Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Apr 24th, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Adobe branded PDF file linking to a password-protected file from untrusted sender	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Impersonation: Brand PDF Archive analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Attachment: 7z Archive Containing RAR File	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion Archive analysis File analysis
Attachment: Any HTML file within archive (unsolicited)	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Archive analysis File analysis
Attachment: Archive containing disallowed file type	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion Archive analysis File analysis
Attachment: Archive containing HTML file with file scheme link	Sublime Security	1mo ago Mar 17th, 2026	Credential Phishing Evasion Exploit HTML smuggling Social engineering Archive analysis File analysis HTML analysis
Attachment: Archive contains DLL-loading macro	Sublime Security	3y ago Dec 28th, 2023	Malware/Ransomware Exploit LNK Macros Scripting Archive analysis File analysis Macro analysis YARA
Attachment: Archive with embedded CHM file	Sublime Security	3y ago Aug 21st, 2023	Malware/Ransomware Evasion Archive analysis File analysis
Attachment: Archive with embedded EXE file	Sublime Security	2y ago Feb 27th, 2024	Malware/Ransomware Evasion Archive analysis File analysis YARA
Attachment: Archive with pdf, txt and wsf files	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis File analysis
Attachment: Base64 encoded bash command in filename	@vector_sec	7mo ago Sep 5th, 2025	Malware/Ransomware Encryption Evasion Archive analysis File analysis Content analysis
Attachment: cmd file extension	Sublime Security	2mo ago Feb 9th, 2026	Malware/Ransomware Scripting Archive analysis File analysis
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Exploit Macros Scripting Archive analysis Content analysis File analysis Macro analysis OLE analysis
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability	Sublime Security	1y ago Mar 21st, 2025	Credential Phishing Scripting Macros Exploit Archive analysis Content analysis File analysis
Attachment: DocX embedded binary	Sublime Security	8mo ago Aug 5th, 2025	Malware/Ransomware Evasion Archive analysis Content analysis YARA
Attachment: DOCX with hyperlink targeting recipient address	Sublime Security	4mo ago Dec 17th, 2025	Credential Phishing Malware/Ransomware Evasion Social engineering File analysis Archive analysis XML analysis
Attachment: Double base64-encoded zip file in HTML smuggling attachment	@ajpc500	8mo ago Aug 5th, 2025	Malware/Ransomware Credential Phishing Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Sender analysis
Attachment: Embedded Javascript in SVG file	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Scripting Archive analysis File analysis Sender analysis XML analysis
Attachment: Embedded VBScript in MHT file (unsolicited)	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting Archive analysis File analysis HTML analysis Sender analysis
Attachment: EML with Encrypted ZIP	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Encryption Evasion Archive analysis File analysis YARA
Attachment: EML with QR code redirecting to Cloudflare challenges	Sublime Security	23d ago Apr 1st, 2026	Credential Phishing Malware/Ransomware Evasion QR code File analysis QR code analysis URL analysis Archive analysis
Attachment: Emotet heavily padded doc in zip file	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Evasion Archive analysis Content analysis Exif analysis File analysis Sender analysis
Attachment: Encrypted Microsoft Office file (unsolicited)	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Encryption Macros Scripting Archive analysis File analysis OLE analysis Sender analysis
Attachment: Encrypted ZIP containing VHDX file	Sublime Security	21d ago Apr 3rd, 2026	Malware/Ransomware Encryption Evasion Archive analysis File analysis
Attachment: Encrypted zip file with payment-related lure	Sublime Security	5mo ago Nov 25th, 2025	BEC/Fraud Malware/Ransomware Encryption Evasion Social engineering Archive analysis Content analysis File analysis
Attachment: Excel Web Query File (IQY)	@jkcoote	3y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion Archive analysis File analysis
Attachment: Fake Slack installer	Sublime Security	3y ago Nov 29th, 2023	Malware/Ransomware Evasion HTML smuggling Impersonation: Brand Scripting Social engineering Archive analysis Computer Vision File analysis HTML analysis Natural Language Understanding URL analysis
Attachment: Fake Zoom installer	Sublime Security	3y ago Nov 29th, 2023	Malware/Ransomware Evasion HTML smuggling Impersonation: Brand Scripting Social engineering Archive analysis Computer Vision File analysis HTML analysis Natural Language Understanding URL analysis
Attachment: File execution via Javascript	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting Archive analysis File analysis Javascript analysis Sender analysis
Attachment: Filename containing Unicode braille pattern blank character	@vector_sec	8mo ago Aug 5th, 2025	Malware/Ransomware Evasion Archive analysis File analysis
Attachment: Filename containing Unicode right-to-left override character	@vector_sec	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion Archive analysis File analysis
Attachment: HTML attachment with Javascript location	@vector_sec	8mo ago Aug 5th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis Javascript analysis HTML analysis
Attachment: HTML attachment with login portal indicators	@ajpc500	3mo ago Jan 12th, 2026	Credential Phishing HTML smuggling Scripting Archive analysis File analysis HTML analysis Javascript analysis Sender analysis
Attachment: HTML file contains exclusively Javascript	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis File analysis
Attachment: HTML smuggling 'body onload' linking to suspicious destination	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis URL analysis
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis
Attachment: HTML smuggling Microsoft sign in	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Free subdomain host HTML smuggling Impersonation: Brand Social engineering Archive analysis Content analysis File analysis Header analysis Javascript analysis Sender analysis URL analysis
Attachment: HTML smuggling with atob and high entropy	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis Sender analysis URL analysis
Attachment: HTML smuggling with auto-downloaded file	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis Sender analysis URL analysis
Attachment: HTML smuggling with base64 encoded JavaScript function	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with base64 encoded ZIP file	Sublime Security	5mo ago Nov 20th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with concatenation obfuscation	@vector_sec	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis
Attachment: HTML smuggling with decimal encoding	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis
Attachment: HTML smuggling with embedded base64-encoded executable	Sublime Security	2y ago Mar 25th, 2024	Malware/Ransomware Evasion HTML smuggling Archive analysis File analysis HTML analysis YARA
Attachment: HTML smuggling with embedded base64-encoded ISO	Sublime Security	3y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling ISO Archive analysis Content analysis File analysis HTML analysis Sender analysis
Attachment: HTML smuggling with embedded base64 streamed file download	Sublime Security	3y ago Aug 21st, 2023	Malware/Ransomware HTML smuggling Scripting Social engineering Archive analysis Content analysis File analysis HTML analysis
Attachment: HTML smuggling with eval and atob	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with excessive line break obfuscation	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with fromCharCode and other signals	Sublime Security	3y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis Javascript analysis HTML analysis
Attachment: HTML smuggling with hex strings	@ajpc500	3y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with high entropy and other signals	Sublime Security	3y ago Aug 21st, 2023	Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis

99 Rules

Page 1 of 2