Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Mar 9th, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: RDP connection file	@ajpc500	7mo ago Aug 5th, 2025	Malware/Ransomware Credential Phishing Archive analysis File analysis	/feeds/core/detection-rules/attachment-rdp-connection-file-2409a422
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender	Sublime Security	4mo ago Nov 4th, 2025	Credential Phishing Evasion Social engineering File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-rfc822-containing-suspicious-file-sharing-language-with-links-from-untrusted-sender-d96854d7
Attachment: RFP/RFQ impersonating government entities	Sublime Security	2y ago Jan 30th, 2024	BEC/Fraud Impersonation: Brand PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-rfprfq-impersonating-government-entities-3b73e3b3
Attachment: RTF file with suspicious link	Sublime Security	7mo ago Jul 23rd, 2025	Credential Phishing Evasion Archive analysis File analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-rtf-file-with-suspicious-link-c848f9aa
Attachment: RTF with embedded content	@amitchell516	2y ago Feb 26th, 2024	Malware/Ransomware Evasion File analysis YARA	/feeds/core/detection-rules/attachment-rtf-with-embedded-content-61dd2dd7
Attachment: Self-sender PDF with minimal content and view prompt	Sublime Security	26d ago Feb 12th, 2026	Credential Phishing Malware/Ransomware PDF Social engineering Evasion Content analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-self-sender-pdf-with-minimal-content-and-view-prompt-07670a8c
Attachment: SFX archive containing commands	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting File analysis	/feeds/core/detection-rules/attachment-sfx-archive-containing-commands-343e6c8c
Attachment: Small text file with link containing recipient email address	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering File analysis URL analysis	/feeds/core/detection-rules/attachment-small-text-file-with-link-containing-recipient-email-address-c0472c9d
Attachment: Soda PDF producer with encryption themes	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing PDF Social engineering File analysis Optical Character Recognition	/feeds/core/detection-rules/attachment-soda-pdf-producer-with-encryption-themes-af8eeca4
Attachment soliciting user to enable macros	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Macros Archive analysis File analysis Macro analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-soliciting-user-to-enable-macros-e9d75515
Attachment: Suspicious employee policy update document lure	Sublime Security	2mo ago Dec 26th, 2025	Credential Phishing PDF Social engineering Evasion Content analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-suspicious-employee-policy-update-document-lure-a8bf1fd1
Attachment: Suspicious PDF created with headless browser	Sublime Security	5mo ago Sep 17th, 2025	Credential Phishing Evasion PDF Content analysis Exif analysis File analysis Optical Character Recognition	/feeds/core/detection-rules/attachment-suspicious-pdf-created-with-headless-browser-8f3108d7
Attachment: SVG file execution	Sublime Security	7mo ago Aug 8th, 2025	Malware/Ransomware Scripting Archive analysis Content analysis File analysis	/feeds/core/detection-rules/attachment-svg-file-execution-084b0cde
Attachment: SVG files with evasion elements	Sublime Security	7mo ago Aug 8th, 2025	Malware/Ransomware Credential Phishing QR code Image as content Evasion File analysis XML analysis QR code analysis Sender analysis	/feeds/core/detection-rules/attachment-svg-files-with-evasion-elements-5d2dbb60
Attachment: Uncommon compressed file	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Credential Phishing Archive analysis File analysis	/feeds/core/detection-rules/attachment-uncommon-compressed-file-0c6fba7a
Attachment: USDA bid invitation impersonation	Sublime Security	7mo ago Aug 5th, 2025	BEC/Fraud Impersonation: Brand PDF Macros Social engineering Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493
Attachment: Web files with suspicious comments	Sublime Security	7mo ago Aug 8th, 2025	Credential Phishing Malware/Ransomware HTML smuggling Evasion File analysis HTML analysis Content analysis	/feeds/core/detection-rules/attachment-web-files-with-suspicious-comments-93061d17
Attachment: WinRAR CVE-2025-8088 exploitation	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Exploit Evasion Archive analysis File analysis YARA	/feeds/core/detection-rules/attachment-winrar-cve-2025-8088-exploitation-33b3a82b
Attachment with auto-executing macro (unsolicited)	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Macros Archive analysis Header analysis File analysis Macro analysis OLE analysis Sender analysis	/feeds/core/detection-rules/attachment-with-auto-executing-macro-unsolicited-af6624c3
Attachment with auto-opening VBA macro (unsolicited)	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Macros Archive analysis File analysis Macro analysis Sender analysis	/feeds/core/detection-rules/attachment-with-auto-opening-vba-macro-unsolicited-d48b3e53
Attachment with encrypted zip (unsolicited)	Sublime Security	7mo ago Jul 16th, 2025	Malware/Ransomware Evasion Encryption Archive analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-with-encrypted-zip-unsolicited-697c87ae
Attachment with high risk VBA macro (unsolicited)	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Macros File analysis Macro analysis OLE analysis Sender analysis	/feeds/core/detection-rules/attachment-with-high-risk-vba-macro-unsolicited-a2b20e16
Attachment with macro calling executable	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Evasion Macros Archive analysis File analysis	/feeds/core/detection-rules/attachment-with-macro-calling-executable-5ee6a197
Attachment with suspicious author (unsolicited)	Sublime Security	7mo ago Jul 16th, 2025	Malware/Ransomware File analysis Sender analysis	/feeds/core/detection-rules/attachment-with-suspicious-author-unsolicited-40f518b9
Attachment with unscannable encrypted zip (unsolicited)	Sublime Security	7mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Archive analysis File analysis Sender analysis YARA	/feeds/core/detection-rules/attachment-with-unscannable-encrypted-zip-unsolicited-529d4a9a
Attachment with VBA macros from employee impersonation (unsolicited)	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Impersonation: Employee Macros Social engineering Archive analysis File analysis Macro analysis Sender analysis	/feeds/core/detection-rules/attachment-with-vba-macros-from-employee-impersonation-unsolicited-9b262123
Attachment: XLSX file with suspicious print titles metadata	Sublime Security	5mo ago Sep 16th, 2025	Credential Phishing Evasion Macros File analysis Exif analysis	/feeds/core/detection-rules/attachment-xlsx-file-with-suspicious-print-titles-metadata-4c265cbe
BEC/Fraud: Job scam fake thread or plaintext pivot to freemail	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Free email provider Out of band pivot Content analysis File analysis Natural Language Understanding	/feeds/core/detection-rules/becfraud-job-scam-fake-thread-or-plaintext-pivot-to-freemail-ce21c151
Brand impersonation: Amazon with suspicious attachment	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-amazon-with-suspicious-attachment-5751dcb9
Brand impersonation: Chase bank with credential phishing indicators	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-chase-bank-with-credential-phishing-indicators-d9577856
Brand impersonation: Coinbase with suspicious links	Sublime Security	5mo ago Sep 22nd, 2025	Credential Phishing Evasion Free subdomain host Image as content Impersonation: Brand Computer Vision Content analysis File analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-coinbase-with-suspicious-links-b61e2f8e
Brand impersonation: DocuSign PDF attachment with suspicious link	Sublime Security	4mo ago Oct 22nd, 2025	Credential Phishing Impersonation: Brand PDF Social engineering File analysis Natural Language Understanding Optical Character Recognition URL analysis	/feeds/core/detection-rules/brand-impersonation-docusign-pdf-attachment-with-suspicious-link-2601cbb7
Brand impersonation: Dropbox	Sublime Security	26d ago Feb 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-dropbox-61f11d12
Brand impersonation: Google fake sign-in warning	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-google-fake-sign-in-warning-2d998eee
Brand impersonation: Microsoft fake sign-in alert	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Sender analysis Whois	/feeds/core/detection-rules/brand-impersonation-microsoft-fake-sign-in-alert-3f4c9e7a
Brand impersonation: Microsoft quarantine release notification in body	Sublime Security	7mo ago Jul 16th, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-quarantine-release-notification-in-body-6d19527c
Brand impersonation: Microsoft quarantine release notification in image attachment	Sublime Security	7mo ago Jul 16th, 2025	Credential Phishing Free file host Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-quarantine-release-notification-in-image-attachment-185db6b3
Brand impersonation: Microsoft Teams	Sublime Security	2y ago Dec 3rd, 2024	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-teams-9cd53055
Brand impersonation: Microsoft with low reputation links	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Free file host Image as content Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6
Brand impersonation: Norton	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Free email provider Impersonation: Brand Social engineering Content analysis File analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-norton-32bd9efd
Brand Impersonation: PayPal	Sublime Security	25d ago Feb 13th, 2026	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Computer Vision Content analysis File analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-paypal-a6b2ceee
Brand impersonation: Proofpoint secure messaging without legitimate indicators	Sublime Security	3mo ago Nov 17th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-proofpoint-secure-messaging-without-legitimate-indicators-84b72d02
Brand impersonation: Sharepoint	Sublime Security	1mo ago Jan 10th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/brand-impersonation-sharepoint-284b1b70
Brand impersonation: SharePoint PDF attachment with credential theft language	Sublime Security	4mo ago Nov 7th, 2025	Credential Phishing Impersonation: Brand Social engineering PDF Evasion Computer Vision File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis Header analysis Whois	/feeds/core/detection-rules/brand-impersonation-sharepoint-pdf-attachment-with-credential-theft-language-ae3756fa
Business Email Compromise (BEC) attempt from unsolicited sender	Sublime Security	7mo ago Jul 16th, 2025	BEC/Fraud Social engineering Spoofing Content analysis File analysis Header analysis Sender analysis	/feeds/core/detection-rules/business-email-compromise-bec-attempt-from-unsolicited-sender-57eccc45
Callback phishing: AOL senders with suspicious HTML template or PDF attachment	Sublime Security	1mo ago Jan 12th, 2026	Callback Phishing Free email provider Social engineering Content analysis Header analysis File analysis HTML analysis Exif analysis Sender analysis	/feeds/core/detection-rules/callback-phishing-aol-senders-with-suspicious-html-template-or-pdf-attachment-f6044eed
Callback phishing in body or attachment (untrusted sender)	Sublime Security	1mo ago Jan 22nd, 2026	Callback Phishing Out of band pivot Social engineering Content analysis File analysis Optical Character Recognition Natural Language Understanding Sender analysis	/feeds/core/detection-rules/callback-phishing-in-body-or-attachment-untrusted-sender-b93c6f94
Callback phishing: Social Security Administration fraud	Sublime Security	1mo ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/callback-phishing-social-security-administration-fraud-a9049d52
Callback phishing solicitation in message body	Sublime Security	4mo ago Oct 17th, 2025	Callback Phishing Free email provider Impersonation: Brand Out of band pivot Social engineering File analysis Sender analysis	/feeds/core/detection-rules/callback-phishing-solicitation-in-message-body-10a3a446
Callback phishing via calendar invite	Sublime Security	1mo ago Jan 22nd, 2026	Callback Phishing Social engineering Evasion File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/callback-phishing-via-calendar-invite-95c84360

244 Rules

Page 4 of 5