EXPLORE

EXPLORE DETECTIONS

🔍
1,155 detections found

Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability

Attachment contains an RTF file with a font table defining an excessive number of fonts, used to exploit CVE-2023-21716.

T1566.001T1204.002T1486T1190T1203
Sublimehigh

Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability

Detects a Windows library file (.library-ms) containing a network path, either as a direct attachment or within an archive. This file type can be used to cause Windows to send NTLM hash to malicious network locations.

T1566T1566.001T1566.002T1598T1059+4
Sublimecritical

Attachment: Decoy PDF author (Julie P.)

This detection rule matches on messages containing one or more Decoy PDF attachments with metadata discovered to have been assoicated with malicious email campaigns featuring CrowdStrike, DocuSign, Human Resource and password expiration lures.

T1566T1566.001T1566.002T1598T1598.003
Sublimehigh

Attachment: DocuSign impersonation via PDF linking to new domain

This rule detects PDF files containing a DocuSign logo linking to a newly created domain (Less than or equal to 3 days)

T1566T1566.001T1566.002T1598T1598.003
Sublimemedium

Attachment: DocX embedded binary

This rule is designed to detect sophisticated phishing attacks that deliver binary payloads through MS office open XML files. It identifies malicious documents containing embedded scripts or objects, either encoded in base64 or using specific JavaScript functions like createObjectURL or msSaveOrOpenBlob, which are indicative of attempts to download and execute a binary payload.

T1566.001T1204.002T1486T1036T1027
Sublimehigh

Attachment: DOCX with hyperlink targeting recipient address

Detects DOCX attachments containing hyperlinks with anchor references that match recipient email addresses. This technique is commonly used to personalize malicious documents and evade detection.

T1566T1566.001T1566.002T1598T1204.002+3
Sublimemedium

Attachment: DOCX with malicious document template artifacts

Detects inbound messages containing DOCX attachments with artifacts associated with malicious document templates.

T1566T1566.001T1566.002T1598T1036+3
Sublimemedium

Attachment: Double base64-encoded zip file in HTML smuggling attachment

Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.

T1566.001T1204.002T1486T1566T1566.002+4
Sublimehigh

Attachment: Dropbox image lure with no Dropbox domains in links

Detects Dropbox phishing emails with no Dropbox links with image attachments from an untrusted sender.

T1566T1566.001T1566.002T1598T1598.003
Sublimemedium

Attachment: Duplicated header pages in fraudulent multi-page PDF Request for Quotation

Detects inbound PDF attachments between 2-3 pages where the first three lines of the header text appear nearly identical (within a Levenshtein distance of 5) on multiple pages, combined with terminology commonly found in fraudulent Request for Quotation (RFQ) documents such as procurement language, payment conditions, and preference point systems. This pattern is consistent with fabricated or manipulated procurement documents used in BEC or fraud schemes.

T1566.002T1534T1656T1566T1598
Sublimemedium

Attachment: EICAR string present

This rule detects the EICAR test string, used to evaluate Anti-Virus scanning and file inspection capabilities. For performance reasons, this rule is limited to attachments with "eicar" in the file name.

T1566.001T1204.002T1486
Sublimelow

Attachment: Embedded Javascript in SVG file

Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.

T1566.001T1204.002T1486T1059
Sublimehigh

Attachment: Embedded VBScript in MHT file

MHT files can be used to run VBScript, which can run malicious code.

T1566.001T1204.002T1486T1036T1027+1
Sublimemedium

Attachment: EML containing a base64 encoded script

Attached EML contains a base64 encoded script in the message body.

T1566T1566.001T1566.002T1598T1036+2
Sublimehigh

Attachment: EML file contains HTML attachment with login portal indicators

Attached EML file contains an HTML attachment with suspicious login indicators. Known credential theft technique.

T1566T1566.001T1566.002T1598T1036+1
Sublimehigh

Attachment: EML file with HTML attachment (unsolicited)

Detects HTML files in EML attachments from unsolicited senders. Reduces attack surface against HTML smuggling.

T1566T1566.001T1566.002T1598T1204.002+3
Sublimemedium

Attachment: EML file with IPFS links

Attached EML uses engaging language and IPFS links were detected in the EML file. IPFS has been recently observed hosting phishing sites.

T1566T1566.001T1566.002T1598T1036+1
Sublimemedium

Attachment: EML with embedded Javascript in SVG file

Detects incoming messages containing EML attachments with embedded SVG files that contain malicious JavaScript code, including base64-encoded content and potentially harmful event handlers. The rule specifically watches for onload events, location redirects, error handlers, and iframe elements with base64 data URIs.

T1566T1566.001T1566.002T1598T1204.002+4
Sublimehigh

Attachment: EML with Encrypted ZIP

Detects when an EML file is attached that contains an encrypted ZIP file. The encryption can be used to bypass security scanning and deliver malicious content.

T1566.001T1204.002T1486T1027T1573+1
Sublimelow

Attachment: EML with link to credential phishing page

Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.

T1566T1566.001T1566.002T1598T1036+1
Sublimehigh

Attachment: EML with QR code redirecting to Cloudflare challenges

Detects EML attachments containing office documents, PDFs, or images with embedded QR codes that redirect to Cloudflare challenge pages, potentially used to bypass security measures.

T1566T1566.001T1566.002T1598T1204.002+3
Sublimelow

Attachment: EML with SharePoint files shared from GoDaddy federated tenants

Detects EML attachments containing SharePoint links with 'netorg' subdomain patterns, which may indicate suspicious redirection tactics or domain abuse.

T1566T1566.001T1566.002T1598T1036+2
Sublimelow

Attachment: EML with Sharepoint link likely unrelated to sender

Detects EML attachments containing SharePoint links where the subdomain differs significantly from the sender's domain, potentially indicating SharePoint impersonation or domain spoofing tactics.

T1566.002T1534T1656T1566T1566.001+4
Sublimemedium

Attachment: EML with suspicious indicators

Attached EML contains suspicious indicators, such as a missing sender email or short HTML body.

T1566T1566.001T1566.002T1598T1036+1
Sublimemedium
PreviousPage 3 of 49Next