Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Apr 24th, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains	Sublime Security	4mo ago Dec 10th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis HTML analysis Header analysis Sender analysis URL analysis
Brand impersonation: File sharing notification with template artifacts	Sublime Security	3mo ago Jan 23rd, 2026	Credential Phishing Impersonation: Brand Social engineering Evasion HTML analysis Computer Vision Content analysis Header analysis
Brand impersonation: Microsoft logo in HTML with fake quarantine release notification	Sublime Security	4mo ago Dec 10th, 2025	Credential Phishing Evasion Impersonation: Brand Social engineering Content analysis HTML analysis Sender analysis
Brand impersonation: Microsoft Teams invitation	Sublime Security	2mo ago Feb 6th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis HTML analysis URL analysis
Brand impersonation: Paperless Post	Sublime Security	5mo ago Nov 6th, 2025	Credential Phishing Malware/Ransomware Impersonation: Brand Content analysis Header analysis HTML analysis Sender analysis URL analysis
Brand impersonation: Zoom	Sublime Security	7mo ago Sep 22nd, 2025	Credential Phishing Impersonation: Brand Social engineering Evasion Computer Vision Content analysis HTML analysis Natural Language Understanding URL analysis
Brand impersonation: Zoom via HTML styling	Sublime Security	1mo ago Feb 27th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis HTML analysis
Callback phishing: AOL senders with suspicious HTML template or PDF attachment	Sublime Security	3mo ago Jan 12th, 2026	Callback Phishing Free email provider Social engineering Content analysis Header analysis File analysis HTML analysis Exif analysis Sender analysis
Canva design with suspicious embedded link	Sublime Security	6mo ago Sep 29th, 2025	Credential Phishing Evasion Social engineering Free file host HTML analysis URL analysis Natural Language Understanding Sender analysis
Credential phishing: Blue button styled link with file-sharing template artifacts	Sublime Security	1mo ago Mar 9th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis HTML analysis URL analysis
Credential phishing: Suspicious e-sign agreement document notification	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Social engineering Content analysis Header analysis HTML analysis URL analysis Sender analysis
Credential Phishing: W-2 lure with inline SVG Windows logo	Sublime Security	16d ago Apr 8th, 2026	Credential Phishing Evasion HTML smuggling Social engineering Content analysis HTML analysis
Credential theft: Gophish abuse with hidden tracking image	Sublime Security	5mo ago Nov 5th, 2025	Spam Evasion Image as content Content analysis HTML analysis
CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion Exploit HTML smuggling Scripting Content analysis HTML analysis Sender analysis
Fake Zoho Sign template abuse	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Open redirect Social engineering Content analysis HTML analysis URL analysis
Google presentation open redirect phishing	Sublime Security	4mo ago Dec 11th, 2025	Credential Phishing Evasion Open redirect Social engineering URL analysis HTML analysis
Google share notification with suspicious comments	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Impersonation: VIP Free file host HTML analysis Header analysis Sender analysis Content analysis
HTML: Bidirectional (BIDI) HTML override with right to left obfuscation	Sublime Security	6mo ago Oct 17th, 2025	BEC/Fraud Credential Phishing Evasion Social engineering Scripting Content analysis HTML analysis
HTML smuggling with atob in message body	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware HTML smuggling Content analysis HTML analysis
Image as content with a link to an open redirect (unsolicited)	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion Image as content Open redirect Social engineering Content analysis HTML analysis URL analysis
Impersonation: Chrome Web Store policy	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Impersonation: Brand Free email provider Lookalike domain Content analysis Header analysis HTML analysis Sender analysis URL analysis
Inline image as message with attachment or link	Sublime Security	9mo ago Jul 16th, 2025	Credential Phishing Evasion Image as content Content analysis HTML analysis URL analysis
Link: Abused Adobe Express	Sublime Security	9mo ago Jul 23rd, 2025	Credential Phishing Evasion Free subdomain host Free file host Content analysis Sender analysis URL analysis Whois HTML analysis
Link: Apple App Store link to apps impersonating AI adveristing	Sublime Security	1mo ago Mar 5th, 2026	Credential Phishing Impersonation: Brand Content analysis URL analysis HTML analysis
Link: chatbot.page platform abuse	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Social engineering Out of band pivot URL analysis Natural Language Understanding Content analysis HTML analysis Javascript analysis URL screenshot
Link: Common hidden directory observed	Sublime Security	2mo ago Feb 3rd, 2026	Credential Phishing Evasion URL analysis HTML analysis
Link: Credential theft with invisible Unicode character in page title from unsolicited sender	Sublime Security	2mo ago Feb 13th, 2026	Credential Phishing Evasion Social engineering Natural Language Understanding Content analysis HTML analysis URL analysis URL screenshot
Link: File sharing pretext with suspicious body and link	Sublime Security	6mo ago Oct 10th, 2025	Credential Phishing Social engineering Evasion Natural Language Understanding Content analysis URL analysis HTML analysis
Link: Multistage landing - Abused Adobe frame.io	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Evasion Free file host Content analysis Whois Computer Vision URL analysis HTML analysis
Link: Multistage landing - Abused Docusign	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Evasion Free subdomain host Free file host Content analysis Sender analysis URL analysis Whois HTML analysis
Link: Multistage landing - Abused Google Drive	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Evasion Free email provider Free file host Content analysis Sender analysis URL analysis Whois HTML analysis
Link: Multistage landing - JotForm abuse	Sublime Security	4mo ago Dec 1st, 2025	Credential Phishing Evasion Social engineering Content analysis HTML analysis Javascript analysis URL analysis
Link: Multistage landing - Microsoft Forms abuse	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering HTML analysis URL analysis Content analysis
Link: Multistage landing - Scribd document	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering Impersonation: Brand Free file host URL analysis HTML analysis Natural Language Understanding Computer Vision Optical Character Recognition URL screenshot
Link: PDF display text with fake copyright claim template	Sublime Security	1mo ago Mar 18th, 2026	Credential Phishing Malware/Ransomware Evasion Image as content PDF Content analysis HTML analysis
Link: Suspicious Sharepoint folder share	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Free file host Evasion HTML analysis Header analysis Sender analysis URL analysis
Link: Tycoon2FA phishing kit (non-exhaustive)	Sublime Security	3mo ago Jan 23rd, 2026	Credential Phishing Free subdomain host Evasion Credential Phishing URL analysis HTML analysis Content analysis
Link: Uncommon SharePoint document type with sender's display name	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Social engineering OneNote PDF Content analysis Header analysis HTML analysis URL analysis
Link: URL scheme obfuscation via split HTML anchors	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing BEC/Fraud Evasion HTML injection Social engineering Content analysis HTML analysis URL analysis
Low reputation link to auto-downloaded HTML file with smuggling indicators	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Free file host Free subdomain host HTML smuggling Impersonation: Brand Open redirect Social engineering Content analysis File analysis HTML analysis Javascript analysis Sender analysis URL analysis
Open redirect: Shibboleth SSO Logout Return Parameter	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Open redirect Evasion HTML analysis URL analysis Sender analysis
Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag	Sublime Security	4mo ago Dec 10th, 2025	Credential Phishing Evasion Exploit Content analysis HTML analysis URL analysis
Potential prompt injection attack in body HTML	Sublime Security	3mo ago Jan 12th, 2026	Callback Phishing Credential Phishing Extortion Malware/Ransomware Spam BEC/Fraud Evasion Social engineering Header analysis HTML analysis Content analysis
Request for Quote or Purchase (RFQ\|RFP) with HTML smuggling attachment	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Content analysis File analysis HTML analysis Javascript analysis Natural Language Understanding URL analysis
Service abuse: Adobe Creative Cloud share from an unsolicited sender address	Sublime Security	6mo ago Oct 22nd, 2025	Credential Phishing Social engineering Free file host Evasion HTML analysis Sender analysis Header analysis
Service abuse: Apple TestFlight with suspicious developer reference	Sublime Security	2mo ago Feb 6th, 2026	Spam Social engineering Content analysis HTML analysis Natural Language Understanding Sender analysis URL analysis
Service abuse: Google Firebase sender address with suspicious content	Sublime Security	22d ago Apr 2nd, 2026	Spam Credential Phishing Free subdomain host Social engineering Content analysis Header analysis HTML analysis Natural Language Understanding Sender analysis URL analysis Whois
Service abuse: HelloSign from an unsolicited sender address	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Social engineering Free file host Evasion HTML analysis Sender analysis Header analysis
Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail	Sublime Security	1mo ago Mar 4th, 2026	BEC/Fraud Evasion Sender analysis HTML analysis Content analysis
Service abuse: Meetup.com redirect with brand impersonation	Sublime Security	9d ago Apr 15th, 2026	Credential Phishing Open redirect Impersonation: Brand Evasion URL analysis HTML analysis Content analysis Sender analysis

109 Rules

Page 2 of 3