Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Jun 8th, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: HTML smuggling with excessive line break obfuscation	Sublime Security	4mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with fromCharCode and other signals	Sublime Security	3y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis Javascript analysis HTML analysis
Attachment: HTML smuggling with hex strings	@ajpc500	3y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with high entropy and other signals	Sublime Security	3y ago Aug 21st, 2023	Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis
Attachment: HTML smuggling with raw array buffer	Sublime Security	3y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion Free subdomain host HTML smuggling Archive analysis Content analysis File analysis Javascript analysis
Attachment: HTML smuggling with RC4 decryption	Sublime Security	4mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with ROT13	@Kyle_Parrish_	4mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis Javascript analysis HTML analysis
Attachment: HTML smuggling with setTimeout	Sublime Security	4mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML with hidden body	Sublime Security	4mo ago Jan 12th, 2026	Credential Phishing Evasion Scripting Content analysis HTML analysis File analysis
Attachment: HTML with JavaScript functions for HTTP requests	Sublime Security	10mo ago Aug 5th, 2025	Credential Phishing Evasion Scripting Content analysis HTML analysis Javascript analysis File analysis
Attachment: ICS calendar file with base64 encoded recipient address in URL parameters	Sublime Security	27d ago May 12th, 2026	Credential Phishing Evasion Social engineering ICS Phishing File analysis URL analysis Content analysis
Attachment: ICS calendar file with QR code containing recipient email address	Sublime Security	1mo ago Apr 20th, 2026	Credential Phishing QR code Social engineering Evasion File analysis QR code analysis URL analysis Content analysis
Attachment: ICS calendar file with recipient address in UID field	Sublime Security	1mo ago Apr 20th, 2026	Credential Phishing Social engineering File analysis Content analysis
Attachment: ICS calendar file with suspicious product identifier	Sublime Security	10d ago May 29th, 2026	Credential Phishing Evasion Social engineering ICS Phishing File analysis Content analysis
Attachment: ICS file with AWS Lambda URL	Sublime Security	1mo ago Apr 28th, 2026	Credential Phishing Malware/Ransomware Evasion Free file host ICS Phishing Content analysis File analysis URL analysis
Attachment: ICS file with excessive custom properties	Sublime Security	6d ago Jun 2nd, 2026	Malware/Ransomware Evasion ICS Phishing File analysis Content analysis
Attachment: ICS file with non-Gregorian calendar scale	Sublime Security	1mo ago Apr 28th, 2026	Credential Phishing Evasion ICS Phishing File analysis Content analysis
Attachment: ICS with employee policy review lure	Sublime Security	1mo ago Apr 28th, 2026	Credential Phishing BEC/Fraud Evasion ICS Phishing Social engineering File analysis Content analysis
Attachment: Invoice and W-9 PDFs with suspicious creators	Sublime Security	4mo ago Jan 21st, 2026	BEC/Fraud PDF Social engineering Impersonation: Brand File analysis Optical Character Recognition Exif analysis Content analysis
Attachment: Legal themed message or PDF with suspicious indicators	Sublime Security	2mo ago Apr 3rd, 2026	Credential Phishing Extortion BEC/Fraud Evasion PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition URL analysis Whois Header analysis Exif analysis
Attachment: Link to Doubleclick.net open redirect	Sublime Security	1mo ago Apr 29th, 2026	BEC/Fraud Credential Phishing Evasion Open redirect Social engineering Content analysis File analysis URL analysis
Attachment: LNK with embedded content	@ajpc500	4mo ago Jan 12th, 2026	Malware/Ransomware Exploit LNK Scripting Content analysis Exif analysis File analysis
Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation	@ajpc500	4mo ago Jan 12th, 2026	Malware/Ransomware Macros Scripting Content analysis File analysis Macro analysis
Attachment: Malicious OneNote commands	@Kyle_Parrish_	4mo ago Jan 12th, 2026	Malware/Ransomware OneNote Scripting Archive analysis Content analysis File analysis YARA
Attachment: Microsoft 365 credential phishing	Sublime Security	3d ago Jun 5th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis Optical Character Recognition Sender analysis
Attachment: Microsoft OAuth credential harvesting via EML with embedded malicious links	Sublime Security	7d ago Jun 1st, 2026	Credential Phishing Impersonation: Brand Evasion PDF File analysis URL analysis Content analysis
Attachment: Office document with VSTO add-in	@vector_sec	4mo ago Jan 12th, 2026	Malware/Ransomware Scripting Archive analysis Content analysis Exif analysis File analysis Sender analysis URL analysis
Attachment: Office file with credential phishing URLs	Sublime Security	4mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering File analysis URL analysis Archive analysis Content analysis
Attachment: Office file with document sharing and browser instruction lures	Sublime Security	4mo ago Jan 29th, 2026	Credential Phishing Social engineering Evasion Archive analysis File analysis Macro analysis Optical Character Recognition Content analysis
Attachment: OLE external relationship containing file scheme link to executable filetype	Sublime Security	6mo ago Nov 24th, 2025	Malware/Ransomware Evasion Archive analysis Content analysis OLE analysis Sender analysis
Attachment: OLE external relationship containing file scheme link to IP address	Sublime Security	4mo ago Jan 12th, 2026	Malware/Ransomware Evasion Archive analysis Content analysis OLE analysis Sender analysis
Attachment: PDF bid/proposal lure with credential theft indicators	Sublime Security	2mo ago Mar 27th, 2026	BEC/Fraud Credential Phishing PDF Social engineering Free file host Free subdomain host File analysis Content analysis Optical Character Recognition Natural Language Understanding URL analysis Exif analysis
Attachment: PDF with a suspicious string and single URL	Sublime Security	4d ago Jun 4th, 2026	Credential Phishing PDF Social engineering Evasion Content analysis File analysis URL analysis Exif analysis
Attachment: PDF with credential theft language and invalid reply-to domain	Sublime Security	1mo ago Apr 10th, 2026	Credential Phishing PDF Social engineering Spoofing File analysis Header analysis Natural Language Understanding Content analysis
Attachment: PDF with link to DMG file download	Sublime Security	4mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis
Attachment: PDF with link to zip containing a wsf file	Sublime Security	4mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis
Attachment: PDF with Microsoft Purview message impersonation	Sublime Security	7mo ago Nov 10th, 2025	Credential Phishing Impersonation: Brand PDF Social engineering File analysis Natural Language Understanding Content analysis
Attachment: PDF with password in filename matching body text	Sublime Security	3mo ago Feb 19th, 2026	Malware/Ransomware Credential Phishing Encryption Evasion PDF Content analysis File analysis
Attachment: PDF with personal Microsoft OneNote URL	Sublime Security	6mo ago Dec 4th, 2025	Credential Phishing PDF Social engineering File analysis Content analysis
Attachment: PDF with suspicious link and action-oriented language	Sublime Security	21d ago May 18th, 2026	Credential Phishing PDF Social engineering Evasion File analysis URL analysis Content analysis URL screenshot
Attachment: RFP/RFQ impersonating government entities	Sublime Security	2y ago Jan 30th, 2024	BEC/Fraud Impersonation: Brand PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Attachment: Self-sender PDF with minimal content and view prompt	Sublime Security	3mo ago Feb 12th, 2026	Credential Phishing Malware/Ransomware PDF Social engineering Evasion Content analysis File analysis Sender analysis
Attachment: Suspicious employee policy update document lure	Sublime Security	5mo ago Dec 26th, 2025	Credential Phishing PDF Social engineering Evasion Content analysis File analysis Sender analysis
Attachment: Suspicious PDF created with headless browser	Sublime Security	1mo ago May 7th, 2026	Credential Phishing Evasion PDF Content analysis Exif analysis File analysis Optical Character Recognition
Attachment: SVG file execution	Sublime Security	10mo ago Aug 8th, 2025	Malware/Ransomware Scripting Archive analysis Content analysis File analysis
Attachment: SVG file with HTML entity encoded href attributes	Sublime Security	19d ago May 20th, 2026	Malware/Ransomware Credential Phishing Evasion HTML smuggling File analysis Content analysis
Attachment: SVG file with hyperlinks and cursor styling	Sublime Security	19d ago May 20th, 2026	Credential Phishing Evasion Image as content File analysis XML analysis Content analysis
Attachment: USDA bid invitation impersonation	Sublime Security	10mo ago Aug 5th, 2025	BEC/Fraud Impersonation: Brand PDF Macros Social engineering Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis
Attachment: Web files with suspicious comments	Sublime Security	10mo ago Aug 8th, 2025	Credential Phishing Malware/Ransomware HTML smuggling Evasion File analysis HTML analysis Content analysis
BEC: Employee impersonation with subject manipulation	Sublime Security	4mo ago Jan 16th, 2026	BEC/Fraud Impersonation: Employee Social engineering Content analysis Natural Language Understanding Sender analysis

553 Rules

Page 2 of 12