EXPLORE

EXPLORE DETECTIONS

🔍
1,155 detections found

Attachment: Suspicious employee policy update document lure

Inbound message containing subject line and attachments related to handbook, compensation, or policy updates. Attachments are limited to Microsoft Word documents and match similar update-related terminology. This pattern has been observed used to delivery credential phishing via QR codes.

T1566T1566.001T1566.002T1598T1036+1
Sublimemedium

Attachment: Suspicious PDF created with headless browser

Detects PDF documents containing a table of contents that were generated using HeadlessChrome, Chromium with Skia/PDF, or QT with empty metadata fields - common characteristics of automated malicious document creation.

T1566T1566.001T1566.002T1598T1036+1
Sublimehigh

Attachment: Suspicious VBA macro

Detects any VBA macro attachment that scores above a low confidence threshold in the Sublime Macro Classifier.

Sublime

Attachment: SVG file execution

Detects file execution attempts in SVG files. ActiveXObject is used to invoke WScript.Shell and run a program.

T1566.001T1204.002T1486T1059
Sublimehigh

Attachment: SVG file with HTML entity encoded href attributes

Detects SVG file attachments containing href attributes with three or more consecutive HTML numeric entity references, a technique used to obfuscate malicious URLs and evade security scanning.

T1566.001T1204.002T1486T1566T1566.002+3
Sublimemedium

Attachment: SVG file with hyperlinks and cursor styling

Detects inbound messages containing SVG attachments that include clickable hyperlink elements and CSS pointer cursor styling, which may be used to deceive recipients into clicking malicious links disguised as legitimate images.

T1566T1566.001T1566.002T1598T1036+1
Sublimemedium

Attachment: SVG files with evasion elements

This rule identifies incoming SVG vector graphics files containing specific patterns: circle elements combined with either embedded images, hyperlinks, QR codes, or filenames that match recipient information. Limited to three attachments. SVG circle elements have been used to obfuscate QR codes and bypass automated QR code scanning methods.

T1566.001T1204.002T1486T1566T1566.002+3
Sublimehigh

Attachment: TAR file with RAR type

Detects messages with TAR file extensions that are actually RAR file types. This mismatch between file extension and actual file type may indicate an evasion technique.

T1566.001T1204.002T1486T1036T1027
Sublimehigh

Attachment: Uncommon compressed file

Use if passing compressed or archive files is not typical behavior in your organization. This behavior has been observed in a number of phishing campaigns.

T1566.001T1204.002T1486T1566T1566.002+1
Sublimelow

Attachment: USDA bid invitation impersonation

Detects messages claiming to be from USDA containing bid invitations with macro-enabled attachments or PDFs. Validates USDA-related content through OCR and natural language analysis.

T1566.002T1534T1656T1598.003T1204.002+3
Sublimemedium

Attachment: Web files with suspicious comments

Detects HTML or SVG files under 100KB that contain duplicate or padding text in the form of literary quotes or common sayings within code comments.

T1566T1566.001T1566.002T1598T1204.002+3
Sublimehigh

Attachment: WinRAR CVE-2025-8088 exploitation

Detects attempts to exploit CVE-2025-8088 via attached RAR files

T1566.001T1204.002T1486T1190T1203+2
Sublimehigh

Attachment: XLSX file with suspicious print titles metadata

Detects XLSX attachments containing EXIF metadata with suspicious TitlesOfParts fields that follow a specific pattern combining 'Company_Name' with extracted values and 'Print_Titles', potentially indicating malicious document preparation.

T1566T1566.001T1566.002T1598T1036+3
Sublimehigh

Attachment: Zip exploiting CVE-2023-38831 (unsolicited)

A Zip attachment that exhibits attributes required to exploit CVE-2023-38831, a vulnerability in WinRAR (prior to 6.23).

Sublimecritical

Attachment: ZIP file with CVE-2026-0866 exploit

Detects ZIP attachments containing exploits targeting CVE-2026-0866 vulnerability through YARA signature matching.

T1566.001T1204.002T1486T1190T1203+2
Sublimemedium

BEC with unusual reply-to or return-path mismatch

Detects an unusual header mismatch where the sender is not a freemail address, but the reply-to or return-path are. NLU also detects a BEC intent with medium or high confidence.

T1566.002T1534T1656T1036T1027+2
Sublimehigh

BEC: Employee impersonation with subject manipulation

Subject matches the display name of someone in your organization, and the body resembles a BEC attack.

T1566.002T1534T1656T1566T1598
Sublimehigh

BEC: Executive coaching vendor impersonation

Detects fraudulent messages impersonating leadership development coaching services. The rule identifies inbound messages referencing coaching and executive services terminology alongside financial indicators such as invoices and W-9 forms. Natural language understanding is used to confirm high-confidence financial communication intent and BEC signals.

T1566.002T1534T1656T1598.003T1566+1
Sublimemedium

BEC: Financial fraud from newly registered sender domain

Detects inbound messages from domains registered less than 30 days ago that exhibit business email compromise intent with high-confidence financial or payment topics. The message must also contain explicit banking details such as account and routing numbers, invoice references, or payment urgency language, and must either fail DMARC on a trusted domain or originate from an untrusted domain.

T1566.002T1534T1656T1566T1598
Sublimemedium

BEC/Fraud: Fake investment outreach from suspicious TLD

Detects fake investment solicitation emails using "Investment into {company}" subject lines from suspicious TLDs. This campaign targets businesses with templated cold outreach purporting to represent family offices or private equity firms, using disposable domains with DGA-like characteristics.

T1566.002T1534T1656T1566T1598
Sublimemedium

BEC/Fraud: Generic scam attempt to undisclosed recipients

Detects potential generic scams by analyzing text within the email body and other suspicious signals.

T1566.002T1534T1656T1566T1598
Sublimelow

BEC/Fraud: Job scam fake thread or plaintext pivot to freemail

Detects potential job scams using plaintext or fake threads attempting to pivot to a freemail address from an unsolicited sender.

T1566.002T1534T1656
Sublimemedium

BEC/Fraud: Penpal scam

This rule detects messages from individuals looking to establish contact under the guise of seeking friendship or a penpal relationship. Over time, they build trust and then exploit this relationship by asking for money, personal information, or involvement in suspicious activities.

T1566.002T1534T1656T1566T1598
Sublimemedium

BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply

Detects suspicious reply messages with urgent language in sender name or email address, minimal body content, and the sender's email address appearing in previous thread content, indicating a self reply.

T1566.002T1534T1656T1566T1598+2
Sublimemedium
PreviousPage 11 of 49Next