Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Jun 29th, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: Callback phishing solicitation via pdf file	Sublime Security	25d ago Jun 5th, 2026	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis
Attachment: Canva PDF with susupicious author metadata	Sublime Security	25d ago Jun 5th, 2026	BEC/Fraud Credential Phishing Free email provider PDF Exif analysis File analysis
Attachment: Compensation-themed DOCX with QR code credential theft	Sublime Security	1mo ago May 29th, 2026	Credential Phishing QR code Social engineering Impersonation: Brand File analysis Optical Character Recognition QR code analysis Natural Language Understanding Exif analysis Content analysis
Attachment: Emotet heavily padded doc in zip file	Sublime Security	11mo ago Jul 16th, 2025	Malware/Ransomware Evasion Archive analysis Content analysis Exif analysis File analysis Sender analysis
Attachment: Encrypted PDF with credential theft body	Sublime Security	13d ago Jun 17th, 2026	Credential Phishing Encryption Evasion PDF Social engineering Content analysis Exif analysis File analysis Natural Language Understanding Sender analysis
Attachment: Excel file with document sharing lure created by Go Excelize	Sublime Security	5mo ago Jan 29th, 2026	Credential Phishing Macros Social engineering File analysis Macro analysis Content analysis Exif analysis
Attachment: Excel file with suspicious template identifier	Sublime Security	5mo ago Jan 12th, 2026	Credential Phishing Evasion Macros Exif analysis File analysis
Attachment: Fake lawyer & sports agent identities	Sublime Security	5mo ago Jan 26th, 2026	BEC/Fraud Impersonation: VIP Social engineering Content analysis Exif analysis File analysis Optical Character Recognition
Attachment: Fictitious invoice using LinkedIn's address	Sublime Security	9mo ago Sep 3rd, 2025	BEC/Fraud PDF Social engineering File analysis Optical Character Recognition Natural Language Understanding Content analysis Exif analysis
Attachment: Invoice and W-9 PDFs with suspicious creators	Sublime Security	4d ago Jun 26th, 2026	BEC/Fraud PDF Social engineering Impersonation: Brand File analysis Optical Character Recognition Exif analysis Content analysis
Attachment: JPEG with gd-jpeg creator and suspicious file name	Sublime Security	18d ago Jun 12th, 2026	Credential Phishing Evasion File analysis Exif analysis
Attachment: Legal themed message or PDF with suspicious indicators	Sublime Security	2mo ago Apr 3rd, 2026	Credential Phishing Extortion BEC/Fraud Evasion PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition URL analysis Whois Header analysis Exif analysis
Attachment: LNK with embedded content	@ajpc500	5mo ago Jan 12th, 2026	Malware/Ransomware Exploit LNK Scripting Content analysis Exif analysis File analysis
Attachment: MS OOXML file created by Administrator with zero edit time	Sublime Security	18d ago Jun 12th, 2026	Malware/Ransomware Evasion Exif analysis File analysis
Attachment: Office document with VSTO add-in	@vector_sec	5mo ago Jan 12th, 2026	Malware/Ransomware Scripting Archive analysis Content analysis Exif analysis File analysis Sender analysis URL analysis
Attachment: Password-protected PDF with fake document indicators	Sublime Security	5mo ago Jan 21st, 2026	Malware/Ransomware Credential Phishing Encryption Evasion PDF File analysis YARA Exif analysis
Attachment: PDF Attachment with links to workers.dev	Sublime Security	26d ago Jun 4th, 2026	Credential Phishing PDF Free subdomain host Evasion File analysis Exif analysis URL analysis
Attachment: PDF bid/proposal lure with credential theft indicators	Sublime Security	3mo ago Mar 27th, 2026	BEC/Fraud Credential Phishing PDF Social engineering Free file host Free subdomain host File analysis Content analysis Optical Character Recognition Natural Language Understanding URL analysis Exif analysis
Attachment: PDF file with link to fake Bitcoin exchange	Sublime Security	5mo ago Jan 12th, 2026	BEC/Fraud Free email provider Impersonation: Brand PDF Social engineering Exif analysis File analysis Sender analysis URL analysis
Attachment: PDF generated with wkhtmltopdf tool and default title	Sublime Security	6mo ago Dec 19th, 2025	BEC/Fraud Callback Phishing Credential Phishing Malware/Ransomware PDF Evasion File analysis Exif analysis
Attachment: PDF with a suspicious string and single URL	Sublime Security	13d ago Jun 17th, 2026	Credential Phishing PDF Social engineering Evasion Content analysis File analysis URL analysis Exif analysis
Attachment: PDF with localhost IP in EXIF title metadata	Sublime Security	11h ago Jun 29th, 2026	Credential Phishing Malware/Ransomware PDF Evasion Exif analysis File analysis Sender analysis
Attachment: PDF with ReportLab library and default metadata	Sublime Security	4mo ago Feb 27th, 2026	Credential Phishing PDF Evasion File analysis Exif analysis
Attachment: PDF with self-service platform links with self sender or blank recipients	Sublime Security	20d ago Jun 10th, 2026	BEC/Fraud Credential Phishing PDF Evasion Free file host File analysis Exif analysis URL analysis Sender analysis
Attachment: PDF with specific author metadata	Sublime Security	29d ago Jun 1st, 2026	Credential Phishing PDF Exif analysis File analysis
Attachment: PDF with suspicious HeadlessChrome metadata	Sublime Security	1mo ago May 1st, 2026	Credential Phishing Malware/Ransomware Evasion PDF File analysis Exif analysis
Attachment: PowerPoint with suspicious hyperlink	Sublime Security	5mo ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting Exif analysis File analysis
Attachment: Suspicious PDF created with headless browser	Sublime Security	1mo ago May 7th, 2026	Credential Phishing Evasion PDF Content analysis Exif analysis File analysis Optical Character Recognition
Attachment: XLSX file with suspicious print titles metadata	Sublime Security	9mo ago Sep 16th, 2025	Credential Phishing Evasion Macros File analysis Exif analysis
Callback phishing: AOL senders with suspicious HTML template or PDF attachment	Sublime Security	1mo ago May 4th, 2026	Callback Phishing Free email provider Social engineering Content analysis Header analysis File analysis HTML analysis Exif analysis Sender analysis
Callback phishing: Social Security Administration fraud	Sublime Security	5mo ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis
Link: Credential harvesting with excess padding evasion	Sublime Security	15d ago Jun 15th, 2026	Credential Phishing Evasion Social engineering Content analysis HTML analysis Exif analysis URL screenshot
Spam: Item giveaway spam template	Sublime Security	10mo ago Aug 5th, 2025	Spam Image as content Content analysis HTML analysis Sender analysis Exif analysis

33 Rules