Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Jun 23rd, 2026

Feed Source

GitHub

Attack Type is

Rule Name & Severity	Author	Last Updated	Labels
Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure	Sublime Security	2mo ago Apr 6th, 2026	Credential Phishing Impersonation: Brand Evasion Social engineering URL analysis
Abuse: Robinhood injected content	Sublime Security	1mo ago Apr 30th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis HTML analysis Sender analysis
AnonymousFox indicators	Sublime Security	10mo ago Aug 5th, 2025	BEC/Fraud Credential Phishing Malware/Ransomware Header analysis Sender analysis
Attachment: Adobe image lure in body or attachment with suspicious link	Sublime Security	19d ago Jun 5th, 2026	Credential Phishing Image as content Impersonation: Brand Content analysis Computer Vision Optical Character Recognition Sender analysis URL analysis
Attachment: Adobe Sign lure PDF with embedded banner images	Sublime Security	21d ago Jun 3rd, 2026	Credential Phishing PDF Impersonation: Brand File analysis YARA
Attachment: Any HTML file within archive (unsolicited)	Sublime Security	5mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Archive analysis File analysis
Attachment: Archive containing HTML file with file scheme link	Sublime Security	3mo ago Mar 17th, 2026	Credential Phishing Evasion Exploit HTML smuggling Social engineering Archive analysis File analysis HTML analysis
Attachment: Calendar file with invisible Unicode characters	Sublime Security	1mo ago Apr 28th, 2026	BEC/Fraud Credential Phishing Malware/Ransomware Evasion ICS Phishing File analysis Content analysis
Attachment: Calendar invite with Google redirect and invoice request	Sublime Security	1mo ago Apr 28th, 2026	Credential Phishing BEC/Fraud ICS Phishing Open redirect Social engineering File analysis Natural Language Understanding URL analysis
Attachment: Canva PDF with susupicious author metadata	Sublime Security	19d ago Jun 5th, 2026	BEC/Fraud Credential Phishing Free email provider PDF Exif analysis File analysis
Attachment: Compensation review lure with QR code	Sublime Security	2mo ago Apr 14th, 2026	Credential Phishing PDF QR code Social engineering File analysis Optical Character Recognition QR code analysis Natural Language Understanding Sender analysis Header analysis
Attachment: Compensation-themed DOCX with QR code credential theft	Sublime Security	26d ago May 29th, 2026	Credential Phishing QR code Social engineering Impersonation: Brand File analysis Optical Character Recognition QR code analysis Natural Language Understanding Exif analysis Content analysis
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability	Sublime Security	1y ago Mar 21st, 2025	Credential Phishing Scripting Macros Exploit Archive analysis Content analysis File analysis
Attachment: Decoy PDF author (Julie P.)	Sublime Security	1mo ago Apr 29th, 2026	Credential Phishing Impersonation: Brand PDF File analysis Content analysis
Attachment: DocuSign impersonation via PDF linking to new domain	Sublime Security	5mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand PDF Social engineering Header analysis Sender analysis URL analysis File analysis Computer Vision Whois
Attachment: DOCX with hyperlink targeting recipient address	Sublime Security	6mo ago Dec 17th, 2025	Credential Phishing Malware/Ransomware Evasion Social engineering File analysis Archive analysis XML analysis
Attachment: Double base64-encoded zip file in HTML smuggling attachment	@ajpc500	1mo ago Apr 27th, 2026	Malware/Ransomware Credential Phishing Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Sender analysis
Attachment: Dropbox image lure with no Dropbox domains in links	Sublime Security	11mo ago Jul 16th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis Optical Character Recognition Sender analysis
Attachment: EML containing a base64 encoded script	Sublime Security	5mo ago Jan 12th, 2026	Credential Phishing Evasion HTML smuggling Scripting Social engineering File analysis HTML analysis Sender analysis
Attachment: EML file contains HTML attachment with login portal indicators	Sublime Security	19d ago Jun 5th, 2026	Credential Phishing Evasion HTML smuggling Content analysis File analysis Header analysis HTML analysis Javascript analysis Sender analysis
Attachment: EML file with HTML attachment (unsolicited)	Sublime Security	10mo ago Aug 20th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Content analysis File analysis Header analysis HTML analysis Sender analysis
Attachment: EML file with IPFS links	Sublime Security	7mo ago Nov 4th, 2025	Credential Phishing Evasion Free file host Free subdomain host IPFS File analysis URL analysis
Attachment: EML with embedded Javascript in SVG file	Sublime Security	10mo ago Aug 8th, 2025	Credential Phishing Malware/Ransomware Scripting Evasion File analysis Javascript analysis Sender analysis
Attachment: EML with link to credential phishing page	Sublime Security	11mo ago Jul 16th, 2025	Credential Phishing Evasion Free file host Free subdomain host Social engineering Computer Vision Content analysis File analysis Header analysis HTML analysis Natural Language Understanding Optical Character Recognition URL analysis URL screenshot
Attachment: EML with QR code redirecting to Cloudflare challenges	Sublime Security	2mo ago Apr 1st, 2026	Credential Phishing Malware/Ransomware Evasion QR code File analysis QR code analysis URL analysis Archive analysis
Attachment: EML with SharePoint files shared from GoDaddy federated tenants	Sublime Security	9mo ago Sep 23rd, 2025	Credential Phishing Evasion Impersonation: Brand Social engineering File analysis URL analysis Content analysis
Attachment: EML with Sharepoint link likely unrelated to sender	Sublime Security	9mo ago Sep 23rd, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Evasion File analysis URL analysis Header analysis Sender analysis
Attachment: EML with suspicious indicators	Sublime Security	5mo ago Jan 12th, 2026	Credential Phishing Evasion HTML smuggling Social engineering Content analysis File analysis
Attachment: Encrypted PDF With Credential Harvesting Indicators	Sublime Security	19d ago Jun 5th, 2026	Credential Phishing Encryption Evasion PDF File analysis YARA
Attachment: Encrypted PDF with credential theft body	Sublime Security	7d ago Jun 17th, 2026	Credential Phishing Encryption Evasion PDF Social engineering Content analysis Exif analysis File analysis Natural Language Understanding Sender analysis
Attachment: Excel file with document sharing lure created by Go Excelize	Sublime Security	4mo ago Jan 29th, 2026	Credential Phishing Macros Social engineering File analysis Macro analysis Content analysis Exif analysis
Attachment: Excel file with suspicious template identifier	Sublime Security	5mo ago Jan 12th, 2026	Credential Phishing Evasion Macros Exif analysis File analysis
Attachment: Excel Web Query File (IQY)	@jkcoote	3y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion Archive analysis File analysis
Attachment: Fake attachment image lure	Sublime Security	19d ago Jun 5th, 2026	Credential Phishing Malware/Ransomware Evasion Image as content Social engineering File analysis Natural Language Understanding Optical Character Recognition
Attachment: Fake PDF Invoices Yara	Sublime Security	8d ago Jun 16th, 2026	Malware/Ransomware Credential Phishing PDF Social engineering Content analysis File analysis YARA
Attachment: Fake scan-to-email	Sublime Security	9mo ago Sep 22nd, 2025	Credential Phishing Free file host Image as content PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Attachment: Fake secure message and suspicious indicators	Sublime Security	5mo ago Jan 12th, 2026	Credential Phishing Image as content Impersonation: Brand Social engineering Content analysis File analysis Header analysis Natural Language Understanding Sender analysis
Attachment: Fake voicemail via PDF	Sublime Security	1mo ago Apr 30th, 2026	Credential Phishing PDF QR code Social engineering Computer Vision Content analysis File analysis Optical Character Recognition QR code analysis URL analysis
Attachment: Finance themed PDF with observed phishing template	Sublime Security	3mo ago Mar 2nd, 2026	Credential Phishing PDF Evasion File analysis Content analysis
Attachment: HTML attachment with Javascript location	@vector_sec	10mo ago Aug 5th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis Javascript analysis HTML analysis
Attachment: HTML attachment with login portal indicators	@ajpc500	5mo ago Jan 12th, 2026	Credential Phishing HTML smuggling Scripting Archive analysis File analysis HTML analysis Javascript analysis Sender analysis
Attachment: HTML file contains exclusively Javascript	Sublime Security	5mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis File analysis
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts	Sublime Security	7mo ago Nov 3rd, 2025	Malware/Ransomware Credential Phishing HTML smuggling Scripting Evasion HTML analysis File analysis Content analysis
Attachment: HTML file with excessive padding and suspicious patterns	Sublime Security	5mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling File analysis HTML analysis YARA
Attachment: HTML file with reference to recipient and suspicious patterns	Sublime Security	5mo ago Jan 12th, 2026	Credential Phishing HTML smuggling Scripting Content analysis File analysis HTML analysis Javascript analysis YARA
Attachment: HTML smuggling 'body onload' linking to suspicious destination	Sublime Security	5mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis URL analysis
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text	Sublime Security	5mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis
Attachment: HTML smuggling Microsoft sign in	Sublime Security	1mo ago Apr 27th, 2026	Credential Phishing Free subdomain host HTML smuggling Impersonation: Brand Social engineering Archive analysis Content analysis File analysis Header analysis Javascript analysis Sender analysis URL analysis
Attachment: HTML smuggling - QR Code with suspicious links	Sublime Security	5mo ago Jan 12th, 2026	Credential Phishing QR code Computer Vision Header analysis Natural Language Understanding QR code analysis Sender analysis URL analysis URL screenshot
Attachment: HTML smuggling with atob and high entropy	Sublime Security	5mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis Sender analysis URL analysis

764 Rules

Page 1 of 16