Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Jan 23rd, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Link to auto-downloaded DMG in encrypted zip	Sublime Security	6mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA	/feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-encrypted-zip-43af98d3
Link to auto-downloaded file with Adobe branding	Sublime Security	6mo ago Jul 16th, 2025	Malware/Ransomware Impersonation: Brand Social engineering File analysis Optical Character Recognition Sender analysis URL analysis URL screenshot	/feeds/core/detection-rules/link-to-auto-downloaded-file-with-adobe-branding-e826c2cf
Link to auto-downloaded file with Google Drive branding	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Impersonation: Brand Social engineering Content analysis File analysis Optical Character Recognition URL analysis URL screenshot	/feeds/core/detection-rules/link-to-auto-downloaded-file-with-google-drive-branding-4b5343be
Link to auto-download of a suspicious file type (unsolicited)	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Encryption Evasion LNK Social engineering Archive analysis File analysis Sender analysis URL analysis YARA	/feeds/core/detection-rules/link-to-auto-download-of-a-suspicious-file-type-unsolicited-67ae2152
Low reputation link to auto-downloaded HTML file with smuggling indicators	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion Free file host Free subdomain host HTML smuggling Impersonation: Brand Open redirect Social engineering Content analysis File analysis HTML analysis Javascript analysis Sender analysis URL analysis	/feeds/core/detection-rules/low-reputation-link-to-auto-downloaded-html-file-with-smuggling-indicators-339676c6
MalwareBazaar: Malicious attachment hash in archive (trusted reporters)	Sublime Security	6mo ago Jul 16th, 2025	Malware/Ransomware Evasion Archive analysis File analysis Sender analysis Threat intelligence	/feeds/core/detection-rules/malwarebazaar-malicious-attachment-hash-in-archive-trusted-reporters-9d734281
MalwareBazaar: Malicious attachment hash (trusted reporters)	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware File analysis Sender analysis Threat intelligence	/feeds/core/detection-rules/malwarebazaar-malicious-attachment-hash-trusted-reporters-5b5c9c3e
Malware: Pikabot delivery via URL auto-download	Sublime Security	2y ago Apr 25th, 2024	Malware/Ransomware Evasion Archive analysis File analysis Threat intelligence URL analysis	/feeds/core/detection-rules/malware-pikabot-delivery-via-url-auto-download-f4be4572
Non-RFC compliant calendar files from unsolicited sender	Sublime Security	3mo ago Oct 1st, 2025	Evasion Social engineering Archive analysis Content analysis File analysis Sender analysis	/feeds/core/detection-rules/non-rfc-compliant-calendar-files-from-unsolicited-sender-9859f100
Open Redirect: Google domain with /url path and suspicious indicators	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion Open redirect Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/open-redirect-google-domain-with-url-path-and-suspicious-indicators-fc5adf74
Open redirect: typedrawers.com	Sublime Security	8mo ago May 23rd, 2025	Credential Phishing Evasion Open redirect QR code Social engineering Content analysis File analysis QR code analysis Sender analysis	/feeds/core/detection-rules/open-redirect-typedrawerscom-158d9e95
PDF attachment with Google (AE) redirecting to a php or zip file	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Open redirect PDF Content analysis File analysis URL analysis	/feeds/core/detection-rules/pdf-attachment-with-google-ae-redirecting-to-a-php-or-zip-file-57ae513f
QR code to auto-download of a suspicious file type (unsolicited)	Sublime Security	3mo ago Oct 17th, 2025	Malware/Ransomware Evasion LNK Social engineering Archive analysis File analysis Sender analysis URL analysis QR code analysis	/feeds/core/detection-rules/qr-code-to-auto-download-of-a-suspicious-file-type-unsolicited-eed87ea2
Request for Quote or Purchase (RFQ\|RFP) with HTML smuggling attachment	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion Content analysis File analysis HTML analysis Javascript analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-html-smuggling-attachment-a47a5755
Service abuse: Monday.com infrastructure with phishing intent	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion Social engineering QR code Content analysis File analysis Header analysis QR code analysis Sender analysis URL analysis	/feeds/core/detection-rules/service-abuse-mondaycom-infrastructure-with-phishing-intent-a346e3b1
Spam: Unsolicited malformed PDF	Sublime Security	6mo ago Jul 16th, 2025	Spam Evasion Free email provider PDF Content analysis File analysis Sender analysis	/feeds/core/detection-rules/spam-unsolicited-malformed-pdf-f0c50031
Stripe invoice abuse	Sublime Security	11d ago Jan 12th, 2026	BEC/Fraud Callback Phishing PDF File analysis Header analysis	/feeds/core/detection-rules/stripe-invoice-abuse-90162d16
Suspicious attachment: Duplicate decoy PDF files	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Evasion PDF File analysis Optical Character Recognition	/feeds/core/detection-rules/suspicious-attachment-duplicate-decoy-pdf-files-79b9b2e7
Suspicious attachment with unscannable Cloudflare link	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion PDF Social engineering Impersonation: Employee Impersonation: VIP File analysis URL analysis Sender analysis Content analysis Header analysis Natural Language Understanding	/feeds/core/detection-rules/suspicious-attachment-with-unscannable-cloudflare-link-00f92b6f
Suspicious invoice reference with missing or image-only attachments	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Social engineering Content analysis Computer Vision File analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/suspicious-invoice-reference-with-missing-or-image-only-attachments-466c1680
Suspicious VBA macros from untrusted sender	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Macros File analysis Macro analysis Sender analysis	/feeds/core/detection-rules/suspicious-vba-macros-from-untrusted-sender-37cec120
URI protocol handler: search-ms	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Evasion File analysis HTML analysis	/feeds/core/detection-rules/uri-protocol-handler-search-ms-ee27d9c0
URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Malware/Ransomware PDF File analysis Threat intelligence URL analysis	/feeds/core/detection-rules/urlhaus-malicious-domain-in-message-body-or-pdf-attachment-trusted-reporters-cfca2986
X (Twitter) impersonation with credential phishing motives	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Header analysis Optical Character Recognition Natural Language Understanding Sender analysis	/feeds/core/detection-rules/x-twitter-impersonation-with-credential-phishing-motives-0b60dca6

224 Rules

Page 5 of 5