EXPLORE

EXPLORE DETECTIONS

🔍
1,155 detections found

Attachment: PDF with suspicious language and redirect to suspicious file type

Attached PDF contains credential theft language, and links to an open redirect to a suspicious file type. This has been observed in-the-wild as a Qakbot technique.

T1566.001T1204.002T1486T1566T1566.002+3
Sublimehigh

Attachment: PDF with suspicious link and action-oriented language

Detects PDF attachments containing a single link that leads to pages with language prompting users to view, review, or read documents, accounts, or business-related content such as bids, proposals, agreements, or contracts.

T1566T1566.001T1566.002T1598T1036+1
Sublimehigh

Attachment: PDF with suspicious view document characteristics

PDF attachment contains suspicious characteristics commonly associated with document viewing lures, as detected by YARA pattern matching.

T1566T1566.001T1566.002T1598T1204.002+3
Sublimemedium

Attachment: PDF with W-9 form indicators

Detects inbound messages containing PDF attachments that match structural or signature patterns consistent with specific W-9 tax lure activity sets.

T1566.002T1534T1656T1566T1598+1
Sublimehigh

Attachment: Potential sandbox evasion in Office file

Scans attached files with known Office file extension, and alerts on the presence of strings indicative of sandbox evasion checks. Malicious code may carry out checks against the local host (e.g. running processes, disk size, domain-joined status) before running its final payload.

T1566.001T1204.002T1486T1036T1027+1
Sublimehigh

Attachment: PowerPoint with suspicious hyperlink

Attached PowerPoint contains a suspicious hyperlink that can execute arbitrary code.

T1566.001T1204.002T1486T1036T1027+1
Sublimehigh

Attachment: PowerShell content

Recursively scans files and archives to detect PowerShell content. While scripts are often blocked by mail filtering, alternative file formats and archived content may be employed to bypass such controls.

T1566.001T1204.002T1486T1059
Sublimehigh

Attachment: Python generated PDF with link

The PDF attachment was created with a Python-based script and contains one or more links. These techniques were used by PikaBot, among others.

T1036T1027
Sublimemedium

Attachment: QR code link with base64-encoded recipient address

Detects when an image or macro attachment contains QR codes that, when scanned, lead to URLs containing the recipient's email address. This tactic is used to uniquely track or target specific recipients and serve tailored credential phishing pages.

T1566T1566.001T1566.002T1598T1036+3
Sublimehigh

Attachment: QR code with credential phishing indicators

Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: LinkAnalysis credential phishing conclusion, decoded QR code url traverses suspicious infrastructure, the final destination is in URLhaus, decoded URL downloads a zip or executable, leverages URL shorteners, known QR abused openredirects, and more.

T1566T1566.001T1566.002T1598
Sublimemedium

Attachment: QR code with encoded recipient targeting and redirect indicators

Detects QR codes in attachments that contain the recipient's email address (either plaintext or base64 encoded) and redirect through suspicious URI structures commonly associated with Kratos/SneakyLog redirection services.

T1566T1566.001T1566.002T1598T1036+1
Sublimehigh

Attachment: QR code with recipient targeting and special characters

Detects messages with QR code in attachments containing special characters in the path that include the recipient's email address in either the URL path or fragment, potentially encoded in base64. The URLs have a simple path structure and may end with suspicious patterns.

T1566T1566.001T1566.002T1598T1036+1
Sublimehigh

Attachment: QR code with suspicious URL patterns in EML file

Detects EML attachments containing QR codes that link to URLs with suspicious patterns, including specific alphanumeric combinations in subdomains and paths, or special characters followed by encoded terminators. These patterns are commonly used to evade detection in credential theft attacks.

T1566T1566.001T1566.002T1598T1036+1
Sublimehigh

Attachment: QR code with userinfo portion

Detects inbound messages that contain image or document attachments with QR codes containing embedded usernames, passwords, or excessively padded URLs. This technique is used to bypass traditional text-based detection methods.

T1566T1566.001T1566.002T1598T1204.002+3
Sublimehigh

Attachment: RDP connection file

Recursively scans files and archives to detect RDP connection files. Coercing a target user into connecting to an attacker-owned RDP server can expose elements of their host and potentially lead to compromise.

T1566.001T1204.002T1486T1566T1566.002+1
Sublimemedium

Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender

This rule identifies messages with an RFC822 attachment contains language indicative of suspicious file-sharing activity. It checks both the original sender and the nested sender against highly trusted domains. The original message is unsolicited, and has not been previously flagged as a false positive.

T1566T1566.001T1566.002T1598T1036+1
Sublimemedium

Attachment: RFP/RFQ impersonating government entities

Attached RFP/RFQ impersonates a U.S. government department or entity to commit fraudulent transactions.

T1566.002T1534T1656T1598.003T1566+1
Sublimehigh

Attachment: Romance scam with image lure and advance-fee or suspicious link indicators

Detects inbound messages that are not replies, forwards, or mailing list communications, and contain image attachments (JPG or PNG) alongside body text classified as romantic or sexually explicit in nature. The messages either include links to known redirector or free hosting domains (such as geno.link or sites.google.com), or exhibit advance-fee fraud intent while routing replies to a free email provider despite originating from a corporate-looking sender domain. Senders observed span spoofed government and business addresses as well as free webmail accounts, with subject lines using romantic or personal connection lures.

T1566.002T1534T1656T1566T1598
Sublimemedium

Attachment: RTF file with suspicious link

This rule detects RTF attachments directly attached or within an archive, containing an external link to a suspicious low reputation domain.

T1566T1566.001T1566.002T1598T1036+1
Sublimemedium

Attachment: RTF with embedded content

RTF files can contain embedded content similar to OLE files (Microsoft Office documents.)

T1566.001T1204.002T1486T1036T1027
Sublimemedium

Attachment: Self-sender PDF with minimal content and view prompt

Detects messages where the sender and recipient are the same address with a PDF attachment containing only 'VIEW PDF' text and a standardized body message requesting to view the attachment.

T1566T1566.001T1566.002T1598T1204.002+3
Sublimehigh

Attachment: SFX archive containing commands

Attachment is an SFX archive that contains commands that will execute when opened. This can be used to run malicious commands, and has been observed in the wild.

T1566.001T1204.002T1486T1036T1027+1
Sublimemedium

Attachment: Small text file with link containing recipient email address

Attach text file is less than 1000 bytes and contains a recipients email address. Seen in the wild carrying credential phishing links.

T1566T1566.001T1566.002T1598T1036+1
Sublimemedium

Attachment: Soda PDF producer with encryption themes

Detects an observed TTP of using Soda PDF (which offers a free trial) to produce PDFs which OCR output contains references to encryption and mentions a PDF. The PDF contains a single link which has been observed linking to a credential phishing page.

T1566T1566.001T1566.002T1598
Sublimehigh
PreviousPage 10 of 49Next