Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Apr 24th, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: HTML smuggling with raw array buffer	Sublime Security	3y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion Free subdomain host HTML smuggling Archive analysis Content analysis File analysis Javascript analysis
Attachment: HTML smuggling with RC4 decryption	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with ROT13	@Kyle_Parrish_	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis Javascript analysis HTML analysis
Attachment: HTML smuggling with setTimeout	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with unescape	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis File analysis HTML analysis Javascript analysis
Attachment: HTML with obfuscation and recipient's email in JavaScript strings	Sublime Security	7mo ago Sep 25th, 2025	Credential Phishing HTML smuggling Scripting Archive analysis File analysis HTML analysis Javascript analysis
Attachment: JavaScript file with suspicious base64-encoded executable	Sublime Security	2y ago Apr 1st, 2024	Malware/Ransomware Evasion Scripting Archive analysis File analysis YARA
Attachment: LNK file	@ajpc500	3y ago Aug 21st, 2023	Malware/Ransomware LNK Archive analysis File analysis
Attachment: Macro files containing MHT content	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Credential Phishing Evasion Macros Scripting Archive analysis File analysis Macro analysis
Attachment: Malicious OneNote commands	@Kyle_Parrish_	3mo ago Jan 12th, 2026	Malware/Ransomware OneNote Scripting Archive analysis Content analysis File analysis YARA
Attachment: MSI installer file	@ajpc500	8mo ago Aug 5th, 2025	Malware/Ransomware Evasion Archive analysis File analysis
Attachment: Office document loads remote document template	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Archive analysis File analysis URL analysis
Attachment: Office document with VSTO add-in	@vector_sec	3mo ago Jan 12th, 2026	Malware/Ransomware Scripting Archive analysis Content analysis Exif analysis File analysis Sender analysis URL analysis
Attachment: Office file with credential phishing URLs	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering File analysis URL analysis Archive analysis Content analysis
Attachment: Office file with document sharing and browser instruction lures	Sublime Security	2mo ago Jan 29th, 2026	Credential Phishing Social engineering Evasion Archive analysis File analysis Macro analysis Optical Character Recognition Content analysis
Attachment: Office file with suspicious function calls or downloaded file path	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting Archive analysis File analysis
Attachment: OLE external relationship containing file scheme link to executable filetype	Sublime Security	5mo ago Nov 24th, 2025	Malware/Ransomware Evasion Archive analysis Content analysis OLE analysis Sender analysis
Attachment: OLE external relationship containing file scheme link to IP address	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion Archive analysis Content analysis OLE analysis Sender analysis
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis File analysis Sender analysis
Attachment: PDF file with low reputation link to ZIP file (unsolicited)	Michael Tingle	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis File analysis Natural Language Understanding Sender analysis URL analysis
Attachment: PDF with link to DMG file download	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis
Attachment: PDF with link to zip containing a wsf file	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis
Attachment: PowerShell content	@ajpc500	8mo ago Aug 5th, 2025	Malware/Ransomware Scripting Archive analysis File analysis
Attachment: QR code with encoded recipient targeting and redirect indicators	Sublime Security	2mo ago Jan 30th, 2026	Credential Phishing QR code Evasion Image as content Open redirect Archive analysis File analysis QR code analysis URL analysis
Attachment: QR code with suspicious URL patterns in EML file	Sublime Security	2mo ago Feb 21st, 2026	Credential Phishing QR code Evasion Social engineering Archive analysis File analysis QR code analysis URL analysis
Attachment: RDP connection file	@ajpc500	8mo ago Aug 5th, 2025	Malware/Ransomware Credential Phishing Archive analysis File analysis
Attachment: RTF file with suspicious link	Sublime Security	9mo ago Jul 23rd, 2025	Credential Phishing Evasion Archive analysis File analysis Sender analysis URL analysis
Attachment soliciting user to enable macros	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Macros Archive analysis File analysis Macro analysis Optical Character Recognition Sender analysis
Attachment: SVG file execution	Sublime Security	8mo ago Aug 8th, 2025	Malware/Ransomware Scripting Archive analysis Content analysis File analysis
Attachment: Uncommon compressed file	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Credential Phishing Archive analysis File analysis
Attachment: WinRAR CVE-2025-8088 exploitation	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Exploit Evasion Archive analysis File analysis YARA
Attachment with auto-executing macro (unsolicited)	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Macros Archive analysis Header analysis File analysis Macro analysis OLE analysis Sender analysis
Attachment with auto-opening VBA macro (unsolicited)	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Macros Archive analysis File analysis Macro analysis Sender analysis
Attachment with encrypted zip (unsolicited)	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Evasion Encryption Archive analysis File analysis Sender analysis
Attachment with macro calling executable	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion Macros Archive analysis File analysis
Attachment with unscannable encrypted zip (unsolicited)	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Archive analysis File analysis Sender analysis YARA
Attachment with VBA macros from employee impersonation (unsolicited)	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Impersonation: Employee Macros Social engineering Archive analysis File analysis Macro analysis Sender analysis
Attachment: ZIP file with CVE-2026-0866 exploit	Sublime Security	1mo ago Mar 20th, 2026	Malware/Ransomware Exploit Evasion Archive analysis File analysis YARA
HTML smuggling containing recipient email address	Sublime Security	5mo ago Nov 4th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis File analysis Sender analysis
Link: Commonly Abused Web Service redirecting to ZIP file	Sublime Security	1mo ago Mar 10th, 2026	Malware/Ransomware Free file host Free subdomain host Open redirect Evasion URL analysis Whois Archive analysis
Link to auto-downloaded disk image in encrypted zip	@ajpc500	3mo ago Jan 12th, 2026	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA
Link to auto-downloaded DMG in archive	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Evasion Archive analysis File analysis Sender analysis URL analysis
Link to auto-downloaded DMG in encrypted zip	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA
Link to auto-download of a suspicious file type (unsolicited)	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Encryption Evasion LNK Social engineering Archive analysis File analysis Sender analysis URL analysis YARA
MalwareBazaar: Malicious attachment hash in archive (trusted reporters)	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Evasion Archive analysis File analysis Sender analysis Threat intelligence
Malware: Pikabot delivery via URL auto-download	Sublime Security	2y ago Apr 25th, 2024	Malware/Ransomware Evasion Archive analysis File analysis Threat intelligence URL analysis
Non-RFC compliant calendar files from unsolicited sender	Sublime Security	6mo ago Oct 1st, 2025	Evasion Social engineering Archive analysis Content analysis File analysis Sender analysis
QR code to auto-download of a suspicious file type (unsolicited)	Sublime Security	6mo ago Oct 17th, 2025	Malware/Ransomware Evasion LNK Social engineering Archive analysis File analysis Sender analysis URL analysis QR code analysis

98 Rules

Page 2 of 2