Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Jan 23rd, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Attachment with auto-executing macro (unsolicited)	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Macros Archive analysis Header analysis File analysis Macro analysis OLE analysis Sender analysis	/feeds/core/detection-rules/attachment-with-auto-executing-macro-unsolicited-af6624c3
Attachment with auto-opening VBA macro (unsolicited)	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Macros Archive analysis File analysis Macro analysis Sender analysis	/feeds/core/detection-rules/attachment-with-auto-opening-vba-macro-unsolicited-d48b3e53
Attachment with encrypted zip (unsolicited)	Sublime Security	6mo ago Jul 16th, 2025	Malware/Ransomware Evasion Encryption Archive analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-with-encrypted-zip-unsolicited-697c87ae
Attachment with high risk VBA macro (unsolicited)	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Macros File analysis Macro analysis OLE analysis Sender analysis	/feeds/core/detection-rules/attachment-with-high-risk-vba-macro-unsolicited-a2b20e16
Attachment with macro calling executable	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Evasion Macros Archive analysis File analysis	/feeds/core/detection-rules/attachment-with-macro-calling-executable-5ee6a197
Attachment with suspicious author (unsolicited)	Sublime Security	6mo ago Jul 16th, 2025	Malware/Ransomware File analysis Sender analysis	/feeds/core/detection-rules/attachment-with-suspicious-author-unsolicited-40f518b9
Attachment with unscannable encrypted zip (unsolicited)	Sublime Security	6mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Archive analysis File analysis Sender analysis YARA	/feeds/core/detection-rules/attachment-with-unscannable-encrypted-zip-unsolicited-529d4a9a
Attachment with VBA macros from employee impersonation (unsolicited)	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Impersonation: Employee Macros Social engineering Archive analysis File analysis Macro analysis Sender analysis	/feeds/core/detection-rules/attachment-with-vba-macros-from-employee-impersonation-unsolicited-9b262123
Attachment: XLSX file with suspicious print titles metadata	Sublime Security	4mo ago Sep 16th, 2025	Credential Phishing Evasion Macros File analysis Exif analysis	/feeds/core/detection-rules/attachment-xlsx-file-with-suspicious-print-titles-metadata-4c265cbe
BEC/Fraud: Job scam fake thread or plaintext pivot to freemail	Sublime Security	11d ago Jan 12th, 2026	BEC/Fraud Free email provider Out of band pivot Content analysis File analysis Natural Language Understanding	/feeds/core/detection-rules/becfraud-job-scam-fake-thread-or-plaintext-pivot-to-freemail-ce21c151
Brand impersonation: Amazon with suspicious attachment	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-amazon-with-suspicious-attachment-5751dcb9
Brand impersonation: Chase bank with credential phishing indicators	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-chase-bank-with-credential-phishing-indicators-d9577856
Brand impersonation: Coinbase with suspicious links	Sublime Security	4mo ago Sep 22nd, 2025	Credential Phishing Evasion Free subdomain host Image as content Impersonation: Brand Computer Vision Content analysis File analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-coinbase-with-suspicious-links-b61e2f8e
Brand impersonation: DocuSign PDF attachment with suspicious link	Sublime Security	3mo ago Oct 22nd, 2025	Credential Phishing Impersonation: Brand PDF Social engineering File analysis Natural Language Understanding Optical Character Recognition URL analysis	/feeds/core/detection-rules/brand-impersonation-docusign-pdf-attachment-with-suspicious-link-2601cbb7
Brand impersonation: Dropbox	Sublime Security	1d ago Jan 22nd, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-dropbox-61f11d12
Brand impersonation: Google fake sign-in warning	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-google-fake-sign-in-warning-2d998eee
Brand impersonation: Microsoft fake sign-in alert	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Sender analysis Whois	/feeds/core/detection-rules/brand-impersonation-microsoft-fake-sign-in-alert-3f4c9e7a
Brand impersonation: Microsoft quarantine release notification in body	Sublime Security	6mo ago Jul 16th, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-quarantine-release-notification-in-body-6d19527c
Brand impersonation: Microsoft quarantine release notification in image attachment	Sublime Security	6mo ago Jul 16th, 2025	Credential Phishing Free file host Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-quarantine-release-notification-in-image-attachment-185db6b3
Brand impersonation: Microsoft Teams	Sublime Security	2y ago Dec 3rd, 2024	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-teams-9cd53055
Brand impersonation: Microsoft with low reputation links	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Free file host Image as content Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6
Brand impersonation: Norton	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Free email provider Impersonation: Brand Social engineering Content analysis File analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-norton-32bd9efd
Brand Impersonation: PayPal	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Computer Vision Content analysis File analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-paypal-a6b2ceee
Brand impersonation: Proofpoint secure messaging without legitimate indicators	Sublime Security	2mo ago Nov 17th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-proofpoint-secure-messaging-without-legitimate-indicators-84b72d02
Brand impersonation: Sharepoint	Sublime Security	13d ago Jan 10th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/brand-impersonation-sharepoint-284b1b70
Brand impersonation: SharePoint PDF attachment with credential theft language	Sublime Security	2mo ago Nov 7th, 2025	Credential Phishing Impersonation: Brand Social engineering PDF Evasion Computer Vision File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis Header analysis Whois	/feeds/core/detection-rules/brand-impersonation-sharepoint-pdf-attachment-with-credential-theft-language-ae3756fa
Business Email Compromise (BEC) attempt from unsolicited sender	Sublime Security	6mo ago Jul 16th, 2025	BEC/Fraud Social engineering Spoofing Content analysis File analysis Header analysis Sender analysis	/feeds/core/detection-rules/business-email-compromise-bec-attempt-from-unsolicited-sender-57eccc45
Callback phishing: AOL senders with suspicious HTML template or PDF attachment	Sublime Security	11d ago Jan 12th, 2026	Callback Phishing Free email provider Social engineering Content analysis Header analysis File analysis HTML analysis Exif analysis Sender analysis	/feeds/core/detection-rules/callback-phishing-aol-senders-with-suspicious-html-template-or-pdf-attachment-f6044eed
Callback phishing in body or attachment (untrusted sender)	Sublime Security	1d ago Jan 22nd, 2026	Callback Phishing Out of band pivot Social engineering Content analysis File analysis Optical Character Recognition Natural Language Understanding Sender analysis	/feeds/core/detection-rules/callback-phishing-in-body-or-attachment-untrusted-sender-b93c6f94
Callback phishing: Social Security Administration fraud	Sublime Security	11d ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/callback-phishing-social-security-administration-fraud-a9049d52
Callback phishing solicitation in message body	Sublime Security	3mo ago Oct 17th, 2025	Callback Phishing Free email provider Impersonation: Brand Out of band pivot Social engineering File analysis Sender analysis	/feeds/core/detection-rules/callback-phishing-solicitation-in-message-body-10a3a446
Callback phishing via calendar invite	Sublime Security	1d ago Jan 22nd, 2026	Callback Phishing Social engineering Evasion File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/callback-phishing-via-calendar-invite-95c84360
Callback phishing via extensionless rfc822 attachment	Sublime Security	11d ago Jan 12th, 2026	Callback Phishing Impersonation: Brand Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/callback-phishing-via-extensionless-rfc822-attachment-197722c4
Callback phishing via Google Group abuse	Sublime Security	6mo ago Jul 16th, 2025	Callback Phishing Free email provider Impersonation: Brand Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/callback-phishing-via-google-group-abuse-199d873b
Commonly abused sender TLD with engaging language	Sublime Security	5mo ago Aug 7th, 2025	Credential Phishing Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/commonly-abused-sender-tld-with-engaging-language-447386dc
Credential phishing: Image as content, short or no body contents	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion Image as content Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition	/feeds/core/detection-rules/credential-phishing-image-as-content-short-or-no-body-contents-01313f38
Encrypted Microsoft Office files from untrusted sender	Sublime Security	5mo ago Aug 5th, 2025	BEC/Fraud Callback Phishing Credential Phishing Extortion Malware/Ransomware Spam Encryption Evasion File analysis YARA Sender analysis	/feeds/core/detection-rules/encrypted-microsoft-office-files-from-untrusted-sender-eb7b26e7
Extortion / sextortion in attachment from untrusted sender	Sublime Security	5mo ago Aug 5th, 2025	Extortion Social engineering Spoofing Computer Vision Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/extortion-sextortion-in-attachment-from-untrusted-sender-3cb8d32c
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender	Sublime Security	11mo ago Feb 3rd, 2025	BEC/Fraud Free email provider PDF Social engineering QR code Content analysis File analysis QR code analysis	/feeds/core/detection-rules/extortion-sextortion-pdf-attachment-leveraging-breach-data-from-freemail-sender-efb5a213
Free subdomain link with login or captcha (untrusted sender)	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Free subdomain host Social engineering Computer Vision File analysis Sender analysis URL screenshot	/feeds/core/detection-rules/free-subdomain-link-with-login-or-captcha-untrusted-sender-93288f82
HTML smuggling containing recipient email address	Sublime Security	2mo ago Nov 4th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis File analysis Sender analysis	/feeds/core/detection-rules/html-smuggling-containing-recipient-email-address-af32ff2f
Impersonation: Fake Gmail attachment	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Content analysis File analysis Sender analysis	/feeds/core/detection-rules/impersonation-fake-gmail-attachment-0f5a4e14
Link: Direct POWR.io Form Builder with suspicious patterns	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Callback Phishing Social engineering File analysis URL analysis Content analysis	/feeds/core/detection-rules/link-direct-powrio-form-builder-with-suspicious-patterns-fd37cc93
Link: Microsoft Dynamics 365 form phishing	Sublime Security	1mo ago Dec 5th, 2025	Credential Phishing Evasion Content analysis File analysis Optical Character Recognition Natural Language Understanding URL analysis URL screenshot	/feeds/core/detection-rules/link-microsoft-dynamics-365-form-phishing-f72b9085
Link: Microsoft protected message with matching sender and recipient addresses	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion Social engineering Content analysis File analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-microsoft-protected-message-with-matching-sender-and-recipient-addresses-a5a2f75d
Link: QR code in EML attachment with credential phishing indicators	Sublime Security	1mo ago Dec 2nd, 2025	Credential Phishing Evasion Open redirect QR code Computer Vision Content analysis File analysis QR code analysis	/feeds/core/detection-rules/link-qr-code-in-eml-attachment-with-credential-phishing-indicators-9908ed3a
Link: QuickBooks image lure with suspicious link	Sublime Security	6mo ago Jul 23rd, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Optical Character Recognition URL analysis	/feeds/core/detection-rules/link-quickbooks-image-lure-with-suspicious-link-3826a923
Link: ScreenConnect installer with suspicious relay domain	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Evasion Out of band pivot Social engineering URL analysis File analysis Content analysis	/feeds/core/detection-rules/link-screenconnect-installer-with-suspicious-relay-domain-37d21eef
Link to auto-downloaded disk image in encrypted zip	@ajpc500	11d ago Jan 12th, 2026	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA	/feeds/core/detection-rules/link-to-auto-downloaded-disk-image-in-encrypted-zip-b50f0cb1
Link to auto-downloaded DMG in archive	Sublime Security	6mo ago Jul 16th, 2025	Malware/Ransomware Evasion Archive analysis File analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-archive-dc04cdd8

224 Rules

Page 4 of 5