a82b
Attachment: Malicious OneNote commands
11d ago
Jan 12th, 2026
@Kyle_Parrish_
Malware/Ransomware
OneNote
Scripting
Archive analysis
Content analysis
File analysis
YARA
Malware/Ransomware
OneNote
Scripting
Archive analysis
Content analysis
File analysis
YARA
/feeds/core/detection-rules/attachment-malicious-onenote-commands-7319f0eb
Attachment: HTML file with excessive padding and suspicious patterns
11d ago
Jan 12th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
HTML smuggling
File analysis
HTML analysis
YARA
Credential Phishing
Malware/Ransomware
Evasion
HTML smuggling
File analysis
HTML analysis
YARA
/feeds/core/detection-rules/attachment-html-file-with-excessive-padding-and-suspicious-patterns-0a6aee1e
Link to auto-download of a suspicious file type (unsolicited)
11d ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Encryption
Evasion
LNK
Social engineering
Archive analysis
File analysis
Sender analysis
URL analysis
YARA
Malware/Ransomware
Encryption
Evasion
LNK
Social engineering
Archive analysis
File analysis
Sender analysis
URL analysis
YARA
/feeds/core/detection-rules/link-to-auto-download-of-a-suspicious-file-type-unsolicited-67ae2152
Encrypted Microsoft Office files from untrusted sender
5mo ago
Aug 5th, 2025
Sublime Security
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Spam
Encryption
Evasion
File analysis
YARA
Sender analysis
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Spam
Encryption
Evasion
File analysis
YARA
Sender analysis
/feeds/core/detection-rules/encrypted-microsoft-office-files-from-untrusted-sender-eb7b26e7
Attachment: DocX embedded binary
5mo ago
Aug 5th, 2025
Sublime Security
Malware/Ransomware
Evasion
Archive analysis
Content analysis
YARA
Malware/Ransomware
Evasion
Archive analysis
Content analysis
YARA
/feeds/core/detection-rules/attachment-docx-embedded-binary-feff0241
Link to auto-downloaded DMG in encrypted zip
6mo ago
Jul 16th, 2025
Sublime Security
Malware/Ransomware
Encryption
Evasion
Social engineering
Archive analysis
File analysis
Sender analysis
URL analysis
YARA
Malware/Ransomware
Encryption
Evasion
Social engineering
Archive analysis
File analysis
Sender analysis
URL analysis
YARA
/feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-encrypted-zip-43af98d3
Attachment with unscannable encrypted zip (unsolicited)
6mo ago
Jul 16th, 2025
Sublime Security
Malware/Ransomware
Encryption
Evasion
Archive analysis
File analysis
Sender analysis
YARA
Malware/Ransomware
Encryption
Evasion
Archive analysis
File analysis
Sender analysis
YARA
/feeds/core/detection-rules/attachment-with-unscannable-encrypted-zip-unsolicited-529d4a9a
Attachment: Malformed OLE file
2y ago
Nov 25th, 2024
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
File analysis
YARA
Credential Phishing
Malware/Ransomware
Evasion
File analysis
YARA
/feeds/core/detection-rules/attachment-malformed-ole-file-5aadc68f
Attachment: JavaScript file with suspicious base64-encoded executable
2y ago
Apr 1st, 2024
Sublime Security
Malware/Ransomware
Evasion
Scripting
Archive analysis
File analysis
YARA
Malware/Ransomware
Evasion
Scripting
Archive analysis
File analysis
YARA
/feeds/core/detection-rules/attachment-javascript-file-with-suspicious-base64-encoded-executable-b8db0cf3
Attachment: HTML smuggling with embedded base64-encoded executable
2y ago
Mar 25th, 2024
Sublime Security
Malware/Ransomware
Evasion
HTML smuggling
Archive analysis
File analysis
HTML analysis
YARA
Malware/Ransomware
Evasion
HTML smuggling
Archive analysis
File analysis
HTML analysis
YARA
/feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-encoded-executable-b00c4527
Attachment: Archive with embedded EXE file
2y ago
Feb 27th, 2024
Sublime Security
Malware/Ransomware
Evasion
Archive analysis
File analysis
YARA
Malware/Ransomware
Evasion
Archive analysis
File analysis
YARA
/feeds/core/detection-rules/attachment-archive-with-embedded-exe-file-e2b0ad86
Attachment: RTF with embedded content
2y ago
Feb 26th, 2024
@amitchell516
Malware/Ransomware
Evasion
File analysis
YARA
Malware/Ransomware
Evasion
File analysis
YARA
/feeds/core/detection-rules/attachment-rtf-with-embedded-content-61dd2dd7
Attachment: Archive contains DLL-loading macro
3y ago
Dec 28th, 2023
Sublime Security
Malware/Ransomware
Exploit
LNK
Macros
Scripting
Archive analysis
File analysis
Macro analysis
YARA
Malware/Ransomware
Exploit
LNK
Macros
Scripting
Archive analysis
File analysis
Macro analysis
YARA
/feeds/core/detection-rules/attachment-archive-contains-dll-loading-macro-3a193f5f

Rule Name & Severity	Last Updated	Author	Types, Tactics & Capabilities
Attachment: Password-protected PDF with fake document indicators	2d ago Jan 21st, 2026	Sublime Security	Malware/Ransomware Credential Phishing Encryption Evasion PDF File analysis YARA Exif analysis	/feeds/core/detection-rules/attachment-password-protected-pdf-with-fake-document-indicators-b45e4440
Attachment: HTML file with reference to recipient and suspicious patterns	11d ago Jan 12th, 2026	Sublime Security	Credential Phishing HTML smuggling Scripting Content analysis File analysis HTML analysis Javascript analysis YARA	/feeds/core/detection-rules/attachment-html-file-with-reference-to-recipient-and-suspicious-patterns-5333493d
Attachment: EML with Encrypted ZIP	11d ago Jan 12th, 2026	Sublime Security	Malware/Ransomware Encryption Evasion Archive analysis File analysis YARA	/feeds/core/detection-rules/attachment-eml-with-encrypted-zip-6897a8f7
Link to auto-downloaded disk image in encrypted zip	11d ago Jan 12th, 2026	@ajpc500	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA	/feeds/core/detection-rules/link-to-auto-downloaded-disk-image-in-encrypted-zip-b50f0cb1
Attachment: WinRAR CVE-2025-8088 exploitation	11d ago Jan 12th, 2026	Sublime Security	Malware/Ransomware Exploit Evasion Archive analysis File analysis YARA	/feeds/core/detection-rules/attachment-winrar-cve-2025-8088-exploitation-33b3a82b
Attachment: Malicious OneNote commands	11d ago Jan 12th, 2026	@Kyle_Parrish_	Malware/Ransomware OneNote Scripting Archive analysis Content analysis File analysis YARA	/feeds/core/detection-rules/attachment-malicious-onenote-commands-7319f0eb
Attachment: HTML file with excessive padding and suspicious patterns	11d ago Jan 12th, 2026	Sublime Security	Credential Phishing Malware/Ransomware Evasion HTML smuggling File analysis HTML analysis YARA	/feeds/core/detection-rules/attachment-html-file-with-excessive-padding-and-suspicious-patterns-0a6aee1e
Link to auto-download of a suspicious file type (unsolicited)	11d ago Jan 12th, 2026	Sublime Security	Malware/Ransomware Encryption Evasion LNK Social engineering Archive analysis File analysis Sender analysis URL analysis YARA	/feeds/core/detection-rules/link-to-auto-download-of-a-suspicious-file-type-unsolicited-67ae2152
Encrypted Microsoft Office files from untrusted sender	5mo ago Aug 5th, 2025	Sublime Security	BEC/Fraud Callback Phishing Credential Phishing Extortion Malware/Ransomware Spam Encryption Evasion File analysis YARA Sender analysis	/feeds/core/detection-rules/encrypted-microsoft-office-files-from-untrusted-sender-eb7b26e7
Attachment: DocX embedded binary	5mo ago Aug 5th, 2025	Sublime Security	Malware/Ransomware Evasion Archive analysis Content analysis YARA	/feeds/core/detection-rules/attachment-docx-embedded-binary-feff0241
Link to auto-downloaded DMG in encrypted zip	6mo ago Jul 16th, 2025	Sublime Security	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA	/feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-encrypted-zip-43af98d3
Attachment with unscannable encrypted zip (unsolicited)	6mo ago Jul 16th, 2025	Sublime Security	Malware/Ransomware Encryption Evasion Archive analysis File analysis Sender analysis YARA	/feeds/core/detection-rules/attachment-with-unscannable-encrypted-zip-unsolicited-529d4a9a
Attachment: Malformed OLE file	2y ago Nov 25th, 2024	Sublime Security	Credential Phishing Malware/Ransomware Evasion File analysis YARA	/feeds/core/detection-rules/attachment-malformed-ole-file-5aadc68f
Attachment: JavaScript file with suspicious base64-encoded executable	2y ago Apr 1st, 2024	Sublime Security	Malware/Ransomware Evasion Scripting Archive analysis File analysis YARA	/feeds/core/detection-rules/attachment-javascript-file-with-suspicious-base64-encoded-executable-b8db0cf3
Attachment: HTML smuggling with embedded base64-encoded executable	2y ago Mar 25th, 2024	Sublime Security	Malware/Ransomware Evasion HTML smuggling Archive analysis File analysis HTML analysis YARA	/feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-encoded-executable-b00c4527
Attachment: Archive with embedded EXE file	2y ago Feb 27th, 2024	Sublime Security	Malware/Ransomware Evasion Archive analysis File analysis YARA	/feeds/core/detection-rules/attachment-archive-with-embedded-exe-file-e2b0ad86
Attachment: RTF with embedded content	2y ago Feb 26th, 2024	@amitchell516	Malware/Ransomware Evasion File analysis YARA	/feeds/core/detection-rules/attachment-rtf-with-embedded-content-61dd2dd7
Attachment: Archive contains DLL-loading macro	3y ago Dec 28th, 2023	Sublime Security	Malware/Ransomware Exploit LNK Macros Scripting Archive analysis File analysis Macro analysis YARA	/feeds/core/detection-rules/attachment-archive-contains-dll-loading-macro-3a193f5f