Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Apr 24th, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Brand impersonation: Coinbase with suspicious links	Sublime Security	7mo ago Sep 22nd, 2025	Credential Phishing Evasion Free subdomain host Image as content Impersonation: Brand Computer Vision Content analysis File analysis URL analysis
Brand impersonation: DocuSign PDF attachment with suspicious link	Sublime Security	6mo ago Oct 22nd, 2025	Credential Phishing Impersonation: Brand PDF Social engineering File analysis Natural Language Understanding Optical Character Recognition URL analysis
Brand impersonation: Dropbox	Sublime Security	2mo ago Feb 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis Sender analysis
Brand impersonation: Google fake sign-in warning	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Optical Character Recognition Sender analysis URL analysis
Brand impersonation: Microsoft fake sign-in alert	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Sender analysis Whois
Brand impersonation: Microsoft quarantine release notification in body	Sublime Security	9mo ago Jul 16th, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Sender analysis
Brand impersonation: Microsoft quarantine release notification in image attachment	Sublime Security	9mo ago Jul 16th, 2025	Credential Phishing Free file host Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis
Brand impersonation: Microsoft Teams	Sublime Security	2y ago Dec 3rd, 2024	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Optical Character Recognition Sender analysis
Brand impersonation: Microsoft with low reputation links	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Free file host Image as content Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis
Brand impersonation: Norton	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Free email provider Impersonation: Brand Social engineering Content analysis File analysis Header analysis Sender analysis
Brand Impersonation: PayPal	Sublime Security	25d ago Mar 30th, 2026	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Computer Vision Content analysis File analysis Header analysis Sender analysis
Brand impersonation: Proofpoint secure messaging without legitimate indicators	Sublime Security	5mo ago Nov 17th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis URL analysis
Brand impersonation: Sharepoint	Sublime Security	3mo ago Jan 10th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Natural Language Understanding Sender analysis
Brand impersonation: SharePoint PDF attachment with credential theft language	Sublime Security	5mo ago Nov 7th, 2025	Credential Phishing Impersonation: Brand Social engineering PDF Evasion Computer Vision File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis Header analysis Whois
Business Email Compromise (BEC) attempt from unsolicited sender	Sublime Security	9mo ago Jul 16th, 2025	BEC/Fraud Social engineering Spoofing Content analysis File analysis Header analysis Sender analysis
Callback phishing: AOL senders with suspicious HTML template or PDF attachment	Sublime Security	3mo ago Jan 12th, 2026	Callback Phishing Free email provider Social engineering Content analysis Header analysis File analysis HTML analysis Exif analysis Sender analysis
Callback phishing in body or attachment (untrusted sender)	Sublime Security	28d ago Mar 27th, 2026	Callback Phishing Out of band pivot Social engineering Content analysis File analysis Optical Character Recognition Natural Language Understanding Sender analysis
Callback phishing: Social Security Administration fraud	Sublime Security	3mo ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis
Callback phishing solicitation in message body	Sublime Security	6mo ago Oct 17th, 2025	Callback Phishing Free email provider Impersonation: Brand Out of band pivot Social engineering File analysis Sender analysis
Callback phishing via calendar invite	Sublime Security	3mo ago Jan 22nd, 2026	Callback Phishing Social engineering Evasion File analysis Header analysis Natural Language Understanding Sender analysis
Callback phishing via extensionless rfc822 attachment	Sublime Security	3mo ago Jan 12th, 2026	Callback Phishing Impersonation: Brand Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Callback phishing via Google Group abuse	Sublime Security	9mo ago Jul 16th, 2025	Callback Phishing Free email provider Impersonation: Brand Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Commonly abused sender TLD with engaging language	Sublime Security	8mo ago Aug 7th, 2025	Credential Phishing Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis
Credential phishing: Image as content, short or no body contents	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Image as content Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition
Encrypted Microsoft Office files from untrusted sender	Sublime Security	8mo ago Aug 5th, 2025	BEC/Fraud Callback Phishing Credential Phishing Extortion Malware/Ransomware Spam Encryption Evasion File analysis YARA Sender analysis
Extortion / sextortion in attachment from untrusted sender	Sublime Security	8mo ago Aug 5th, 2025	Extortion Social engineering Spoofing Computer Vision Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender	Sublime Security	1y ago Feb 3rd, 2025	BEC/Fraud Free email provider PDF Social engineering QR code Content analysis File analysis QR code analysis
Free subdomain link with login or captcha (untrusted sender)	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Free subdomain host Social engineering Computer Vision File analysis Sender analysis URL screenshot
HTML smuggling containing recipient email address	Sublime Security	5mo ago Nov 4th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis File analysis Sender analysis
Impersonation: Fake Gmail attachment	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Content analysis File analysis Sender analysis
Impersonation: Recipient organization in sender display name with credential theft image	Sublime Security	2mo ago Feb 17th, 2026	Credential Phishing Image as content Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Link: Direct POWR.io Form Builder with suspicious patterns	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Callback Phishing Social engineering File analysis URL analysis Content analysis
Link: Microsoft Dynamics 365 form phishing	Sublime Security	2mo ago Jan 27th, 2026	Credential Phishing Evasion Content analysis File analysis Optical Character Recognition Natural Language Understanding URL analysis URL screenshot
Link: Microsoft protected message with matching sender and recipient addresses	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering Content analysis File analysis Header analysis Sender analysis URL analysis
Link: QR code in EML attachment with credential phishing indicators	Sublime Security	4mo ago Dec 2nd, 2025	Credential Phishing Evasion Open redirect QR code Computer Vision Content analysis File analysis QR code analysis
Link: QuickBooks image lure with suspicious link	Sublime Security	9mo ago Jul 23rd, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Optical Character Recognition URL analysis
Link: ScreenConnect installer with suspicious relay domain	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion Out of band pivot Social engineering URL analysis File analysis Content analysis
Link to auto-downloaded disk image in encrypted zip	@ajpc500	3mo ago Jan 12th, 2026	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA
Link to auto-downloaded DMG in archive	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Evasion Archive analysis File analysis Sender analysis URL analysis
Link to auto-downloaded DMG in encrypted zip	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA
Link to auto-downloaded file with Adobe branding	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Impersonation: Brand Social engineering File analysis Optical Character Recognition Sender analysis URL analysis URL screenshot
Link to auto-downloaded file with Google Drive branding	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Impersonation: Brand Social engineering Content analysis File analysis Optical Character Recognition URL analysis URL screenshot
Link to auto-download of a suspicious file type (unsolicited)	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Encryption Evasion LNK Social engineering Archive analysis File analysis Sender analysis URL analysis YARA
Low reputation link to auto-downloaded HTML file with smuggling indicators	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Free file host Free subdomain host HTML smuggling Impersonation: Brand Open redirect Social engineering Content analysis File analysis HTML analysis Javascript analysis Sender analysis URL analysis
macOS malware: Compiled AppleScript with document double-extension	Sublime Security	2mo ago Feb 5th, 2026	Malware/Ransomware Evasion Social engineering File analysis Header analysis
MalwareBazaar: Malicious attachment hash in archive (trusted reporters)	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Evasion Archive analysis File analysis Sender analysis Threat intelligence
MalwareBazaar: Malicious attachment hash (trusted reporters)	Sublime Security	29d ago Mar 26th, 2026	Malware/Ransomware File analysis Sender analysis Threat intelligence
Malware: Pikabot delivery via URL auto-download	Sublime Security	2y ago Apr 25th, 2024	Malware/Ransomware Evasion Archive analysis File analysis Threat intelligence URL analysis
Non-RFC compliant calendar files from unsolicited sender	Sublime Security	6mo ago Oct 1st, 2025	Evasion Social engineering Archive analysis Content analysis File analysis Sender analysis
Open Redirect: Google domain with /url path and suspicious indicators	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Open redirect Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis

264 Rules

Page 5 of 6