Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Jan 23rd, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: HTML with hidden body	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion Scripting Content analysis HTML analysis File analysis	/feeds/core/detection-rules/attachment-html-with-hidden-body-b059a781
Attachment: HTML with JavaScript functions for HTTP requests	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Evasion Scripting Content analysis HTML analysis Javascript analysis File analysis	/feeds/core/detection-rules/attachment-html-with-javascript-functions-for-http-requests-01e679fd
Attachment: ICS file with non-Gregorian calendar scale	Sublime Security	2mo ago Nov 4th, 2025	Credential Phishing Evasion File analysis Content analysis	/feeds/core/detection-rules/attachment-ics-file-with-non-gregorian-calendar-scale-9315bbf5
Attachment: Invoice and W-9 PDFs with suspicious creators	Sublime Security	2d ago Jan 21st, 2026	BEC/Fraud PDF Social engineering Impersonation: Brand File analysis Optical Character Recognition Exif analysis Content analysis	/feeds/core/detection-rules/attachment-invoice-and-w-9-pdfs-with-suspicious-creators-305d6e32
Attachment: Legal themed message or PDF with suspicious indicators	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Extortion BEC/Fraud Evasion PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition URL analysis Whois Header analysis Exif analysis	/feeds/core/detection-rules/attachment-legal-themed-message-or-pdf-with-suspicious-indicators-19133301
Attachment: Link to Doubleclick.net open redirect	Sublime Security	5mo ago Aug 5th, 2025	BEC/Fraud Credential Phishing Evasion Open redirect Social engineering Content analysis File analysis URL analysis	/feeds/core/detection-rules/attachment-link-to-doubleclicknet-open-redirect-506c16cc
Attachment: LNK with embedded content	@ajpc500	11d ago Jan 12th, 2026	Malware/Ransomware Exploit LNK Scripting Content analysis Exif analysis File analysis	/feeds/core/detection-rules/attachment-lnk-with-embedded-content-41452f7a
Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation	@ajpc500	11d ago Jan 12th, 2026	Malware/Ransomware Macros Scripting Content analysis File analysis Macro analysis	/feeds/core/detection-rules/attachment-macro-with-suspected-use-of-com-shellbrowserwindow-object-for-process-creation-527fc7f0
Attachment: Malicious OneNote commands	@Kyle_Parrish_	11d ago Jan 12th, 2026	Malware/Ransomware OneNote Scripting Archive analysis Content analysis File analysis YARA	/feeds/core/detection-rules/attachment-malicious-onenote-commands-7319f0eb
Attachment: Microsoft 365 credential phishing	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-microsoft-365-credential-phishing-edce0229
Attachment: Office document with VSTO add-in	@vector_sec	11d ago Jan 12th, 2026	Malware/Ransomware Scripting Archive analysis Content analysis Exif analysis File analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-office-document-with-vsto-add-in-27afa730
Attachment: Office file with credential phishing URLs	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion Social engineering File analysis URL analysis Archive analysis Content analysis	/feeds/core/detection-rules/attachment-office-file-with-credential-phishing-urls-b2cae98d
Attachment: Office file with document sharing and browser instruction lures	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Social engineering Evasion Archive analysis File analysis Macro analysis Optical Character Recognition Content analysis	/feeds/core/detection-rules/attachment-office-file-with-document-sharing-and-browser-instruction-lures-b1250a4b
Attachment: OLE external relationship containing file scheme link to executable filetype	Sublime Security	2mo ago Nov 24th, 2025	Malware/Ransomware Evasion Archive analysis Content analysis OLE analysis Sender analysis	/feeds/core/detection-rules/attachment-ole-external-relationship-containing-file-scheme-link-to-executable-filetype-33bf6fd4
Attachment: OLE external relationship containing file scheme link to IP address	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Evasion Archive analysis Content analysis OLE analysis Sender analysis	/feeds/core/detection-rules/attachment-ole-external-relationship-containing-file-scheme-link-to-ip-address-3aab998c
Attachment: PDF with link to DMG file download	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-with-link-to-dmg-file-download-2c486fe0
Attachment: PDF with link to zip containing a wsf file	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-with-link-to-zip-containing-a-wsf-file-93bc7db4
Attachment: PDF with Microsoft Purview message impersonation	Sublime Security	2mo ago Nov 10th, 2025	Credential Phishing Impersonation: Brand PDF Social engineering File analysis Natural Language Understanding Content analysis	/feeds/core/detection-rules/attachment-pdf-with-microsoft-purview-message-impersonation-571d4964
Attachment: PDF with personal Microsoft OneNote URL	Sublime Security	1mo ago Dec 4th, 2025	Credential Phishing PDF Social engineering File analysis Content analysis	/feeds/core/detection-rules/attachment-pdf-with-personal-microsoft-onenote-url-0675bbc5
Attachment: RFP/RFQ impersonating government entities	Sublime Security	2y ago Jan 30th, 2024	BEC/Fraud Impersonation: Brand PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-rfprfq-impersonating-government-entities-3b73e3b3
Attachment: Suspicious employee policy update document lure	Sublime Security	28d ago Dec 26th, 2025	Credential Phishing PDF Social engineering Evasion Content analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-suspicious-employee-policy-update-document-lure-a8bf1fd1
Attachment: Suspicious PDF created with headless browser	Sublime Security	4mo ago Sep 17th, 2025	Credential Phishing Evasion PDF Content analysis Exif analysis File analysis Optical Character Recognition	/feeds/core/detection-rules/attachment-suspicious-pdf-created-with-headless-browser-8f3108d7
Attachment: SVG file execution	Sublime Security	5mo ago Aug 8th, 2025	Malware/Ransomware Scripting Archive analysis Content analysis File analysis	/feeds/core/detection-rules/attachment-svg-file-execution-084b0cde
Attachment: USDA bid invitation impersonation	Sublime Security	5mo ago Aug 5th, 2025	BEC/Fraud Impersonation: Brand PDF Macros Social engineering Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493
Attachment: Web files with suspicious comments	Sublime Security	5mo ago Aug 8th, 2025	Credential Phishing Malware/Ransomware HTML smuggling Evasion File analysis HTML analysis Content analysis	/feeds/core/detection-rules/attachment-web-files-with-suspicious-comments-93061d17
BEC: Employee impersonation with subject manipulation	Sublime Security	7d ago Jan 16th, 2026	BEC/Fraud Impersonation: Employee Social engineering Content analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/bec-employee-impersonation-with-subject-manipulation-9adfc77b
BEC/Fraud: Generic scam attempt to undisclosed recipients	Sublime Security	11d ago Jan 12th, 2026	BEC/Fraud Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/becfraud-generic-scam-attempt-to-undisclosed-recipients-5dac401f
BEC/Fraud: Job scam fake thread or plaintext pivot to freemail	Sublime Security	11d ago Jan 12th, 2026	BEC/Fraud Free email provider Out of band pivot Content analysis File analysis Natural Language Understanding	/feeds/core/detection-rules/becfraud-job-scam-fake-thread-or-plaintext-pivot-to-freemail-ce21c151
BEC/Fraud: Penpal scam	Sublime Security	5mo ago Aug 5th, 2025	BEC/Fraud Free email provider Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/becfraud-penpal-scam-a4bdfa17
BEC/Fraud: Romance scam	Sublime Security	1d ago Jan 22nd, 2026	BEC/Fraud Free email provider Social engineering Content analysis Header analysis	/feeds/core/detection-rules/becfraud-romance-scam-0243cdaa
BEC/Fraud: Scam lure with freemail pivot	Sublime Security	5mo ago Aug 5th, 2025	BEC/Fraud Free email provider Out of band pivot Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/becfraud-scam-lure-with-freemail-pivot-898c769f
BEC/Fraud: Student loan callback phishing	Sublime Security	4mo ago Sep 5th, 2025	BEC/Fraud Free email provider Out of band pivot Social engineering Content analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/becfraud-student-loan-callback-phishing-a71f82c3
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns	Sublime Security	11d ago Jan 12th, 2026	BEC/Fraud Callback Phishing Spam Impersonation: Brand Social engineering Free email provider Content analysis Header analysis Sender analysis Whois	/feeds/core/detection-rules/becfraud-urgent-language-and-suspicious-sendinginfrastructure-patterns-ba8a79e0
BEC with unusual reply-to or return-path mismatch	Sublime Security	5mo ago Aug 5th, 2025	BEC/Fraud Evasion Free email provider Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/bec-with-unusual-reply-to-or-return-path-mismatch-83e5e2df
Benefits enrollment impersonation	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion Impersonation: Employee Out of band pivot Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/benefits-enrollment-impersonation-5a6eb5a8
Body: Embedded email headers indicative of thread hijacking/abuse	Sublime Security	1mo ago Dec 1st, 2025	Credential Phishing BEC/Fraud Spam Evasion Social engineering Spoofing Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/body-embedded-email-headers-indicative-of-thread-hijackingabuse-6e8eeebb
Brand impersonation: AARP	Sublime Security	1mo ago Dec 1st, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-aarp-561a7f87
Brand impersonation: Adobe Sign with suspicious indicators	Sublime Security	15d ago Jan 8th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis HTML analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-adobe-sign-with-suspicious-indicators-704d143a
Brand impersonation: Adobe with suspicious language and link	Sublime Security	2mo ago Nov 24th, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-adobe-with-suspicious-language-and-link-32cc8bf1
Brand impersonation: AliExpress	Sublime Security	5mo ago Aug 5th, 2025	Callback Phishing Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-aliexpress-b14703d8
Brand impersonation: Amazon Web Services (AWS)	Sublime Security	3mo ago Oct 10th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis Optical Character Recognition Sender analysis Natural Language Understanding	/feeds/core/detection-rules/brand-impersonation-amazon-web-services-aws-31de94e0
Brand impersonation: Aquent	Sublime Security	3mo ago Oct 9th, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-aquent-5074459c
Brand impersonation: Aramco	Sublime Security	2mo ago Nov 20th, 2025	BEC/Fraud Impersonation: Brand Lookalike domain Social engineering Content analysis Header analysis HTML analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/brand-impersonation-aramco-96e87699
Brand impersonation: AuthentiSign	Sublime Security	2d ago Jan 21st, 2026	Credential Phishing BEC/Fraud Impersonation: Brand Lookalike domain Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-authentisign-445a8c8b
Brand impersonation: Binance	Sublime Security	4mo ago Sep 3rd, 2025	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Content analysis Header analysis HTML analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/brand-impersonation-binance-c3302a76
Brand impersonation: Box file sharing service	Sublime Security	4mo ago Sep 23rd, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-box-file-sharing-service-03da310c
Brand impersonation: Coinbase with suspicious links	Sublime Security	4mo ago Sep 22nd, 2025	Credential Phishing Evasion Free subdomain host Image as content Impersonation: Brand Computer Vision Content analysis File analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-coinbase-with-suspicious-links-b61e2f8e
Brand impersonation: Discord notification	Sublime Security	3mo ago Oct 23rd, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis	/feeds/core/detection-rules/brand-impersonation-discord-notification-97007826
Brand Impersonation: Disney	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision Natural Language Understanding Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-disney-bf90b8fb
Brand impersonation: DocuSign branded attachment lure with no DocuSign links	Sublime Security	3mo ago Oct 22nd, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL screenshot	/feeds/core/detection-rules/brand-impersonation-docusign-branded-attachment-lure-with-no-docusign-links-814a5694

437 Rules

Page 2 of 9