Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Mar 9th, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Callback phishing via extensionless rfc822 attachment	Sublime Security	1mo ago Jan 12th, 2026	Callback Phishing Impersonation: Brand Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/callback-phishing-via-extensionless-rfc822-attachment-197722c4
Callback phishing via Google Group abuse	Sublime Security	7mo ago Jul 16th, 2025	Callback Phishing Free email provider Impersonation: Brand Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/callback-phishing-via-google-group-abuse-199d873b
Commonly abused sender TLD with engaging language	Sublime Security	7mo ago Aug 7th, 2025	Credential Phishing Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/commonly-abused-sender-tld-with-engaging-language-447386dc
Credential phishing: Image as content, short or no body contents	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion Image as content Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition	/feeds/core/detection-rules/credential-phishing-image-as-content-short-or-no-body-contents-01313f38
Encrypted Microsoft Office files from untrusted sender	Sublime Security	7mo ago Aug 5th, 2025	BEC/Fraud Callback Phishing Credential Phishing Extortion Malware/Ransomware Spam Encryption Evasion File analysis YARA Sender analysis	/feeds/core/detection-rules/encrypted-microsoft-office-files-from-untrusted-sender-eb7b26e7
Extortion / sextortion in attachment from untrusted sender	Sublime Security	7mo ago Aug 5th, 2025	Extortion Social engineering Spoofing Computer Vision Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/extortion-sextortion-in-attachment-from-untrusted-sender-3cb8d32c
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender	Sublime Security	1y ago Feb 3rd, 2025	BEC/Fraud Free email provider PDF Social engineering QR code Content analysis File analysis QR code analysis	/feeds/core/detection-rules/extortion-sextortion-pdf-attachment-leveraging-breach-data-from-freemail-sender-efb5a213
Free subdomain link with login or captcha (untrusted sender)	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Free subdomain host Social engineering Computer Vision File analysis Sender analysis URL screenshot	/feeds/core/detection-rules/free-subdomain-link-with-login-or-captcha-untrusted-sender-93288f82
HTML smuggling containing recipient email address	Sublime Security	4mo ago Nov 4th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis File analysis Sender analysis	/feeds/core/detection-rules/html-smuggling-containing-recipient-email-address-af32ff2f
Impersonation: Fake Gmail attachment	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Content analysis File analysis Sender analysis	/feeds/core/detection-rules/impersonation-fake-gmail-attachment-0f5a4e14
Impersonation: Recipient organization in sender display name with credential theft image	Sublime Security	21d ago Feb 17th, 2026	Credential Phishing Image as content Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/impersonation-recipient-organization-in-sender-display-name-with-credential-theft-image-6abfb20e
Link: Direct POWR.io Form Builder with suspicious patterns	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Callback Phishing Social engineering File analysis URL analysis Content analysis	/feeds/core/detection-rules/link-direct-powrio-form-builder-with-suspicious-patterns-fd37cc93
Link: Microsoft Dynamics 365 form phishing	Sublime Security	1mo ago Jan 27th, 2026	Credential Phishing Evasion Content analysis File analysis Optical Character Recognition Natural Language Understanding URL analysis URL screenshot	/feeds/core/detection-rules/link-microsoft-dynamics-365-form-phishing-f72b9085
Link: Microsoft protected message with matching sender and recipient addresses	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering Content analysis File analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-microsoft-protected-message-with-matching-sender-and-recipient-addresses-a5a2f75d
Link: QR code in EML attachment with credential phishing indicators	Sublime Security	3mo ago Dec 2nd, 2025	Credential Phishing Evasion Open redirect QR code Computer Vision Content analysis File analysis QR code analysis	/feeds/core/detection-rules/link-qr-code-in-eml-attachment-with-credential-phishing-indicators-9908ed3a
Link: QuickBooks image lure with suspicious link	Sublime Security	7mo ago Jul 23rd, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Optical Character Recognition URL analysis	/feeds/core/detection-rules/link-quickbooks-image-lure-with-suspicious-link-3826a923
Link: ScreenConnect installer with suspicious relay domain	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Evasion Out of band pivot Social engineering URL analysis File analysis Content analysis	/feeds/core/detection-rules/link-screenconnect-installer-with-suspicious-relay-domain-37d21eef
Link to auto-downloaded disk image in encrypted zip	@ajpc500	1mo ago Jan 12th, 2026	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA	/feeds/core/detection-rules/link-to-auto-downloaded-disk-image-in-encrypted-zip-b50f0cb1
Link to auto-downloaded DMG in archive	Sublime Security	7mo ago Jul 16th, 2025	Malware/Ransomware Evasion Archive analysis File analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-archive-dc04cdd8
Link to auto-downloaded DMG in encrypted zip	Sublime Security	7mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA	/feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-encrypted-zip-43af98d3
Link to auto-downloaded file with Adobe branding	Sublime Security	7mo ago Jul 16th, 2025	Malware/Ransomware Impersonation: Brand Social engineering File analysis Optical Character Recognition Sender analysis URL analysis URL screenshot	/feeds/core/detection-rules/link-to-auto-downloaded-file-with-adobe-branding-e826c2cf
Link to auto-downloaded file with Google Drive branding	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Impersonation: Brand Social engineering Content analysis File analysis Optical Character Recognition URL analysis URL screenshot	/feeds/core/detection-rules/link-to-auto-downloaded-file-with-google-drive-branding-4b5343be
Link to auto-download of a suspicious file type (unsolicited)	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Encryption Evasion LNK Social engineering Archive analysis File analysis Sender analysis URL analysis YARA	/feeds/core/detection-rules/link-to-auto-download-of-a-suspicious-file-type-unsolicited-67ae2152
Low reputation link to auto-downloaded HTML file with smuggling indicators	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion Free file host Free subdomain host HTML smuggling Impersonation: Brand Open redirect Social engineering Content analysis File analysis HTML analysis Javascript analysis Sender analysis URL analysis	/feeds/core/detection-rules/low-reputation-link-to-auto-downloaded-html-file-with-smuggling-indicators-339676c6
macOS malware: Compiled AppleScript with document double-extension	Sublime Security	1mo ago Feb 5th, 2026	Malware/Ransomware Evasion Social engineering File analysis Header analysis	/feeds/core/detection-rules/macos-malware-compiled-applescript-with-document-double-extension-9669c169
MalwareBazaar: Malicious attachment hash in archive (trusted reporters)	Sublime Security	7mo ago Jul 16th, 2025	Malware/Ransomware Evasion Archive analysis File analysis Sender analysis Threat intelligence	/feeds/core/detection-rules/malwarebazaar-malicious-attachment-hash-in-archive-trusted-reporters-9d734281
MalwareBazaar: Malicious attachment hash (trusted reporters)	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware File analysis Sender analysis Threat intelligence	/feeds/core/detection-rules/malwarebazaar-malicious-attachment-hash-trusted-reporters-5b5c9c3e
Malware: Pikabot delivery via URL auto-download	Sublime Security	2y ago Apr 25th, 2024	Malware/Ransomware Evasion Archive analysis File analysis Threat intelligence URL analysis	/feeds/core/detection-rules/malware-pikabot-delivery-via-url-auto-download-f4be4572
Non-RFC compliant calendar files from unsolicited sender	Sublime Security	5mo ago Oct 1st, 2025	Evasion Social engineering Archive analysis Content analysis File analysis Sender analysis	/feeds/core/detection-rules/non-rfc-compliant-calendar-files-from-unsolicited-sender-9859f100
Open Redirect: Google domain with /url path and suspicious indicators	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion Open redirect Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/open-redirect-google-domain-with-url-path-and-suspicious-indicators-fc5adf74
Open redirect: typedrawers.com	Sublime Security	9mo ago May 23rd, 2025	Credential Phishing Evasion Open redirect QR code Social engineering Content analysis File analysis QR code analysis Sender analysis	/feeds/core/detection-rules/open-redirect-typedrawerscom-158d9e95
PDF attachment with Google (AE) redirecting to a php or zip file	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Open redirect PDF Content analysis File analysis URL analysis	/feeds/core/detection-rules/pdf-attachment-with-google-ae-redirecting-to-a-php-or-zip-file-57ae513f
QR code to auto-download of a suspicious file type (unsolicited)	Sublime Security	4mo ago Oct 17th, 2025	Malware/Ransomware Evasion LNK Social engineering Archive analysis File analysis Sender analysis URL analysis QR code analysis	/feeds/core/detection-rules/qr-code-to-auto-download-of-a-suspicious-file-type-unsolicited-eed87ea2
Request for Quote or Purchase (RFQ\|RFP) with HTML smuggling attachment	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion Content analysis File analysis HTML analysis Javascript analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-html-smuggling-attachment-a47a5755
Service abuse: Monday.com infrastructure with phishing intent	Sublime Security	17h ago Mar 9th, 2026	Credential Phishing Evasion Social engineering QR code Content analysis File analysis Header analysis QR code analysis Sender analysis URL analysis	/feeds/core/detection-rules/service-abuse-mondaycom-infrastructure-with-phishing-intent-a346e3b1
Spam: Unsolicited malformed PDF	Sublime Security	7mo ago Jul 16th, 2025	Spam Evasion Free email provider PDF Content analysis File analysis Sender analysis	/feeds/core/detection-rules/spam-unsolicited-malformed-pdf-f0c50031
Stripe invoice abuse	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Callback Phishing PDF File analysis Header analysis	/feeds/core/detection-rules/stripe-invoice-abuse-90162d16
Suspicious attachment: Duplicate decoy PDF files	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Evasion PDF File analysis Optical Character Recognition	/feeds/core/detection-rules/suspicious-attachment-duplicate-decoy-pdf-files-79b9b2e7
Suspicious attachment with unscannable Cloudflare link	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion PDF Social engineering Impersonation: Employee Impersonation: VIP File analysis URL analysis Sender analysis Content analysis Header analysis Natural Language Understanding	/feeds/core/detection-rules/suspicious-attachment-with-unscannable-cloudflare-link-00f92b6f
Suspicious invoice reference with missing or image-only attachments	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Social engineering Content analysis Computer Vision File analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/suspicious-invoice-reference-with-missing-or-image-only-attachments-466c1680
Suspicious VBA macros from untrusted sender	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Macros File analysis Macro analysis Sender analysis	/feeds/core/detection-rules/suspicious-vba-macros-from-untrusted-sender-37cec120
URI protocol handler: search-ms	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Evasion File analysis HTML analysis	/feeds/core/detection-rules/uri-protocol-handler-search-ms-ee27d9c0
URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware PDF File analysis Threat intelligence URL analysis	/feeds/core/detection-rules/urlhaus-malicious-domain-in-message-body-or-pdf-attachment-trusted-reporters-cfca2986
X (Twitter) impersonation with credential phishing motives	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Header analysis Optical Character Recognition Natural Language Understanding Sender analysis	/feeds/core/detection-rules/x-twitter-impersonation-with-credential-phishing-motives-0b60dca6

244 Rules

Page 5 of 5