diff --git a/detection-rules/attachment_adobe_image_lure_fts.yml b/detection-rules/attachment_adobe_image_lure_fts.yml
new file mode 100644
index 00000000000..079e2e7154a
--- /dev/null
+++ b/detection-rules/attachment_adobe_image_lure_fts.yml
@@ -0,0 +1,42 @@
+name: "Attachment: Adobe image lure with suspicious link from first time sender"
+description: "Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language from a first-time sender."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(filter(attachments, .file_type not in $file_types_images)) == 0
+  and length(body.links) > 0
+  and all(body.links, .display_text is null)
+  and any(attachments,
+          any(ml.logo_detect(.).brands, .name == "Adobe" and .confidence in ("high"))
+          and any(file.explode(.),
+                  strings.ilike(.scan.ocr.raw,
+                                "*review*",
+                                "*sign*",
+                                "*view*",
+                                "*completed document*",
+                                "*open agreement*"
+                  )
+          )
+  )
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Image as content"
+  - "Impersonation: Brand"
+detection_methods:
+  - "Content analysis"
+  - "Computer Vision"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+  - "URL analysis"
+id: "1d7add81-9822-576a-bcae-c4440e75e393"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_any_html_in_archive_unsolicited.yml b/detection-rules/attachment_any_html_in_archive_unsolicited.yml
new file mode 100644
index 00000000000..a375c145c08
--- /dev/null
+++ b/detection-rules/attachment_any_html_in_archive_unsolicited.yml
@@ -0,0 +1,33 @@
+name: "Attachment: Any HTML file within archive (unsolicited)"
+description: "Recursively scans archives to detect HTML files from unsolicited senders. \n\nHTML files can be used for HTML smuggling and embedded in archives to evade detection.\n"
+references:
+  - "https://twitter.com/executemalware/status/1537569201577156611"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(attachments,
+          .file_extension in~ $file_extensions_common_archives
+          and any(file.explode(.), .depth > 0 and .file_extension in~ ("html", "htm"))
+  )
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+tags:
+  - "Attack surface reduction"
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "HTML smuggling"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+id: "6a67c02c-d405-531e-850a-1722849c5fe4"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_any_html_new_sender.yml b/detection-rules/attachment_any_html_new_sender.yml
new file mode 100644
index 00000000000..e2c0fdc262b
--- /dev/null
+++ b/detection-rules/attachment_any_html_new_sender.yml
@@ -0,0 +1,32 @@
+name: "Attachment: Any HTML file (first-time sender)"
+description: |
+  Potential HTML smuggling attacks from new senders.
+  Use if passing HTML files is not normal behavior in your environment.
+  This rule may be expanded to inspect HTML attachments for suspicious code.
+references:
+  - "https://ired.team/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript"
+  - "https://sandbox.sublimesecurity.com?id=106315e9-166a-4e0f-946e-88ff6fd5f9fd"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")
+
+  // first-time sender
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+tags:
+  - "Attack surface reduction"
+tactics_and_techniques:
+  - "HTML smuggling"
+detection_methods:
+  - "HTML analysis"
+  - "Sender analysis"
+id: "57a8f5c5-c4c4-5268-b452-e381dc64ea42"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_any_html_unsolicited.yml b/detection-rules/attachment_any_html_unsolicited.yml
new file mode 100644
index 00000000000..c4dba5a3911
--- /dev/null
+++ b/detection-rules/attachment_any_html_unsolicited.yml
@@ -0,0 +1,33 @@
+name: "Attachment: Any HTML file (unsolicited)"
+description: |
+  Potential HTML smuggling attacks in unsolicited messages.
+  Use if passing HTML files is not normal behavior in your environment.
+  This rule may be expanded to inspect HTML attachments for suspicious code.
+references:
+  - "https://ired.team/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript"
+  - "https://sandbox.sublimesecurity.com?id=106315e9-166a-4e0f-946e-88ff6fd5f9fd"
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")
+
+  // unsolicited
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+tags:
+  - "Attack surface reduction"
+tactics_and_techniques:
+  - "HTML smuggling"
+detection_methods:
+  - "File analysis"
+  - "HTML analysis"
+  - "Sender analysis"
+id: "ef36763f-917d-5338-b1ac-84047334dce8"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_callback_phish_with_img.yml b/detection-rules/attachment_callback_phish_with_img.yml
new file mode 100644
index 00000000000..e02fc6c587e
--- /dev/null
+++ b/detection-rules/attachment_callback_phish_with_img.yml
@@ -0,0 +1,66 @@
+name: "Attachment: Callback Phishing solicitation via image file"
+description: "A fraudulent invoice/receipt found in an image attachment.\nCallback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. \nThe resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.\n"
+type: "rule"
+authors:
+  - twitter: "vector_sec"
+severity: "high"
+source: |
+  type.inbound
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+  and sender.email.domain.root_domain in $free_email_providers
+  and any(attachments,
+          .file_type in $file_types_images
+          and any(file.explode(.),
+                  4 of (
+                    strings.icontains(.scan.ocr.raw, "purchase"),
+                    strings.icontains(.scan.ocr.raw, "subscription"),
+                    strings.icontains(.scan.ocr.raw, "antivirus"),
+                    strings.icontains(.scan.ocr.raw, "order"),
+                    strings.icontains(.scan.ocr.raw, "support"),
+                    strings.icontains(.scan.ocr.raw, "receipt"),
+                    strings.icontains(.scan.ocr.raw, "amount"),
+                    strings.icontains(.scan.ocr.raw, "charged"),
+                    strings.icontains(.scan.ocr.raw, "invoice"),
+                    strings.icontains(.scan.ocr.raw, "call"),
+                    strings.icontains(.scan.ocr.raw, "cancel"),
+                    strings.icontains(.scan.ocr.raw, "renew"),
+                    strings.icontains(.scan.ocr.raw, "refund"),
+                    strings.icontains(.scan.ocr.raw, "+1")
+                  )
+          )
+          and any(file.explode(.),
+                  strings.ilike(.scan.ocr.raw,
+                                "*geek squad*",
+                                "*lifelock*",
+                                "*best buy*",
+                                "*mcafee*",
+                                "*norton*",
+                                "*ebay*",
+                                "*paypal*",
+                                "*secure anywhere*"
+                  )
+          )
+  )
+attack_types:
+  - "Callback Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Free email provider"
+  - "Out of band pivot"
+  - "Social engineering"
+  - "Image as content"
+detection_methods:
+  - "Content analysis"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+  - "URL analysis"
+  - "Computer Vision"
+id: "60acbb36-8ed1-562e-8027-260c2fdf0f04"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_callback_phish_with_pdf.yml b/detection-rules/attachment_callback_phish_with_pdf.yml
new file mode 100644
index 00000000000..f9bc313dd52
--- /dev/null
+++ b/detection-rules/attachment_callback_phish_with_pdf.yml
@@ -0,0 +1,21 @@
+name: "Attachment: Callback Phishing solicitation via pdf file"
+description: "A fraudulent invoice/receipt found in an single page pdf attachment.\nCallback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. \nThe resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.\n"
+type: "rule"
+severity: "high"
+source: "type.inbound\nand (\n  not profile.by_sender().solicited\n  or (\n    profile.by_sender().any_messages_malicious_or_spam\n    and not profile.by_sender().any_false_positives\n  )\n)\n\n// single attachment\nand length(attachments) == 1\n\n// sender is freemail\nand sender.email.domain.root_domain in $free_email_providers\n\n// the attachment is a pdf with 1 page, and at least 60 ocr chars\nand any(attachments,\n        .file_extension == \"pdf\"\n        and any(file.explode(.), .scan.exiftool.page_count == 1)\n        and any(file.explode(.), length(.scan.ocr.raw) > 60)\n\n        // 4 of the following strings are found        \n        and any(file.explode(.),\n                4 of (\n                  strings.icontains(.scan.ocr.raw, \"purchase\"),\n                  strings.icontains(.scan.ocr.raw, \"payment\"),\n                  strings.icontains(.scan.ocr.raw, \"transaction\"),\n                  strings.icontains(.scan.ocr.raw, \"subscription\"),\n                  strings.icontains(.scan.ocr.raw, \"antivirus\"),\n                  strings.icontains(.scan.ocr.raw, \"order\"),\n                  strings.icontains(.scan.ocr.raw, \"support\"),\n                  strings.icontains(.scan.ocr.raw, \"help line\"),\n                  strings.icontains(.scan.ocr.raw, \"receipt\"),\n                  strings.icontains(.scan.ocr.raw, \"invoice\"),\n                  strings.icontains(.scan.ocr.raw, \"call\"),\n                  strings.icontains(.scan.ocr.raw, \"helpdesk\"),\n                  strings.icontains(.scan.ocr.raw, \"cancel\"),\n                  strings.icontains(.scan.ocr.raw, \"renew\"),\n                  strings.icontains(.scan.ocr.raw, \"refund\"),\n                  regex.icontains(.scan.ocr.raw, '\\+\\d')\n                )\n        )\n\n        // 1 of the following strings is found, representing common Callback brands          \n        and any(file.explode(.),\n                1 of (\n                  strings.icontains(.scan.ocr.raw, \"geek squad\"),\n                  strings.icontains(.scan.ocr.raw, \"lifelock\"),\n                  strings.icontains(.scan.ocr.raw, \"best buy\"),\n                  strings.icontains(.scan.ocr.raw, \"mcafee\"),\n                  strings.icontains(.scan.ocr.raw, \"norton\"),\n                  strings.icontains(.scan.ocr.raw, \"ebay\"),\n                  strings.icontains(.scan.ocr.raw, \"paypal\"),\n                )\n        )\n)\n"
+attack_types:
+  - "Callback Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Free email provider"
+  - "Out of band pivot"
+  - "PDF"
+  - "Social engineering"
+detection_methods:
+  - "Exif analysis"
+  - "File analysis"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+id: "ac33f097-af20-554c-b29a-56f21be1b285"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml
index c91aa98bc7e..cede0e1e03b 100644
--- a/detection-rules/attachment_docusign_image_suspicious_links.yml
+++ b/detection-rules/attachment_docusign_image_suspicious_links.yml
@@ -26,24 +26,10 @@ source: |
           )
   )
   and (
-    (
-      (
-        sender.email.domain.root_domain in $free_email_providers
-        and sender.email.email not in $sender_emails
-      )
-      or (
-        sender.email.domain.root_domain not in $free_email_providers
-        and sender.email.domain.domain not in $sender_domains
-      )
-    )
+    profile.by_sender().prevalence in ("new", "outlier")
     or (
-      sender.email.email in $sender_emails
-      and any(distinct(headers.hops, .received_spf.verdict is not null),
-              regex.icontains(.received_spf.verdict, "fail|error")
-              or any(distinct(headers.hops, .authentication_results.dmarc is not null),
-                     strings.ilike(.authentication_results.dmarc, "*fail")
-              )
-      )
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
     )
   )
 attack_types:
@@ -60,5 +46,5 @@ detection_methods:
   - "Sender analysis"
   - "URL screenshot"
 id: "814a5694-d626-5bf4-a1ba-a1dbcb625279"
-testing_pr: 761
-testing_sha: 6513d69b03e871af705d1e93d672104ee05f1023
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_dropbox_image_suspicious_links.yml b/detection-rules/attachment_dropbox_image_suspicious_links.yml
new file mode 100644
index 00000000000..a7900651b1c
--- /dev/null
+++ b/detection-rules/attachment_dropbox_image_suspicious_links.yml
@@ -0,0 +1,36 @@
+name: "Attachment: Dropbox image lure with no Dropbox domains in links"
+description: "Detects Dropbox phishing emails with no dropbox links with image attachments from first time sender."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(filter(attachments, .file_type not in $file_types_images)) == 0
+  and any(body.links, not strings.ilike(.href_url.domain.root_domain, "dropbox.*"))
+  and any(attachments,
+          .file_type in $file_types_images
+          and any(file.explode(.),
+                  strings.ilike(.scan.ocr.raw, "*dropbox*")
+                  and strings.ilike(.scan.ocr.raw, "*review*", "*sign*")
+          )
+  )
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "File analysis"
+  - "Header analysis"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+id: "500eee2d-d793-5450-a87f-825ce27c897d"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_eml_with_html_attachment.yml b/detection-rules/attachment_eml_with_html_attachment.yml
new file mode 100644
index 00000000000..ac00005f3cf
--- /dev/null
+++ b/detection-rules/attachment_eml_with_html_attachment.yml
@@ -0,0 +1,68 @@
+name: "Attachment: EML file with HTML attachment (unsolicited)"
+description: |
+  Detects HTML files in EML attachments from unsolicited senders.
+
+  Reduces attack surface against HTML smuggling.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+
+  // has EML attachment
+  and any(attachments,
+          .content_type == "message/rfc822"
+          and any(file.explode(.),
+
+                  // HTML file inside EML attachment
+                  // we've seen files named ".htm.", which results in an empty
+                  // .file_extension, so instead we look at .file_name
+                  // they should be rare enough in EML attachments to not cause
+                  // extraneous FPs
+                  strings.ilike(.file_name, "*htm*")
+
+          // optional: we can add additional signals here if necessary
+          // identify at least one additional suspicious signal in the message
+          // and (
+          //     // html smuggling signals
+          //     any(.scan.javascript.identifiers, . == "unescape") or
+          //     any(.scan.strings.strings, regex.icontains(., "eval")) or
+          //     // more signals here if needed
+
+          //     // commonly abused sender TLD
+          //     strings.ilike(sender.email.domain.tld, "*.jp")
+          // )
+          )
+  )
+
+  // exclude bounce backs & read receipts
+  and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
+  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
+  and not any(attachments, .content_type == "message/delivery-status")
+  // if the "References" is in the body of the message, it's probably a bounce
+  and not any(headers.references, strings.contains(body.html.display_text, .))
+
+  // unsolicited
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+tags:
+  - "Attack surface reduction"
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "HTML smuggling"
+detection_methods:
+  - "Content analysis"
+  - "File analysis"
+  - "Header analysis"
+  - "HTML analysis"
+  - "Sender analysis"
+id: "c24fd191-1685-5cb8-83ef-618225401332"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml b/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml
new file mode 100644
index 00000000000..9e0bb9fe0b1
--- /dev/null
+++ b/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml
@@ -0,0 +1,40 @@
+name: "Attachment: Emotet heavily padded doc in zip file"
+description: "Detects a potential Emotet delivery method using padded .doc files that compress into small zip files. \nContents may include Red Dawn templates exceeding 500MB.\n"
+references:
+  - "https://twitter.com/Cryptolaemus1/status/1633099154623803394"
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          .file_extension == "zip"
+          and any(file.explode(.),
+                  .depth == 0
+                  and .size < 1000000
+                  and not .depth > 0
+                  and strings.ends_with(.scan.exiftool.zip_file_name, ".doc")
+                  and .scan.exiftool.zip_uncompressed_size > 500000000
+          )
+  )
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+tags:
+  - "Malfam: Emotet"
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "Archive analysis"
+  - "Content analysis"
+  - "Exif analysis"
+  - "File analysis"
+  - "Sender analysis"
+id: "9a5332ed-0023-5d6e-89d3-bd789c3bde6f"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_encrypted_ole_unsolicited.yml b/detection-rules/attachment_encrypted_ole_unsolicited.yml
new file mode 100644
index 00000000000..83807c78689
--- /dev/null
+++ b/detection-rules/attachment_encrypted_ole_unsolicited.yml
@@ -0,0 +1,35 @@
+name: "Attachment: Encrypted Microsoft Office file (unsolicited)"
+description: |
+  Encrypted OLE2 (eg Microsoft Office) attachment from an unsolicited sender. Attachment encryption is a common technique used to bypass malware scanning products.
+  Use if receiving encrypted attachments is not normal behavior in your environment.
+references:
+  - "https://www.cyren.com/blog/articles/anatomy-of-an-attack-password-protected-files-attached-to-emails"
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          .file_extension in~ $file_extensions_macros
+          and file.oletools(.).indicators.encryption.exists
+  )
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Encryption"
+  - "Macros"
+  - "Scripting"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "OLE analysis"
+  - "Sender analysis"
+id: "1e47e953-576c-5ba9-b84e-b72a1a89de87"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_html_attachment_login_page.yml b/detection-rules/attachment_html_attachment_login_page.yml
index 98775e1f75c..a961f330e31 100644
--- a/detection-rules/attachment_html_attachment_login_page.yml
+++ b/detection-rules/attachment_html_attachment_login_page.yml
@@ -9,89 +9,7 @@ type: "rule"
 severity: "medium"
 authors:
   - twitter: "ajpc500"
-source: |
-  type.inbound
-  and any(attachments,
-          (
-            .file_extension in~ ("html", "htm", "shtml", "dhtml")
-            or .file_extension in~ $file_extensions_common_archives
-            or .file_type == "html"
-          )
-          and any(file.explode(.),
-                  // suspicious strings found in javascript
-                  (
-                    length(filter(.scan.javascript.strings, strings.ilike(., "*password*", ))) >= 2
-                    and 2 of (
-                      any(.scan.javascript.strings, strings.ilike(., "*incorrect*")),
-                      any(.scan.javascript.strings, strings.ilike(., "*invalid*")),
-                      any(.scan.javascript.strings, strings.ilike(., "*login*")),
-                      any(.scan.javascript.strings, regex.icontains(., "sign.in")),
-                    )
-                  )
-                  or (
-                    // suspicious strings found outside of javascript, but binexplode'd file still of HTML type
-                    length(filter(.scan.strings.strings, strings.ilike(., "*password*", ))) >= 2
-                    and 2 of (
-                      any(.scan.strings.strings, strings.ilike(., "*incorrect*")),
-                      any(.scan.strings.strings, strings.ilike(., "*invalid*")),
-                      any(.scan.strings.strings, strings.ilike(., "*login*")),
-                      any(.scan.strings.strings, strings.ilike(., "*<script>*")),
-                      any(.scan.strings.strings, regex.icontains(., "sign.in")),
-                      any(.scan.strings.strings,
-                          regex.icontains(.,
-                                          '<title>.[^<]+(Payment|Invoice|Statement|Login|Microsoft|Email|Excel)'
-                          )
-                      )
-                    )
-                  )
-                  or
-                  //Known phishing obfuscation
-                  2 of (
-                    // Enter password
-                    any(.scan.strings.strings,
-                        strings.ilike(.,
-                                      "*&#69;&#110;&#116;&#101;&#114;&#32;&#112;&#97;&#115;&#115;&#119;&#111;&#114;&#100*"
-                        )
-                    ),
-
-                    // Forgotten my password
-                    any(.scan.strings.strings,
-                        strings.ilike(.,
-                                      "*&#70;&#111;&#114;&#103;&#111;&#116;&#116;&#101;&#110;&#32;&#109;&#121;&#32;&#112;&#97;&#115;&#115;&#119;&#111;&#114;&#100*"
-                        )
-                    ),
-
-                    // Sign in
-                    any(.scan.strings.strings,
-                        strings.ilike(., "*&#83;&#105;&#103;&#110;&#32;&#105;&#110*")
-                    )
-                  )
-          )
-  )
-  and (
-    (
-      // exclude internal mailers where there is no SPF configured.
-      // if the sender's root domain is an org domain, we
-      // ensure there's no SPF failures to protect against spoofs.
-      // we use root_domain because it's typically subdomains that are misconfigured
-      sender.email.domain.root_domain in $org_domains
-      and not any(distinct(headers.hops, .received_spf.verdict is not null),
-                  strings.ilike(.received_spf.verdict, "*fail")
-      )
-    )
-    or sender.email.domain.root_domain not in $org_domains
-  )
-  // Unsolicited
-  and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $recipient_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $recipient_domains
-    )
-  )
+source: "type.inbound\nand any(attachments,\n        (\n          .file_extension in~ (\"html\", \"htm\", \"shtml\", \"dhtml\")\n          or .file_extension in~ $file_extensions_common_archives\n          or .file_type == \"html\"\n        )\n        and any(file.explode(.),\n                // suspicious strings found in javascript\n                (\n                  length(filter(.scan.javascript.strings, strings.ilike(., \"*password*\", ))) >= 2\n                  and 2 of (\n                    any(.scan.javascript.strings, strings.ilike(., \"*incorrect*\")),\n                    any(.scan.javascript.strings, strings.ilike(., \"*invalid*\")),\n                    any(.scan.javascript.strings, strings.ilike(., \"*login*\")),\n                    any(.scan.javascript.strings, regex.icontains(., \"sign.in\")),\n                  )\n                )\n                or (\n                  // suspicious strings found outside of javascript, but binexplode'd file still of HTML type\n                  length(filter(.scan.strings.strings, strings.ilike(., \"*password*\", ))) >= 2\n                  and 2 of (\n                    any(.scan.strings.strings, strings.ilike(., \"*incorrect*\")),\n                    any(.scan.strings.strings, strings.ilike(., \"*invalid*\")),\n                    any(.scan.strings.strings, strings.ilike(., \"*login*\")),\n                    any(.scan.strings.strings, strings.ilike(., \"*<script>*\")),\n                    any(.scan.strings.strings, regex.icontains(., \"sign.in\")),\n                    any(.scan.strings.strings,\n                        regex.icontains(.,\n                                        '<title>.[^<]+(Payment|Invoice|Statement|Login|Microsoft|Email|Excel)'\n                        )\n                    )\n                  )\n                )\n                or \n                //Known phishing obfuscation\n                2 of (\n                  // Enter password\n                  any(.scan.strings.strings,\n                      strings.ilike(.,\n                                    \"*&#69;&#110;&#116;&#101;&#114;&#32;&#112;&#97;&#115;&#115;&#119;&#111;&#114;&#100*\"\n                      )\n                  ),\n\n                  // Forgotten my password  \n                  any(.scan.strings.strings,  \n                      strings.ilike(.,  \n                                    \"*&#70;&#111;&#114;&#103;&#111;&#116;&#116;&#101;&#110;&#32;&#109;&#121;&#32;&#112;&#97;&#115;&#115;&#119;&#111;&#114;&#100*\"\n                      )\n                  ),\n\n                  // Sign in\n                  any(.scan.strings.strings,\n                      strings.ilike(., \"*&#83;&#105;&#103;&#110;&#32;&#105;&#110*\")\n                  )\n                )\n        )\n)\n// Unsolicited\nand (\n  not profile.by_sender().solicited\n  or (\n    profile.by_sender().any_messages_malicious_or_spam\n    and not profile.by_sender().any_false_positives\n  )\n)\n"
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques:
@@ -104,5 +22,5 @@ detection_methods:
   - "Javascript analysis"
   - "Sender analysis"
 id: "3aabf4a7-fefa-5266-83fe-012002c9db4a"
-testing_pr: 730
-testing_sha: dce0d97bad4e06708cd4322d3acc5b9d0a81501f
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_html_smuggling_double_encoded_zip.yml b/detection-rules/attachment_html_smuggling_double_encoded_zip.yml
new file mode 100644
index 00000000000..68210d8e4f2
--- /dev/null
+++ b/detection-rules/attachment_html_smuggling_double_encoded_zip.yml
@@ -0,0 +1,56 @@
+name: "Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment"
+description: |
+  Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.
+references:
+  - "https://twitter.com/pr0xylife/status/1593325734004768770"
+  - "https://github.com/Neo23x0/signature-base/blob/master/yara/mal_qbot_payloads.yar"
+  - "https://delivr.to/payloads?id=0e04949a-24f3-4acd-b77c-bbffc4cb3cb9"
+  - "https://delivr.to/payloads?id=ef39f124-6766-491c-a46c-00f2b60aa7a7"
+type: "rule"
+severity: "high"
+authors:
+  - twitter: "ajpc500"
+source: |
+  type.inbound
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+  and any(attachments,
+          .file_extension in ("html", "htm")
+          and any(file.explode(.),
+                  any(.scan.strings.strings,
+                      strings.ilike(.,
+                                    // Double Base64 encoded zips
+                                    "*VUVzREJCUUFBUUFJQ*",
+                                    "*VFc0RCQlFBQVFBSU*",
+                                    "*VRXNEQkJRQUFRQUlB*",
+                                    // Reversed base64 strings double encoded zips
+                                    "*QJFUUBFUUCJERzVUV*",
+                                    "*USBFVQBFlQCR0cFV*",
+                                    "*BlUQRFUQRJkQENXRV*"
+                      )
+                  )
+          )
+  )
+tags:
+  - "Malfam: QakBot"
+attack_types:
+  - "Malware/Ransomware"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "HTML smuggling"
+  - "Scripting"
+detection_methods:
+  - "Archive analysis"
+  - "Content analysis"
+  - "File analysis"
+  - "HTML analysis"
+  - "Sender analysis"
+id: "61ebb07b-264e-59fb-a82c-d91957991081"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_html_smuggling_microsoft_signin.yml b/detection-rules/attachment_html_smuggling_microsoft_signin.yml
new file mode 100644
index 00000000000..52598dfd1bb
--- /dev/null
+++ b/detection-rules/attachment_html_smuggling_microsoft_signin.yml
@@ -0,0 +1,53 @@
+name: "Attachment: HTML Smuggling Microsoft Sign In"
+description: |
+  Scans HTML files to detect HTML smuggling techniques impersonating a Microsoft login page.
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            .file_extension in~ ("html", "htm", "shtml", "dhtml")
+            or .file_extension in~ $file_extensions_common_archives
+            or .file_type == "html"
+          )
+          and any(file.explode(.),
+                  .scan.entropy.entropy >= 5.8
+                  and .flavors.mime == "text/html"
+                  and length(.scan.javascript.identifiers) == 0
+                  and any(.scan.url.urls,
+                          .domain.domain not in $tranco_1m
+                          or .domain.root_domain in $free_subdomain_hosts
+                  )
+
+                  // seen in the wild: "sign in to your account", "sign in to your microsoft account"
+                  and strings.ilike(.scan.html.title, "*sign in*", "*microsoft*")
+          )
+  )
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+  // allow Microsoft domains just to be safe
+  and sender.email.domain.root_domain not in~ ('microsoft.com', 'microsoftsupport.com', 'office.com')
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Free subdomain host"
+  - "HTML smuggling"
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Archive analysis"
+  - "Content analysis"
+  - "File analysis"
+  - "Header analysis"
+  - "Javascript analysis"
+  - "Sender analysis"
+  - "URL analysis"
+id: "878d6385-95c2-5540-a887-a6fa9456409c"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_js_file_execution.yml b/detection-rules/attachment_js_file_execution.yml
new file mode 100644
index 00000000000..352f71ec66f
--- /dev/null
+++ b/detection-rules/attachment_js_file_execution.yml
@@ -0,0 +1,40 @@
+name: "Attachment: File execution via Javascript"
+description: |
+  Javascript contains identifiers or strings that may attempt to execute files.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(attachments,
+          .file_type in $file_extensions_common_archives
+          and any(beta.binexplode(.),
+                  any(.scan.javascript.identifiers, strings.ilike(., 'ActiveXObject', 'ShellExecute'))
+                  or (
+                    length(.scan.javascript.strings) > 0
+                    and all(.scan.javascript.strings, strings.ilike(., 'Shell.Application', '*.exe'))
+                  )
+          )
+  )
+  // first-time sender
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+tags:
+  - "Attack surface reduction"
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "Scripting"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "Javascript analysis"
+  - "Sender analysis"
+id: "627ae0b1-fbe7-58cf-ba7d-0cf51b806c8a"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_malwarebazaar.yml b/detection-rules/attachment_malwarebazaar.yml
new file mode 100644
index 00000000000..61962e88720
--- /dev/null
+++ b/detection-rules/attachment_malwarebazaar.yml
@@ -0,0 +1,25 @@
+name: "MalwareBazaar: Malicious attachment hash (trusted reporters)"
+description: "Detects if an attachment's SHA256 hash matches a SHA256 hash reported as malware on MalwareBazaar by trusted reporters from first-time senders."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(attachments, .sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters)
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+tags:
+  - "Abusech: MalwareBazaar"
+attack_types:
+  - "Malware/Ransomware"
+detection_methods:
+  - "File analysis"
+  - "Sender analysis"
+  - "Threat intelligence"
+id: "5b5c9c3e-92c2-56cd-ad0d-1a2e195fa2b4"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_mht_embedded_vbscript.yml b/detection-rules/attachment_mht_embedded_vbscript.yml
new file mode 100644
index 00000000000..07ce54114c8
--- /dev/null
+++ b/detection-rules/attachment_mht_embedded_vbscript.yml
@@ -0,0 +1,38 @@
+name: "Attachment: Embedded VBScript in MHT file (unsolicited)"
+description: |
+  MHT files can be used to run VBScript, which can run malicious code.
+references:
+  - "https://delivr.to/payloads?id=edc7744f-78bc-4c18-9554-58c35ba9aca5"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(attachments,
+          (.file_extension =~ "mht" or .file_extension in~ $file_extensions_common_archives)
+
+          // ensure there's an mht file (if it's in an archive)
+          and any(file.explode(.), .file_extension =~ "mht")
+          and any(file.explode(.), any(.scan.html.scripts, .language == "VBScript"))
+  )
+
+  // unsolicited
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "Scripting"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "HTML analysis"
+  - "Sender analysis"
+id: "b30353a6-773e-5b6d-9252-751b5bc95799"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
new file mode 100644
index 00000000000..5f6ce2128e1
--- /dev/null
+++ b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
@@ -0,0 +1,20 @@
+name: "Brand impersonation: Microsoft (QR code)"
+description: |
+  Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
+type: "rule"
+severity: "high"
+source: "type.inbound\nand (\n  any(attachments,\n      .file_type in $file_types_images\n      and any(ml.logo_detect(.).brands, strings.starts_with(.name, \"Microsoft\"))\n  )\n  or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, \"Microsoft\"))\n)\nand any(attachments,\n        .file_type in $file_types_images\n        and (\n          any(file.explode(.),\n              regex.icontains(.scan.ocr.raw, 'scan|camera')\n              and regex.icontains(.scan.ocr.raw, '\\bQR\\b|Q\\.R\\.|barcode')\n          )\n          or (\n            any(file.explode(.),\n                .scan.qr.type == \"url\"\n                // recipient email address is present in the URL, a common tactic used in credential phishing attacks \n                and any(recipients.to,\n                        strings.icontains(..scan.qr.data, .email.email)\n                        \n                         // the recipients sld is in the senders display name\n                        or any(recipients.to,\n                            strings.icontains(sender.display_name, .email.domain.sld)\n                        )\n\n                        // the recipient local is in the body  \n                        or any(recipients.to,\n                               strings.icontains(body.current_thread.text, .email.local_part)\n                        )\n\n                        // or the body is null \n                        or body.current_thread.text is null\n                        or body.current_thread.text == \"\"\n\n                        // or the subject contains authentication/urgency verbiage\n                        or regex.contains(subject.subject,\n                                          \"(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)\"\n                        )\n                )\n            )\n          )\n        )\n)\nand (\n  not any(headers.hops,\n          .authentication_results.compauth.verdict is not null\n          and .authentication_results.compauth.verdict == \"pass\"\n          and sender.email.domain.domain == \"microsoft.com\"\n  )\n)\n// unsolicited\nand (\n  not profile.by_sender().solicited\n  or (\n    profile.by_sender().any_messages_malicious_or_spam\n    and not profile.by_sender().any_false_positives\n  )\n)\n"
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "QR code"
+  - "Social engineering"
+detection_methods:
+  - "Computer Vision"
+  - "Header analysis"
+  - "QR code analysis"
+  - "Sender analysis"
+id: "ed0f772a-6543-5947-80d1-55a11ea63074"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_office365_image.yml b/detection-rules/attachment_office365_image.yml
new file mode 100644
index 00000000000..6acdb37a64c
--- /dev/null
+++ b/detection-rules/attachment_office365_image.yml
@@ -0,0 +1,78 @@
+name: "Attachment: Office365 image (unsolicited)"
+description: |
+  Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and length(filter(attachments, .file_type not in $file_types_images)) == 0
+  and (
+    any(attachments,
+        .file_type in $file_types_images
+        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
+    )
+    or any(attachments,
+           .file_type in $file_types_images
+           and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*microsoft*", "*office"))
+    )
+  )
+  and any(attachments,
+          .file_type in $file_types_images
+          and any(file.explode(.),
+                  length(filter([
+                                  "password",
+                                  "unread messages",
+                                  "Shared Documents",
+                                  "expiration",
+                                  "office",
+                                  "expire",
+                                  "expiring",
+                                  "kindly",
+                                  "renew",
+                                  "review",
+                                  "emails failed",
+                                  "kicked out",
+                                  "prevented",
+                                  "storage",
+                                  "required now",
+                                  "cache",
+                                  "qr code",
+                                  "security update",
+                                  "invoice",
+                                  "retrieve"
+
+                                ],
+                                strings.icontains(..scan.ocr.raw, .)
+                         )
+                  ) >= 2
+          )
+  )
+  and (
+    not any(headers.hops,
+            .authentication_results.compauth.verdict is not null
+            and .authentication_results.compauth.verdict == "pass"
+            and sender.email.domain.domain in ("microsoft.com", "sharepointonline.com")
+    )
+  )
+  // unsolicited
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "File analysis"
+  - "Header analysis"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+id: "edce0229-5e8f-5359-a5c8-36570840049f"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_pdf_linking_to_password_protected_file.yml b/detection-rules/attachment_pdf_linking_to_password_protected_file.yml
new file mode 100644
index 00000000000..6c577842f9d
--- /dev/null
+++ b/detection-rules/attachment_pdf_linking_to_password_protected_file.yml
@@ -0,0 +1,43 @@
+name: "Attachment: Adobe branded PDF file linking to a password-protected file from first-time sender"
+description: |
+  Detects pdf files with links to a remotely hosted password-protected file. This is a common technique
+  abused by Phishing actors as well as Malware actors (IcedID, Remcos, Async Rat)
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          .file_extension == "pdf"
+          and any(file.explode(.),
+                  any(ml.nlu_classifier(.scan.ocr.raw).intents,
+                      .name == "cred_theft" and .confidence == "high"
+                  )
+                  and strings.icontains(.scan.ocr.raw, "password-protected")
+                  and any(ml.nlu_classifier(.scan.ocr.raw).entities,
+                          .name == "org" and .text == "Adobe"
+                  )
+          )
+  )
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Encryption"
+  - "Evasion"
+  - "Impersonation: Brand"
+  - "PDF"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "Natural Language Understanding"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+id: "5ea75469-58e8-561e-9a19-24da14a946b7"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
new file mode 100644
index 00000000000..e16b3e602e9
--- /dev/null
+++ b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
@@ -0,0 +1,41 @@
+name: "Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)"
+description: |
+  Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any([body.plain.raw, body.html.inner_text],
+          any(ml.nlu_classifier(.).entities, .name == "request")
+  )
+  and any(attachments,
+          .file_extension == "pdf"
+          and any(file.explode(.),
+                  any(.scan.pdf.urls,
+                      regex.contains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b')
+                      and .domain.root_domain not in $tranco_1m
+                  )
+          )
+  )
+  // unsolicited
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+tags:
+  - "Malfam: Ave Maria"
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "PDF"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "Sender analysis"
+id: "6144f880-a4f0-5776-b7cc-2f89d3bb5000"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml
new file mode 100644
index 00000000000..48952ddfbd7
--- /dev/null
+++ b/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml
@@ -0,0 +1,44 @@
+name: "Attachment: PDF file with low reputation link to ZIP file (unsolicited)"
+description: |
+  Detects messages with PDF attachments linking directly to zip files from unsolicited senders.
+type: "rule"
+severity: "medium"
+authors:
+  - name: "Michael Tingle"
+source: |
+  type.inbound
+  and any([body.plain.raw, body.html.inner_text],
+          any(ml.nlu_classifier(.).entities, .name == "request")
+  )
+  and any(attachments,
+          .file_extension == "pdf"
+          and any(file.explode(.),
+                  any(.scan.pdf.urls,
+                      regex.contains(.url, '\.(?:zip)') and .domain.root_domain not in $tranco_1m
+                  )
+          )
+  )
+  // unsolicited
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+tags:
+  - "Malfam: QakBot"
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "PDF"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+  - "URL analysis"
+id: "d1ee2859-acd1-5c12-9b74-89439ed1eaf1"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_soliciting_enable_macros.yml b/detection-rules/attachment_soliciting_enable_macros.yml
new file mode 100644
index 00000000000..29ce03d5c24
--- /dev/null
+++ b/detection-rules/attachment_soliciting_enable_macros.yml
@@ -0,0 +1,40 @@
+name: "Attachment soliciting user to enable macros"
+description: |
+  Recursively scans files and archives to detect documents that ask the
+  user to enable macros, including if that text appears within an embedded image.
+references:
+  - "https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document"
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            .file_extension in~ $file_extensions_macros
+            or .file_extension in~ $file_extensions_common_archives
+          )
+          and any(file.explode(.),
+                  strings.ilike(.scan.ocr.raw, "*please*enable*macros")
+                  or any(.scan.strings.strings, strings.ilike(., "*please enable macros*"))
+          )
+  )
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Macros"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "Macro analysis"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+id: "e9d75515-8d64-531d-8ccb-9153150d0ee3"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml
new file mode 100644
index 00000000000..446953e8467
--- /dev/null
+++ b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml
@@ -0,0 +1,30 @@
+name: "Attachment: Suspicious VBA macros from first-time sender"
+description: |
+  Detects any VBA macro attachment that scores above a medium confidence threshold in the Sublime Macro Classifier.
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          .file_extension in~ $file_extensions_macros
+          and ml.macro_classifier(.).malicious
+          and ml.macro_classifier(.).confidence in ("high")
+  )
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Macros"
+detection_methods:
+  - "File analysis"
+  - "Macro analysis"
+  - "Sender analysis"
+id: "37cec120-2757-5e99-a489-1315780dae08"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_svg_embedded_js.yml b/detection-rules/attachment_svg_embedded_js.yml
new file mode 100644
index 00000000000..d2fa6adb783
--- /dev/null
+++ b/detection-rules/attachment_svg_embedded_js.yml
@@ -0,0 +1,44 @@
+name: "Attachment: Embedded Javascript in SVG file (unsolicited)"
+description: |
+  Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.
+references:
+  - "https://delivr.to/payloads?id=511ae995-5401-4c60-ae50-08a5b12b3f4b"
+  - "https://delivr.to/payloads?id=28178b12-766d-44d5-8654-d372a94ff961"
+  - "https://delivr.to/payloads?id=3dce858d-7be3-412e-85d9-84f3b9845275"
+  - "https://delivr.to/payloads?id=a0a38332-21b6-4394-b901-3697008e3440"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(attachments,
+          (.file_extension =~ "svg" or .file_extension in $file_extensions_common_archives)
+          and any(file.explode(.),
+                  .file_extension == "svg"
+                  and "script" in~ .scan.xml.tags
+                  // unclear if this is necessary, but it's been observed
+                  // in all payloads we've seen, so we'll include it
+                  // as an extra FP precaution
+                  and any(.scan.strings.strings, strings.icontains(., "CDATA"))
+          )
+  )
+
+  // unsolicited
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Scripting"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "Sender analysis"
+  - "XML analysis"
+id: "f70293bc-b6da-5dbd-8756-e3ca282aba35"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml
new file mode 100644
index 00000000000..591e21d3e8b
--- /dev/null
+++ b/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml
@@ -0,0 +1,42 @@
+name: "Attachment with auto-executing macro (unsolicited)"
+description: |
+  Attachment from an unsolicited sender contains a macro that will auto-execute when the file is opened.
+
+  Macros are a common phishing technique used to deploy malware.
+references:
+  - "https://www.trustedsec.com/blog/malicious-macros-for-script-kiddies/"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(attachments,
+          .file_extension in~ $file_extensions_macros
+          and any(file.oletools(.).macros.keywords, .type =~ "autoexec")
+  )
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+
+  // negate replies
+  and (
+    length(headers.references) == 0
+    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Macros"
+detection_methods:
+  - "Archive analysis"
+  - "Header analysis"
+  - "File analysis"
+  - "Macro analysis"
+  - "OLE analysis"
+  - "Sender analysis"
+id: "af6624c3-2a28-5fbb-8936-fb29e55dd29d"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26
diff --git a/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml
new file mode 100644
index 00000000000..3f5db58ae31
--- /dev/null
+++ b/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml
@@ -0,0 +1,35 @@
+name: "Attachment with auto-opening VBA macro (unsolicited)"
+description: |
+  Recursively scans files and archives to detect embedded VBA files with an auto open exec.
+references:
+  - "https://threatpost.com/microsoft-outlook-users-targeted-by-gamaredons-new-vba-macro/156484/"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            .file_extension in~ $file_extensions_macros
+            or .file_extension in~ $file_extensions_common_archives
+          )
+          and any(file.explode(.), any(.scan.vba.auto_exec, . == "AutoOpen"))
+  )
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Macros"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "Macro analysis"
+  - "Sender analysis"
+id: "d48b3e53-dee4-546b-b81a-0c781929fdfb"
+testing_pr: 815
+testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26