Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Apr 24th, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Advance Fee Fraud (AFF) from freemail provider or suspicious TLD	Sublime Security	10d ago Apr 14th, 2026	BEC/Fraud Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis
Anthropic Magic String in HTML	Sublime Security	2mo ago Feb 9th, 2026	Malware/Ransomware Exploit Content analysis
Attachment: Adobe image lure in body or attachment with suspicious link	Sublime Security	3mo ago Jan 5th, 2026	Credential Phishing Image as content Impersonation: Brand Content analysis Computer Vision Optical Character Recognition Sender analysis URL analysis
Attachment: Base64 encoded bash command in filename	@vector_sec	7mo ago Sep 5th, 2025	Malware/Ransomware Encryption Evasion Archive analysis File analysis Content analysis
Attachment: Calendar file with invisible Unicode characters	Sublime Security	3mo ago Jan 12th, 2026	BEC/Fraud Credential Phishing Malware/Ransomware Evasion File analysis Content analysis
Attachment: Calendar invite with suspicious link leading to an open redirect	Sublime Security	9mo ago Jul 16th, 2025	Spam Free email provider Free file host Free subdomain host Open redirect Content analysis URL analysis
Attachment: Callback phishing solicitation via image file	@vector_sec	3mo ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Out of band pivot Social engineering Image as content Content analysis Optical Character Recognition Sender analysis URL analysis Computer Vision
Attachment: Callback phishing solicitation via text-based file	Sublime Security	7mo ago Sep 22nd, 2025	Callback Phishing Evasion Out of band pivot Social engineering Content analysis File analysis Header analysis Sender analysis
Attachment: Cold outreach with invitation subject and not attachment	Sublime Security	21d ago Apr 3rd, 2026	Spam Social engineering Image as content Content analysis Natural Language Understanding File analysis
Attachment: Credit card application with WhatsApp contact	Sublime Security	5mo ago Nov 20th, 2025	BEC/Fraud Social engineering Out of band pivot Content analysis File analysis Natural Language Understanding QR code analysis
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Exploit Macros Scripting Archive analysis Content analysis File analysis Macro analysis OLE analysis
Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Exploit Content analysis File analysis
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability	Sublime Security	1y ago Mar 21st, 2025	Credential Phishing Scripting Macros Exploit Archive analysis Content analysis File analysis
Attachment: Decoy PDF author (Julie P.)	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Impersonation: Brand PDF File analysis Content analysis Sender analysis
Attachment: DocX embedded binary	Sublime Security	8mo ago Aug 5th, 2025	Malware/Ransomware Evasion Archive analysis Content analysis YARA
Attachment: Double base64-encoded zip file in HTML smuggling attachment	@ajpc500	8mo ago Aug 5th, 2025	Malware/Ransomware Credential Phishing Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Sender analysis
Attachment: Dropbox image lure with no Dropbox domains in links	Sublime Security	9mo ago Jul 16th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis Optical Character Recognition Sender analysis
Attachment: EML file contains HTML attachment with login portal indicators	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion HTML smuggling Content analysis File analysis Header analysis HTML analysis Javascript analysis Sender analysis
Attachment: EML file with HTML attachment (unsolicited)	Sublime Security	8mo ago Aug 20th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Content analysis File analysis Header analysis HTML analysis Sender analysis
Attachment: EML with link to credential phishing page	Sublime Security	9mo ago Jul 16th, 2025	Credential Phishing Evasion Free file host Free subdomain host Social engineering Computer Vision Content analysis File analysis Header analysis HTML analysis Natural Language Understanding Optical Character Recognition URL analysis URL screenshot
Attachment: EML with SharePoint files shared from GoDaddy federated tenants	Sublime Security	7mo ago Sep 23rd, 2025	Credential Phishing Evasion Impersonation: Brand Social engineering File analysis URL analysis Content analysis
Attachment: EML with suspicious indicators	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion HTML smuggling Social engineering Content analysis File analysis
Attachment: Emotet heavily padded doc in zip file	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Evasion Archive analysis Content analysis Exif analysis File analysis Sender analysis
Attachment: Employment contract update with suspicious file naming	Sublime Security	2mo ago Jan 28th, 2026	Malware/Ransomware Evasion Social engineering Content analysis File analysis
Attachment: Encrypted PDF with credential theft body	Sublime Security	15d ago Apr 9th, 2026	Credential Phishing Encryption Evasion PDF Social engineering Content analysis Exif analysis File analysis Natural Language Understanding Sender analysis
Attachment: Encrypted zip file with payment-related lure	Sublime Security	5mo ago Nov 25th, 2025	BEC/Fraud Malware/Ransomware Encryption Evasion Social engineering Archive analysis Content analysis File analysis
Attachment: Excel file with document sharing lure created by Go Excelize	Sublime Security	2mo ago Jan 29th, 2026	Credential Phishing Macros Social engineering File analysis Macro analysis Content analysis Exif analysis
Attachment: Fake lawyer & sports agent identities	Sublime Security	2mo ago Jan 26th, 2026	BEC/Fraud Impersonation: VIP Social engineering Content analysis Exif analysis File analysis Optical Character Recognition
Attachment: Fake scan-to-email	Sublime Security	7mo ago Sep 22nd, 2025	Credential Phishing Free file host Image as content PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Attachment: Fake secure message and suspicious indicators	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Image as content Impersonation: Brand Social engineering Content analysis File analysis Header analysis Natural Language Understanding Sender analysis
Attachment: Fake voicemail via PDF	Sublime Security	10d ago Apr 14th, 2026	Credential Phishing PDF QR code Social engineering Computer Vision Content analysis File analysis Optical Character Recognition QR code analysis URL analysis
Attachment: Fictitious invoice using LinkedIn's address	Sublime Security	7mo ago Sep 3rd, 2025	BEC/Fraud PDF Social engineering File analysis Optical Character Recognition Natural Language Understanding Content analysis Exif analysis
Attachment: Finance themed PDF with observed phishing template	Sublime Security	1mo ago Mar 2nd, 2026	Credential Phishing PDF Evasion File analysis Content analysis
Attachment: HTML attachment with Javascript location	@vector_sec	8mo ago Aug 5th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis Javascript analysis HTML analysis
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts	Sublime Security	5mo ago Nov 3rd, 2025	Malware/Ransomware Credential Phishing HTML smuggling Scripting Evasion HTML analysis File analysis Content analysis
Attachment: HTML file with reference to recipient and suspicious patterns	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing HTML smuggling Scripting Content analysis File analysis HTML analysis Javascript analysis YARA
Attachment: HTML smuggling 'body onload' linking to suspicious destination	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis URL analysis
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis
Attachment: HTML smuggling Microsoft sign in	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Free subdomain host HTML smuggling Impersonation: Brand Social engineering Archive analysis Content analysis File analysis Header analysis Javascript analysis Sender analysis URL analysis
Attachment: HTML smuggling with atob and high entropy	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis Sender analysis URL analysis
Attachment: HTML smuggling with auto-downloaded file	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis Sender analysis URL analysis
Attachment: HTML smuggling with base64 encoded JavaScript function	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with base64 encoded ZIP file	Sublime Security	5mo ago Nov 20th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with concatenation obfuscation	@vector_sec	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis
Attachment: HTML smuggling with decimal encoding	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis
Attachment: HTML smuggling with embedded base64-encoded ISO	Sublime Security	3y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling ISO Archive analysis Content analysis File analysis HTML analysis Sender analysis
Attachment: HTML smuggling with embedded base64 streamed file download	Sublime Security	3y ago Aug 21st, 2023	Malware/Ransomware HTML smuggling Scripting Social engineering Archive analysis Content analysis File analysis HTML analysis
Attachment: HTML smuggling with eval and atob	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with excessive line break obfuscation	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with fromCharCode and other signals	Sublime Security	3y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis Javascript analysis HTML analysis

521 Rules

Page 1 of 11