Sublime-Message-attachments Event ID 7000000
Sublime MQL (364)
- Adobe branded PDF file linking to a password-protected file from untrusted sender
- Attachment soliciting user to enable macros
- Attachment with auto-executing macro (unsolicited)
- Attachment with auto-opening VBA macro (unsolicited)
- Attachment with encrypted zip (unsolicited)
- Attachment with high risk VBA macro (unsolicited)
- Attachment with macro calling executable
- Attachment with suspicious author (unsolicited)
- Attachment with unscannable encrypted zip
- Attachment with VBA macros from employee impersonation (unsolicited)
- Attachment: .csproj with suspicious commands
- Attachment: 7z Archive Containing RAR File
- Attachment: Adobe image lure in body or attachment with suspicious link
- Attachment: Adobe Sign lure PDF with embedded banner images
- Attachment: Any .sap file (unsolicited)
- Attachment: Any HTML file (unsolicited)
- Attachment: Any HTML file (untrusted sender)
- Attachment: Any HTML file within archive (unsolicited)
- Attachment: Archive containing disallowed file type
- Attachment: Archive containing HTML file with file scheme link
- Attachment: Archive contains DLL-loading macro
- Attachment: Archive with embedded CHM file
- Attachment: Archive with embedded EXE file
- Attachment: Archive with pdf, txt and wsf files
- Attachment: Base64 encoded bash command in filename
- Attachment: Calendar file with invisible Unicode characters
- Attachment: Calendar invite from recently registered domain
- Attachment: Calendar invite with Google redirect and invoice request
- Attachment: Calendar invite with suspicious link leading to an open redirect
- Attachment: Callback phishing solicitation via image file
- Attachment: Callback phishing solicitation via pdf file
- Attachment: Callback phishing solicitation via text-based file
- Attachment: Canva PDF with suspicious author metadata
- Attachment: cmd file extension
- Attachment: Cold outreach with invitation subject and not attachment
- Attachment: Compensation review lure with QR code
- Attachment: Compensation-themed DOCX with QR code credential theft
- Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
- Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability
- Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability
- Attachment: Decoy PDF author (Julie P.)
- Attachment: DocuSign impersonation via PDF linking to new domain
- Attachment: DocX embedded binary
- Attachment: DOCX with hyperlink targeting recipient address
- Attachment: Double base64-encoded zip file in HTML smuggling attachment
- Attachment: Dropbox image lure with no Dropbox domains in links
- Attachment: EICAR string present
- Attachment: Embedded Javascript in SVG file
- Attachment: Embedded VBScript in MHT file
- Attachment: EML containing a base64 encoded script
- Attachment: EML file contains HTML attachment with login portal indicators
- Attachment: EML file with HTML attachment (unsolicited)
- Attachment: EML file with IPFS links
- Attachment: EML with embedded Javascript in SVG file
- Attachment: EML with Encrypted ZIP
- Attachment: EML with link to credential phishing page
- Attachment: EML with SharePoint files shared from GoDaddy federated tenants
- Attachment: EML with Sharepoint link likely unrelated to sender
- Attachment: EML with suspicious indicators
- Attachment: Emotet heavily padded doc in zip file
- Attachment: Employment contract update with suspicious file naming
- Attachment: Encrypted Microsoft Office file (unsolicited)
- Attachment: Encrypted PDF With Credential Harvesting Indicators
- Attachment: Encrypted PDF with credential theft body
- Attachment: Encrypted ZIP containing VHDX file
- Attachment: Encrypted zip file with payment-related lure
- Attachment: Excel file with document sharing lure created by Go Excelize
- Attachment: Excel file with suspicious template identifier
- Attachment: Excel Web Query File (IQY)
- Attachment: Fake attachment image lure
- Attachment: Fake PDF Invoices Yara
- Attachment: Fake scan-to-email
- Attachment: Fake Slack installer
- Attachment: Fake voicemail via PDF
- Attachment: Fake Zoom installer
- Attachment: Fictitious invoice using LinkedIn's address
- Attachment: File execution via Javascript
- Attachment: Filename containing Unicode braille pattern blank character
- Attachment: Filename containing Unicode right-to-left override character
- Attachment: Finance themed PDF with observed phishing template
- Attachment: HTML attachment with Javascript location
- Attachment: HTML attachment with login portal indicators
- Attachment: HTML file contains exclusively Javascript
- Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts
- Attachment: HTML file with excessive padding and suspicious patterns
- Attachment: HTML file with reference to recipient and suspicious patterns
- Attachment: HTML smuggling 'body onload' linking to suspicious destination
- Attachment: HTML smuggling 'body onload' with high entropy and suspicious text
- Attachment: HTML smuggling - QR Code with suspicious links
- Attachment: HTML smuggling Microsoft sign in
- Attachment: HTML smuggling with atob and high entropy
- Attachment: HTML smuggling with atob and high entropy via calendar invite
- Attachment: HTML smuggling with auto-downloaded file
- Attachment: HTML smuggling with base64 encoded JavaScript function
- Attachment: HTML smuggling with base64 encoded ZIP file
- Attachment: HTML smuggling with concatenation obfuscation
- Attachment: HTML smuggling with decimal encoding
- Attachment: HTML smuggling with embedded base64 streamed file download
- Attachment: HTML smuggling with embedded base64-encoded executable
- Attachment: HTML smuggling with embedded base64-encoded ISO
- Attachment: HTML smuggling with eval and atob
- Attachment: HTML smuggling with eval and atob via calendar invite
- Attachment: HTML smuggling with excessive line break obfuscation
- Attachment: HTML smuggling with excessive string concatenation and suspicious patterns
- Attachment: HTML smuggling with fromCharCode and other signals
- Attachment: HTML smuggling with hex strings
- Attachment: HTML smuggling with high entropy and other signals
- Attachment: HTML smuggling with raw array buffer
- Attachment: HTML smuggling with RC4 decryption
- Attachment: HTML smuggling with ROT13
- Attachment: HTML smuggling with setTimeout
- Attachment: HTML smuggling with unescape
- Attachment: HTML with emoji-to-character map
- Attachment: HTML with hidden body
- Attachment: HTML with JavaScript functions for HTTP requests
- Attachment: HTML with obfuscation and recipient's email in JavaScript strings
- Attachment: ICS calendar file with base64 encoded recipient address in URL parameters
- Attachment: ICS calendar file with QR code containing recipient email address
- Attachment: ICS calendar file with recipient address in UID field
- Attachment: ICS calendar file with suspicious product identifier
- Attachment: ICS calendar with embedded file from internal sender with SPF failure
- Attachment: ICS file with AWS Lambda URL
- Attachment: ICS file with excessive custom properties
- Attachment: ICS file with links to newly registered domains
- Attachment: ICS file with meeting prefix
- Attachment: ICS file with non-Gregorian calendar scale
- Attachment: ICS with embedded document
- Attachment: ICS with embedded Javascript in SVG file
- Attachment: ICS with employee policy review lure
- Attachment: Invoice and W-9 PDFs with suspicious creators
- Attachment: JavaScript file with suspicious base64-encoded executable
- Attachment: JPEG with gd-jpeg creator and suspicious file name
- Attachment: Legal themed message or PDF with suspicious indicators
- Attachment: Link file with UNC path
- Attachment: Link to Doubleclick.net open redirect
- Attachment: LNK file
- Attachment: LNK with embedded content
- Attachment: Macro files containing MHT content
- Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation
- Attachment: Malformed OLE file
- Attachment: Malicious OneNote commands
- Attachment: Microsoft 365 credential phishing
- Attachment: Microsoft impersonation via PDF with link and suspicious language
- Attachment: Microsoft OAuth credential harvesting via EML with embedded malicious links
- Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK
- Attachment: MS OOXML file created by Administrator with zero edit time
- Attachment: MSI installer file
- Attachment: Office document loads remote document template
- Attachment: Office document with VSTO add-in
- Attachment: Office file contains OLE relationship to credential phishing page
- Attachment: Office file with credential phishing URLs
- Attachment: Office file with document sharing and browser instruction lures
- Attachment: Office file with suspicious function calls or downloaded file path
- Attachment: OLE external relationship containing file scheme link to executable filetype
- Attachment: OLE external relationship containing file scheme link to IP address
- Attachment: Password-protected PDF with fake document indicators
- Attachment: PDF Attachment with links to workers.dev
- Attachment: PDF bid/proposal lure with credential theft indicators
- Attachment: PDF contains W9 or invoice YARA signatures
- Attachment: PDF file with link to fake Bitcoin exchange
- Attachment: PDF file with low reputation link to ZIP file (unsolicited)
- Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)
- Attachment: PDF generated with wkhtmltopdf tool and default title
- Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification
- Attachment: PDF Object Hash with Blue File Icon
- Attachment: PDF proposal with credential theft indicators
- Attachment: PDF with a suspicious string and single URL
- Attachment: PDF with blurry lure image
- Attachment: PDF with credential theft language and invalid reply-to domain
- Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)
- Attachment: PDF with CVE-2026-34621 lures
- Attachment: PDF with eCheckRun lures
- Attachment: PDF with fake invoice using suspicious font sizing
- Attachment: PDF with JSFck obfuscation
- Attachment: PDF with link to DMG file download
- Attachment: PDF with link to zip containing a wsf file
- Attachment: PDF with Microsoft Purview message impersonation
- Attachment: PDF with multistage landing - ClickUp abuse
- Attachment: PDF with password in filename matching body text
- Attachment: PDF with personal Microsoft OneNote URL
- Attachment: PDF with QR code containing recipient-specific credential theft content
- Attachment: PDF with recipient email in link
- Attachment: PDF With SAI Global ISO9001 Logo
- Attachment: PDF with self-service platform links with self sender or blank recipients
- Attachment: PDF with specific author metadata
- Attachment: PDF with split QR code
- Attachment: PDF with suspicious HeadlessChrome metadata
- Attachment: PDF with suspicious language and redirect to suspicious file type
- Attachment: PDF with suspicious link and action-oriented language
- Attachment: PDF with suspicious view document characteristics
- Attachment: Potential sandbox evasion in Office file
- Attachment: PowerPoint with suspicious hyperlink
- Attachment: PowerShell content
- Attachment: QR code link with base64-encoded recipient address
- Attachment: QR code with credential phishing indicators
- Attachment: QR code with encoded recipient targeting and redirect indicators
- Attachment: QR code with recipient targeting and special characters
- Attachment: QR code with userinfo portion
- Attachment: RDP connection file
- Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender
- Attachment: RFP/RFQ impersonating government entities
- Attachment: RTF file with suspicious link
- Attachment: RTF with embedded content
- Attachment: Self-sender PDF with minimal content and view prompt
- Attachment: SFX archive containing commands
- Attachment: Small text file with link containing recipient email address
- Attachment: Soda PDF producer with encryption themes
- Attachment: Suspicious employee policy update document lure
- Attachment: Suspicious PDF created with headless browser
- Attachment: SVG file execution
- Attachment: SVG file with HTML entity encoded href attributes
- Attachment: SVG file with hyperlinks and cursor styling
- Attachment: SVG files with evasion elements
- Attachment: TAR file with RAR type
- Attachment: Uncommon compressed file
- Attachment: USDA bid invitation impersonation
- Attachment: Web files with suspicious comments
- Attachment: WinRAR CVE-2025-8088 exploitation
- Attachment: XLSX file with suspicious print titles metadata
- Attachment: Zip exploiting CVE-2023-38831 (unsolicited)
- Attachment: ZIP file with CVE-2026-0866 exploit
- BEC/Fraud: Job scam fake thread or plaintext pivot to freemail
- Benefits enrollment impersonation
- Brand impersonation: Adobe (QR code)
- Brand impersonation: Adobe Acrobat Sign PDF phishing file format template
- Brand impersonation: Adobe Sign with suspicious indicators
- Brand impersonation: Adobe with suspicious language and link
- Brand impersonation: Amazon with suspicious attachment
- Brand impersonation: Capital One
- Brand impersonation: Chase bank with credential phishing indicators
- Brand impersonation: Coinbase with suspicious links
- Brand impersonation: Discord notification
- Brand impersonation: DocuSign
- Brand impersonation: DocuSign (QR code)
- Brand impersonation: DocuSign branded attachment lure with no DocuSign links
- Brand impersonation: DocuSign PDF attachment with suspicious link
- Brand impersonation: Dropbox
- Brand impersonation: Fake Fax
- Brand Impersonation: Google (QR Code)
- Brand impersonation: Google Drive fake file share
- Brand impersonation: Google fake sign-in warning
- Brand impersonation: Microsoft
- Brand impersonation: Microsoft (QR code)
- Brand impersonation: Microsoft fake sign-in alert
- Brand impersonation: Microsoft logo or suspicious language with open redirect
- Brand impersonation: Microsoft Planner with suspicious link
- Brand impersonation: Microsoft quarantine release notification in body
- Brand impersonation: Microsoft quarantine release notification in image attachment
- Brand impersonation: Microsoft Teams
- Brand impersonation: Microsoft with embedded logo and credential theft language
- Brand impersonation: Microsoft with low reputation links
- Brand impersonation: Norton
- Brand Impersonation: PayPal
- Brand Impersonation: Procore
- Brand impersonation: Proofpoint secure messaging without legitimate indicators
- Brand Impersonation: ShareFile
- Brand impersonation: Sharepoint
- Brand impersonation: Sharepoint fake file share
- Brand impersonation: SharePoint PDF attachment with credential theft language
- Brand Impersonation: Shein
- Brand impersonation: Social Security Administration
- Brand Impersonation: Stripe
- Brand impersonation: Wise
- Business Email Compromise (BEC) attempt from untrusted sender
- Callback phishing in body or attachment (untrusted sender)
- Callback phishing via calendar invite
- Callback phishing via extensionless rfc822 attachment
- Callback phishing via Google Group abuse
- Callback phishing via Google Meet
- Callback phishing via Intuit service abuse
- Callback phishing via Zoho service abuse
- Callback phishing: AOL senders with suspicious HTML template or PDF attachment
- Callback phishing: Social Security Administration fraud
- ClickFunnels link infrastructure abuse
- Commonly abused sender TLD with engaging language
- Compensation review with QR code in attached EML
- Constant Contact link infrastructure abuse
- Credential phishing content and link (untrusted sender)
- Credential phishing language and suspicious indicators (unknown sender)
- Credential phishing link (unknown sender)
- Credential phishing: 'Secure message' and engaging language
- Credential phishing: Blue button styled link with file-sharing template artifacts
- Credential phishing: DocuSign embedded image lure with no DocuSign domains in links
- Credential phishing: Engaging language and other indicators (untrusted sender)
- Credential phishing: Fake password expiration from new and unsolicited sender
- Credential phishing: Fake storage alerts (unsolicited)
- Credential phishing: Hyper-linked image leading to free file host
- Credential phishing: Image as content, short or no body contents
- Credential phishing: Onedrive impersonation
- Display name and subject impersonation using recipient SLD (new sender)
- Display name impersonation using recipient SLD
- DLP - PCI: American Express Credit Card Number
- DLP - PCI: Discover Credit Card Number
- DLP - PCI: Mastercard Credit Card Number
- DLP - PCI: US Credit Card Number (Any Network)
- DLP - PCI: Visa Credit Card Number
- DLP: Australia Credit Card Number
- DLP: Canada Credit Card Number
- DLP: EU Debit Card Number
- DLP: France Credit Card Number
- DLP: France Debit Card Number
- DLP: Israel Credit Card Number
- DLP: Japan Credit Card Number
- EML attachment with credential theft language (unknown sender)
- Encrypted Microsoft Office files from untrusted sender
- Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender
- Extortion / sextortion in attachment from untrusted sender
- Fake thread with suspicious indicators
- Fake voicemail notification (untrusted sender)
- HTML smuggling containing recipient email address
- Image as content with a link to an open redirect
- Impersonation: Human Resources with link or attachment and engaging language
- Impersonation: Internal corporate services
- Impersonation: Recipient organization in sender display name with credential theft image
- Impersonation: SharePoint reply header anomaly
- Inline image as message with attachment or link
- Link: Direct POWR.io Form Builder with suspicious patterns
- Link: File sharing pretext with suspicious body and link
- Link: Mamba 2FA phishing kit
- Link: Microsoft protected message with matching sender and recipient addresses
- Link: PDF and financial display text to free file host
- Link: PDF filename impersonation with credential theft language
- Link: QR code in EML attachment with credential phishing indicators
- Link: QR code with phishing disposition in img or pdf
- Link: QR Code with suspicious language (untrusted sender)
- Link: QuickBooks image lure with suspicious link
- Link: Self-sender with sender org in subject and credential theft indicator
- macOS malware: Compiled AppleScript with document double-extension
- MalwareBazaar: Malicious attachment hash (trusted reporters)
- MalwareBazaar: Malicious attachment hash in archive (trusted reporters)
- Non-RFC compliant calendar files from unsolicited sender
- Open Redirect: Google domain with /url path and suspicious indicators
- Open redirect: Hakumonkai.org
- Open redirect: Indeed
- Open redirect: Linkedin
- Open redirect: typedrawers.com
- Open redirect: YouTube
- PDF attachment with Google (AE) redirecting to a php or zip file
- PhaaS: Impact Solutions (Impact Vector Suite)
- PHP Mailer with common phishing attachments
- QR Code with suspicious indicators
- Reconnaissance: Large unknown recipient list
- Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment
- Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
- Scam: Piano giveaway
- Self-sent fake PDF attachment with misleading link
- Service abuse: Citrix ShareFile impersonation via Outlook plugin
- Service abuse: Monday.com infrastructure with phishing intent
- Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
- Spam: Unsolicited malformed PDF
- Stripe invoice abuse
- Suspicious attachment with unscannable Cloudflare link
- Suspicious attachment: Duplicate decoy PDF files
- Suspicious invoice reference with missing or image-only attachments
- Suspicious message with unscannable Cloudflare link
- Suspicious message with unscannable Vercel link
- Suspicious Office 365 app authorization (OAuth) link
- Suspicious VBA macros from untrusted sender
- URI protocol handler: search-ms
- URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)
- VIP / Executive impersonation (strict match, untrusted)
- VIP / Executive impersonation in subject (untrusted)
- VIP impersonation with charitable donation fraud
- X (Twitter) impersonation with credential phishing motives
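Several families in the list above key on the same low-level signals: a filename carrying a Unicode right-to-left override or braille blank character, and HTML attachments that decode an embedded payload with `atob`/`eval`/`fromCharCode`/`unescape`, carry a high-entropy base64 literal, fire from `body onload`, or reference the recipient's address. The script below is an added example that reproduces that triage in Python; it is not Sublime's MQL and not the logic of any listed rule. The regexes, the entropy threshold, the two-indicator rule, and the sample attachments are all assumptions constructed for illustration.

```python
"""Heuristic attachment triage modelled on the rule families above (added
example, not Sublime's rule logic). Thresholds and patterns are assumptions."""
import base64
import hashlib
import math
import re

RTLO = "\u202e"           # RIGHT-TO-LEFT OVERRIDE: reverses how the rest of the name renders
BRAILLE_BLANK = "\u2800"  # BRAILLE PATTERN BLANK: renders as whitespace, pads the real extension away

# JavaScript idioms the HTML smuggling rule names refer to (assumed regexes).
SMUGGLING_PATTERNS = {
    "atob": re.compile(r"\batob\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "fromCharCode": re.compile(r"\bfromCharCode\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "setTimeout": re.compile(r"\bsetTimeout\s*\("),
    "blob_download": re.compile(r"new\s+Blob\s*\(|createObjectURL\s*\(|\.download\s*="),
    "hex_string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "decimal_array": re.compile(r"(?:\b\d{1,3}\b\s*,\s*){16,}"),
    "body_onload": re.compile(r"<body[^>]*\bonload\s*=", re.IGNORECASE),
}
LITERAL_RE = re.compile(r"""["']([A-Za-z0-9+/=]{64,})["']""")
ENTROPY_THRESHOLD = 5.0  # assumption: base64 of random bytes approaches 6 bits/char
HTML_EXTENSIONS = {"html", "htm", "shtml", "xhtml"}


def shannon_entropy(text):
    """Bits per character of the string; 0 for empty or single-symbol input."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def filename_findings(filename):
    """Flag Unicode tricks that make the displayed extension differ from the real one."""
    findings = []
    if RTLO in filename:
        idx = filename.index(RTLO)
        # Text after the override is displayed reversed: "x\u202efdp.exe" renders as "xexe.pdf".
        rendered = filename[:idx] + filename[idx + 1:][::-1]
        findings.append("rtlo_override rendered_as=%r" % rendered)
    if BRAILLE_BLANK in filename:
        findings.append("braille_blank_padding")
    return findings


def html_findings(html, recipient=None):
    """Return (indicator names, max entropy of any long quoted literal)."""
    hits = sorted(name for name, rx in SMUGGLING_PATTERNS.items() if rx.search(html))
    max_entropy = max((shannon_entropy(lit) for lit in LITERAL_RE.findall(html)), default=0.0)
    if max_entropy >= ENTROPY_THRESHOLD:
        hits.append("high_entropy_literal")
    if recipient and recipient.lower() in html.lower():
        hits.append("recipient_address_in_html")
    return hits, max_entropy


def triage(filename, content, recipient=None):
    """Combine filename and HTML checks; two HTML indicators or any filename trick is suspicious."""
    fn = filename_findings(filename)
    raw_ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    hits, entropy = ([], 0.0)
    if raw_ext in HTML_EXTENSIONS:
        hits, entropy = html_findings(content, recipient)
    return {
        "filename_findings": fn,
        "html_indicators": hits,
        "max_literal_entropy": round(entropy, 2),
        "suspicious": bool(fn) or len(hits) >= 2,
    }


# Constructed samples (not real attachments). The payload is a pseudo-random
# 512-byte blob standing in for a smuggled ZIP.
_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
SMUGGLED_HTML = """<html><body onload="go()">
<script>
var u = "victim@example.com";
var b = atob("%s");
var a = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) a[i] = b.charCodeAt(i);
var blob = new Blob([a], {type: "application/zip"});
var l = document.createElement("a");
l.href = URL.createObjectURL(blob); l.download = "invoice.zip"; l.click();
</script></body></html>""" % base64.b64encode(_PAYLOAD).decode()

BENIGN_HTML = """<html><body><p>Hello, your receipt is attached as a PDF.</p>
<a href="https://example.com/receipts">View online</a></body></html>"""

if __name__ == "__main__":
    print(triage("invoice.html", SMUGGLED_HTML, recipient="victim@example.com"))
    print(triage("receipt.html", BENIGN_HTML, recipient="victim@example.com"))
    print(triage("Q3_report\u202efdp.exe", ""))
```

The entropy check is what separates a base64 string that is really a packed binary from a long but low-entropy literal such as a CSS block; the recipient check matters because kits that personalise the lure embed the target address so the fake login page can prefill it. Both thresholds are starting points to tune against your own mail, not the values any listed rule uses.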