Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Jan 23rd, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Brand impersonation: Square	Sublime Security	3mo ago Oct 16th, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-square-63f9b449
Brand impersonation: TikTok	Sublime Security	2mo ago Oct 30th, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-tiktok-aaacc8b7
Brand impersonation: Toronto-Dominion Bank	Sublime Security	3mo ago Oct 22nd, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-toronto-dominion-bank-2dc16a55
Brand impersonation: UPS	Sublime Security	4mo ago Sep 22nd, 2025	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Computer Vision Sender analysis	/feeds/core/detection-rules/brand-impersonation-ups-73b68869
Brand impersonation: USPS	Sublime Security	3d ago Jan 20th, 2026	Credential Phishing Image as content Impersonation: Brand Social engineering Computer Vision Content analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/brand-impersonation-usps-28b9130a
Brand impersonation: Zoom	Sublime Security	4mo ago Sep 22nd, 2025	Credential Phishing Impersonation: Brand Social engineering Evasion Computer Vision Content analysis HTML analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/brand-impersonation-zoom-5abad540
Callback phishing via Adobe Sign comment	Sublime Security	11d ago Jan 12th, 2026	Callback Phishing Evasion Impersonation: Brand Out of band pivot Social engineering Content analysis Computer Vision Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/callback-phishing-via-adobe-sign-comment-7eb4516d
Callback phishing via DocuSign comment	Sublime Security	11d ago Jan 12th, 2026	Callback Phishing Evasion Impersonation: Brand Out of band pivot Social engineering Content analysis Computer Vision Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/callback-phishing-via-docusign-comment-48aec918
Callback phishing via e-signature service	Sublime Security	11d ago Jan 12th, 2026	Callback Phishing Free email provider Impersonation: Brand Social engineering Content analysis Computer Vision Header analysis Optical Character Recognition	/feeds/core/detection-rules/callback-phishing-via-e-signature-service-ed37b4fd
Callback phishing via Intuit service abuse	Sublime Security	11d ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Optical Character Recognition	/feeds/core/detection-rules/callback-phishing-via-intuit-service-abuse-f2fe1294
Callback Phishing via Signable E-Signature Request	Sublime Security	11d ago Jan 12th, 2026	Callback Phishing Exploit Impersonation: Brand Out of band pivot Social engineering Computer Vision Content analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/callback-phishing-via-signable-e-signature-request-4599575d
Callback phishing via SignFree e-signature request	Sublime Security	11d ago Jan 12th, 2026	Callback Phishing Exploit Impersonation: Brand Out of band pivot Social engineering Computer Vision Content analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/callback-phishing-via-signfree-e-signature-request-21381c37
Callback phishing via Xodo Sign comment	Sublime Security	11d ago Jan 12th, 2026	Callback Phishing Exploit Impersonation: Brand Out of band pivot Social engineering Computer Vision Content analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/callback-phishing-via-xodo-sign-comment-6f722c5d
Callback phishing via Zoho service abuse	Sublime Security	11d ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Optical Character Recognition	/feeds/core/detection-rules/callback-phishing-via-zoho-service-abuse-61e351ec
Callback Phishing via Zoom comment	Sublime Security	4mo ago Sep 22nd, 2025	Callback Phishing Out of band pivot Social engineering Impersonation: Brand Computer Vision Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/callback-phishing-via-zoom-comment-8ec30881
Cloud storage impersonation with credential theft indicators	Sublime Security	4mo ago Sep 22nd, 2025	Credential Phishing Free file host Image as content Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/cloud-storage-impersonation-with-credential-theft-indicators-4c20f72c
Compensation review with QR code in attached EML	Sublime Security	1mo ago Nov 26th, 2025	Credential Phishing QR code Social engineering Computer Vision Content analysis Optical Character Recognition QR code analysis	/feeds/core/detection-rules/compensation-review-with-qr-code-in-attached-eml-98a2f03c
Credential phishing content and link (untrusted sender)	Sublime Security	1mo ago Dec 17th, 2025	Credential Phishing Social engineering Computer Vision Sender analysis URL analysis URL screenshot	/feeds/core/detection-rules/credential-phishing-content-and-link-untrusted-sender-f0c95bb7
Credential phishing: DocuSign embedded image lure with no DocuSign domains in links	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/credential-phishing-docusign-embedded-image-lure-with-no-docusign-domains-in-links-dfe8715e
Credential phishing: Image as content, short or no body contents	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion Image as content Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition	/feeds/core/detection-rules/credential-phishing-image-as-content-short-or-no-body-contents-01313f38
Credential phishing link (unknown sender)	Sublime Security	6mo ago Jul 16th, 2025	Credential Phishing Social engineering Computer Vision Sender analysis URL analysis URL screenshot	/feeds/core/detection-rules/credential-phishing-link-unknown-sender-a278012b
Credential Phishing via Dropbox comment abuse	Sublime Security	4mo ago Sep 22nd, 2025	Credential Phishing Evasion Out of band pivot Social engineering Content analysis Computer Vision Sender analysis	/feeds/core/detection-rules/credential-phishing-via-dropbox-comment-abuse-744d494d
Extortion / sextortion in attachment from untrusted sender	Sublime Security	5mo ago Aug 5th, 2025	Extortion Social engineering Spoofing Computer Vision Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/extortion-sextortion-in-attachment-from-untrusted-sender-3cb8d32c
Free subdomain link with login or captcha (untrusted sender)	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Free subdomain host Social engineering Computer Vision File analysis Sender analysis URL screenshot	/feeds/core/detection-rules/free-subdomain-link-with-login-or-captcha-untrusted-sender-93288f82
Google Accelerated Mobile Pages (AMP) abuse	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Impersonation: Brand Open redirect Computer Vision Content analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis URL screenshot	/feeds/core/detection-rules/google-accelerated-mobile-pages-amp-abuse-46907029
Google Drive abuse: Credential phishing link	Sublime Security	2y ago Jul 31st, 2024	Credential Phishing Free file host Impersonation: Brand Computer Vision Natural Language Understanding Optical Character Recognition Sender analysis URL analysis URL screenshot	/feeds/core/detection-rules/google-drive-abuse-credential-phishing-link-c74aece0
Link: Credential phishing link with undisclosed recipients	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Evasion Computer Vision Header analysis URL screenshot	/feeds/core/detection-rules/link-credential-phishing-link-with-undisclosed-recipients-06fc155e
Link: Credential phishing via WordPress	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Social engineering Free subdomain host URL analysis Header analysis Computer Vision	/feeds/core/detection-rules/link-credential-phishing-via-wordpress-db696058
Link: Figma design deck with credential theft language	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Evasion Free file host Social engineering Natural Language Understanding Computer Vision Optical Character Recognition URL analysis URL screenshot Sender analysis	/feeds/core/detection-rules/link-figma-design-deck-with-credential-theft-language-87601924
Link: HR impersonation with suspicious domain indicators and credential theft	Sublime Security	1mo ago Dec 3rd, 2025	Credential Phishing Impersonation: Employee Social engineering Lookalike domain Content analysis Natural Language Understanding Computer Vision URL analysis URL screenshot	/feeds/core/detection-rules/link-hr-impersonation-with-suspicious-domain-indicators-and-credential-theft-f31f8831
Link: Multistage landing - Abused Adobe Acrobat hosted PDF	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision Optical Character Recognition URL analysis Header analysis Sender analysis	/feeds/core/detection-rules/link-multistage-landing-abused-adobe-acrobat-hosted-pdf-609081ef
Link: Multistage landing - Abused Adobe frame.io	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Evasion Free file host Content analysis Whois Computer Vision URL analysis HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-adobe-frameio-a6c457c5
Link: Multistage landing - Ludus presentation	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Evasion Social engineering Impersonation: Brand Header analysis URL analysis Computer Vision URL screenshot Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/link-multistage-landing-ludus-presentation-a8b3c311
Link: Multistage landing - Scribd document	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion Social engineering Impersonation: Brand Free file host URL analysis HTML analysis Natural Language Understanding Computer Vision Optical Character Recognition URL screenshot	/feeds/core/detection-rules/link-multistage-landing-scribd-document-afa9807d
Link: QR code in EML attachment with credential phishing indicators	Sublime Security	1mo ago Dec 2nd, 2025	Credential Phishing Evasion Open redirect QR code Computer Vision Content analysis File analysis QR code analysis	/feeds/core/detection-rules/link-qr-code-in-eml-attachment-with-credential-phishing-indicators-9908ed3a
Link: QR code with phishing disposition in img or pdf	Sublime Security	5mo ago Jul 30th, 2025	Credential Phishing QR code Social engineering Content analysis Computer Vision QR code analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-qr-code-with-phishing-disposition-in-img-or-pdf-8e8949f6
Link: QR Code with suspicious language (untrusted sender)	Sublime Security	5mo ago Jul 30th, 2025	Credential Phishing Impersonation: Brand QR code Social engineering Content analysis Computer Vision Natural Language Understanding QR code analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-qr-code-with-suspicious-language-untrusted-sender-25a84d1c
Link: QuickBooks image lure with suspicious link	Sublime Security	6mo ago Jul 23rd, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Optical Character Recognition URL analysis	/feeds/core/detection-rules/link-quickbooks-image-lure-with-suspicious-link-3826a923
Open Redirect: Google domain with /url path and suspicious indicators	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion Open redirect Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/open-redirect-google-domain-with-url-path-and-suspicious-indicators-fc5adf74
QR Code with suspicious indicators	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing QR code Social engineering Content analysis Header analysis Computer Vision Natural Language Understanding QR code analysis Sender analysis URL analysis	/feeds/core/detection-rules/qr-code-with-suspicious-indicators-04f5c34f
Service abuse: Formester with suspicious link behavior	Sublime Security	1mo ago Dec 19th, 2025	Credential Phishing BEC/Fraud Open redirect Social engineering Free file host Computer Vision Content analysis URL analysis URL screenshot	/feeds/core/detection-rules/service-abuse-formester-with-suspicious-link-behavior-e4b74fd4
Spam: Mastercard promotional content with image-based body	Sublime Security	2mo ago Nov 5th, 2025	Credential Phishing Spam Image as content Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/spam-mastercard-promotional-content-with-image-based-body-5f2cb559
Suspicious invoice reference with missing or image-only attachments	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Social engineering Content analysis Computer Vision File analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/suspicious-invoice-reference-with-missing-or-image-only-attachments-466c1680
Suspicious recipient pattern and language with low reputation link to login	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis URL screenshot	/feeds/core/detection-rules/suspicious-recipient-pattern-and-language-with-low-reputation-link-to-login-a8ea0402
Suspicious recipients pattern with no Compauth pass and suspicious content	Sublime Security	11d ago Jan 12th, 2026	Content analysis Computer Vision Header analysis Natural Language Understanding URL analysis URL screenshot	/feeds/core/detection-rules/suspicious-recipients-pattern-with-no-compauth-pass-and-suspicious-content-34fb65f6
X (Twitter) impersonation with credential phishing motives	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Header analysis Optical Character Recognition Natural Language Understanding Sender analysis	/feeds/core/detection-rules/x-twitter-impersonation-with-credential-phishing-motives-0b60dca6

96 Rules

Page 2 of 2