Detection Method: YARA

YARA detection scans email messages, attachments, and extracted content for known malware, phishing patterns, or suspicious code. This detection method uses the YARA pattern matching language, which lets your security team create specific signatures based on known malicious patterns, both textual and binary.
YARA detection can identify:
  • Known malware families based on their distinctive code patterns
  • Obfuscated scripts or executables using encoding techniques
  • Common phishing templates with structural similarities
  • Suspicious binary patterns that may indicate malicious functionality
  • Custom threats targeting specific organizations with tailored YARA rules
Blog Post
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
This post will cover a brief timeline of QakBot’s evolution, and focus primarily on recently observed attack techniques. We’ll discuss detection methodologies and share MQL rules that anyone can use to detect, prevent, and hunt for these threats in email environments today. If you're already running Sublime, you received these new protections automatically.
Attack Types (6):
Malware/Ransomware
Credential Phishing
BEC/Fraud
Callback Phishing
Extortion
Spam
Tactics & Techniques (12):
PDF
Social engineering
Encryption
Evasion
Impersonation: Brand
QR code
Exploit
OneNote
Scripting
HTML smuggling
LNK
Macros
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Attachment: Fake PDF Invoices Yara
7d ago
Jun 16th, 2026
Sublime Security
Malware/Ransomware
Credential Phishing
PDF
Social engineering
Content analysis
File analysis
YARA
Attachment: PDF with fake invoice using suspicious font sizing
14d ago
Jun 9th, 2026
Sublime Security
BEC/Fraud
Callback Phishing
PDF
Social engineering
File analysis
YARA
Content analysis
Attachment: Encrypted PDF With Credential Harvesting Indicators
18d ago
Jun 5th, 2026
Sublime Security
Credential Phishing
Encryption
Evasion
PDF
File analysis
YARA
Attachment: PDF with blurry lure image
18d ago
Jun 5th, 2026
Sublime Security
Credential Phishing
PDF
File analysis
YARA
Attachment: PDF with eCheckRun lures
18d ago
Jun 5th, 2026
Sublime Security
Credential Phishing
PDF
File analysis
YARA
Attachment: Adobe Sign lure PDF with embedded banner images
20d ago
Jun 3rd, 2026
Sublime Security
Credential Phishing
PDF
Impersonation: Brand
File analysis
YARA
Attachment with unscannable encrypted zip
1mo ago
Apr 30th, 2026
Sublime Security
Malware/Ransomware
Encryption
Evasion
Archive analysis
File analysis
YARA
Attachment: PDF with suspicious view document characteristics
2mo ago
Apr 23rd, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
PDF
Social engineering
Evasion
File analysis
YARA
Attachment: PDF with CVE-2026-34621 lures
2mo ago
Apr 22nd, 2026
Sublime Security
Malware/Ransomware
PDF
File analysis
YARA
Attachment: PDF with JSFck obfuscation
2mo ago
Apr 22nd, 2026
Sublime Security
Malware/Ransomware
Evasion
PDF
File analysis
YARA
Attachment: PDF With SAI Global ISO9001 Logo
2mo ago
Apr 15th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
PDF
File analysis
YARA
Attachment: PDF with split QR code
2mo ago
Apr 15th, 2026
Sublime Security
Credential Phishing
Evasion
PDF
QR code
File analysis
YARA
QR code analysis
Attachment: ZIP file with CVE-2026-0866 exploit
3mo ago
Mar 20th, 2026
Sublime Security
Malware/Ransomware
Exploit
Evasion
Archive analysis
File analysis
YARA
Attachment: PDF contains W9 or invoice YARA signatures
3mo ago
Mar 18th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
PDF
Social engineering
File analysis
YARA
Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK
4mo ago
Jan 28th, 2026
Sublime Security
Malware/Ransomware
Evasion
File analysis
YARA
Attachment: Password-protected PDF with fake document indicators
5mo ago
Jan 21st, 2026
Sublime Security
Malware/Ransomware
Credential Phishing
Encryption
Evasion
PDF
File analysis
YARA
Exif analysis
Attachment: Malicious OneNote commands
5mo ago
Jan 12th, 2026
@Kyle_Parrish_
Malware/Ransomware
OneNote
Scripting
Archive analysis
Content analysis
File analysis
YARA
Attachment: HTML file with excessive padding and suspicious patterns
5mo ago
Jan 12th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
HTML smuggling
File analysis
HTML analysis
YARA
Attachment: HTML file with reference to recipient and suspicious patterns
5mo ago
Jan 12th, 2026
Sublime Security
Credential Phishing
HTML smuggling
Scripting
Content analysis
File analysis
HTML analysis
Javascript analysis
YARA
Attachment: WinRAR CVE-2025-8088 exploitation
5mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Exploit
Evasion
Archive analysis
File analysis
YARA
Page 1 of 2