Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Mar 9th, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Brand impersonation: File sharing notification with template artifacts	Sublime Security	1mo ago Jan 23rd, 2026	Credential Phishing Impersonation: Brand Social engineering Evasion HTML analysis Computer Vision Content analysis Header analysis	/feeds/core/detection-rules/brand-impersonation-file-sharing-notification-with-template-artifacts-37d89611
Brand impersonation: Microsoft logo in HTML with fake quarantine release notification	Sublime Security	2mo ago Dec 10th, 2025	Credential Phishing Evasion Impersonation: Brand Social engineering Content analysis HTML analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-logo-in-html-with-fake-quarantine-release-notification-f12c615c
Brand impersonation: Microsoft Teams invitation	Sublime Security	1mo ago Feb 6th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis HTML analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-teams-invitation-46410ad8
Brand impersonation: Paperless Post	Sublime Security	4mo ago Nov 6th, 2025	Credential Phishing Malware/Ransomware Impersonation: Brand Content analysis Header analysis HTML analysis Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-paperless-post-e9ec5e09
Brand impersonation: Zoom	Sublime Security	5mo ago Sep 22nd, 2025	Credential Phishing Impersonation: Brand Social engineering Evasion Computer Vision Content analysis HTML analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/brand-impersonation-zoom-5abad540
Brand impersonation: Zoom via HTML styling	Sublime Security	11d ago Feb 27th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis HTML analysis	/feeds/core/detection-rules/brand-impersonation-zoom-via-html-styling-b717920d
Callback phishing: AOL senders with suspicious HTML template or PDF attachment	Sublime Security	1mo ago Jan 12th, 2026	Callback Phishing Free email provider Social engineering Content analysis Header analysis File analysis HTML analysis Exif analysis Sender analysis	/feeds/core/detection-rules/callback-phishing-aol-senders-with-suspicious-html-template-or-pdf-attachment-f6044eed
Canva design with suspicious embedded link	Sublime Security	5mo ago Sep 29th, 2025	Credential Phishing Evasion Social engineering Free file host HTML analysis URL analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/canva-design-with-suspicious-embedded-link-02959e22
Credential phishing: Blue button styled link with file-sharing template artifacts	Sublime Security	15h ago Mar 9th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis HTML analysis URL analysis	/feeds/core/detection-rules/credential-phishing-blue-button-styled-link-with-file-sharing-template-artifacts-370f6c07
Credential phishing: Suspicious e-sign agreement document notification	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Social engineering Content analysis Header analysis HTML analysis URL analysis Sender analysis	/feeds/core/detection-rules/credential-phishing-suspicious-e-sign-agreement-document-notification-9b68c2d8
Credential theft: Gophish abuse with hidden tracking image	Sublime Security	4mo ago Nov 5th, 2025	Spam Evasion Image as content Content analysis HTML analysis	/feeds/core/detection-rules/credential-theft-gophish-abuse-with-hidden-tracking-image-59915ceb
CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Evasion Exploit HTML smuggling Scripting Content analysis HTML analysis Sender analysis	/feeds/core/detection-rules/cve-2023-5631-roundcube-webmail-xss-via-crafted-svg-8405d61b
Fake Zoho Sign template abuse	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion Open redirect Social engineering Content analysis HTML analysis URL analysis	/feeds/core/detection-rules/fake-zoho-sign-template-abuse-785fd0d5
Google presentation open redirect phishing	Sublime Security	2mo ago Dec 11th, 2025	Credential Phishing Evasion Open redirect Social engineering URL analysis HTML analysis	/feeds/core/detection-rules/google-presentation-open-redirect-phishing-5d01ee3a
Google share notification with suspicious comments	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Impersonation: VIP Free file host HTML analysis Header analysis Sender analysis Content analysis	/feeds/core/detection-rules/google-share-notification-with-suspicious-comments-c69c9924
HTML: Bidirectional (BIDI) HTML override with right to left obfuscation	Sublime Security	4mo ago Oct 17th, 2025	BEC/Fraud Credential Phishing Evasion Social engineering Scripting Content analysis HTML analysis	/feeds/core/detection-rules/html-bidirectional-bidi-html-override-with-right-to-left-obfuscation-f93940d2
HTML smuggling with atob in message body	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware HTML smuggling Content analysis HTML analysis	/feeds/core/detection-rules/html-smuggling-with-atob-in-message-body-0f86851f
Image as content with a link to an open redirect (unsolicited)	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion Image as content Open redirect Social engineering Content analysis HTML analysis URL analysis	/feeds/core/detection-rules/image-as-content-with-a-link-to-an-open-redirect-unsolicited-f5cec36b
Impersonation: Chrome Web Store policy	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Impersonation: Brand Free email provider Lookalike domain Content analysis Header analysis HTML analysis Sender analysis URL analysis	/feeds/core/detection-rules/impersonation-chrome-web-store-policy-4a98f283
Inline image as message with attachment or link	Sublime Security	7mo ago Jul 16th, 2025	Credential Phishing Evasion Image as content Content analysis HTML analysis URL analysis	/feeds/core/detection-rules/inline-image-as-message-with-attachment-or-link-823d7107
Link: Abused Adobe Express	Sublime Security	7mo ago Jul 23rd, 2025	Credential Phishing Evasion Free subdomain host Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-abused-adobe-express-c7d17bfd
Link: Apple App Store link to apps impersonating AI adveristing	Sublime Security	5d ago Mar 5th, 2026	Credential Phishing Impersonation: Brand Content analysis URL analysis HTML analysis	/feeds/core/detection-rules/link-apple-app-store-link-to-apps-impersonating-ai-adveristing-19b556e6
Link: chatbot.page platform abuse	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Social engineering Out of band pivot URL analysis Natural Language Understanding Content analysis HTML analysis Javascript analysis URL screenshot	/feeds/core/detection-rules/link-chatbotpage-platform-abuse-bfd6a076
Link: Common hidden directory observed	Sublime Security	1mo ago Feb 3rd, 2026	Credential Phishing Evasion URL analysis HTML analysis	/feeds/core/detection-rules/link-common-hidden-directory-observed-9f316da6
Link: Credential theft with invisible Unicode character in page title from unsolicited sender	Sublime Security	25d ago Feb 13th, 2026	Credential Phishing Evasion Social engineering Natural Language Understanding Content analysis HTML analysis URL analysis URL screenshot	/feeds/core/detection-rules/link-credential-theft-with-invisible-unicode-character-in-page-title-from-unsolicited-sender-5fe14d53
Link: File sharing pretext with suspicious body and link	Sublime Security	5mo ago Oct 10th, 2025	Credential Phishing Social engineering Evasion Natural Language Understanding Content analysis URL analysis HTML analysis	/feeds/core/detection-rules/link-file-sharing-pretext-with-suspicious-body-and-link-c5718a8e
Link: Multistage landing - Abused Adobe frame.io	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Evasion Free file host Content analysis Whois Computer Vision URL analysis HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-adobe-frameio-a6c457c5
Link: Multistage landing - Abused Docusign	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Evasion Free subdomain host Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-docusign-4189a645
Link: Multistage landing - Abused Google Drive	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Evasion Free email provider Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-google-drive-c86288b4
Link: Multistage landing - JotForm abuse	Sublime Security	3mo ago Dec 1st, 2025	Credential Phishing Evasion Social engineering Content analysis HTML analysis Javascript analysis URL analysis	/feeds/core/detection-rules/link-multistage-landing-jotform-abuse-5b64326f
Link: Multistage landing - Microsoft Forms abuse	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering HTML analysis URL analysis Content analysis	/feeds/core/detection-rules/link-multistage-landing-microsoft-forms-abuse-85a2cd12
Link: Multistage landing - Scribd document	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering Impersonation: Brand Free file host URL analysis HTML analysis Natural Language Understanding Computer Vision Optical Character Recognition URL screenshot	/feeds/core/detection-rules/link-multistage-landing-scribd-document-afa9807d
Link: Suspicious Sharepoint folder share	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Free file host Evasion HTML analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-suspicious-sharepoint-folder-share-6168a08c
Link: Tycoon2FA phishing kit (non-exhaustive)	Sublime Security	1mo ago Jan 23rd, 2026	Credential Phishing Free subdomain host Evasion Credential Phishing URL analysis HTML analysis Content analysis	/feeds/core/detection-rules/link-tycoon2fa-phishing-kit-non-exhaustive-a070d4e2
Link: Uncommon SharePoint document type with sender's display name	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Social engineering OneNote PDF Content analysis Header analysis HTML analysis URL analysis	/feeds/core/detection-rules/link-uncommon-sharepoint-document-type-with-senders-display-name-02d290b2
Link: URL scheme obfuscation via split HTML anchors	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing BEC/Fraud Evasion HTML injection Social engineering Content analysis HTML analysis URL analysis	/feeds/core/detection-rules/link-url-scheme-obfuscation-via-split-html-anchors-10375948
Low reputation link to auto-downloaded HTML file with smuggling indicators	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion Free file host Free subdomain host HTML smuggling Impersonation: Brand Open redirect Social engineering Content analysis File analysis HTML analysis Javascript analysis Sender analysis URL analysis	/feeds/core/detection-rules/low-reputation-link-to-auto-downloaded-html-file-with-smuggling-indicators-339676c6
Open redirect: Shibboleth SSO Logout Return Parameter	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Open redirect Evasion HTML analysis URL analysis Sender analysis	/feeds/core/detection-rules/open-redirect-shibboleth-sso-logout-return-parameter-374b7517
Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag	Sublime Security	2mo ago Dec 10th, 2025	Credential Phishing Evasion Exploit Content analysis HTML analysis URL analysis	/feeds/core/detection-rules/outlook-hyperlink-bypass-left-to-right-mark-lrm-in-base-html-tag-160cc681
Potential prompt injection attack in body HTML	Sublime Security	1mo ago Jan 12th, 2026	Callback Phishing Credential Phishing Extortion Malware/Ransomware Spam BEC/Fraud Evasion Social engineering Header analysis HTML analysis Content analysis	/feeds/core/detection-rules/potential-prompt-injection-attack-in-body-html-5fb24736
Request for Quote or Purchase (RFQ\|RFP) with HTML smuggling attachment	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion Content analysis File analysis HTML analysis Javascript analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-html-smuggling-attachment-a47a5755
Service abuse: Adobe Creative Cloud share from an unsolicited sender address	Sublime Security	4mo ago Oct 22nd, 2025	Credential Phishing Social engineering Free file host Evasion HTML analysis Sender analysis Header analysis	/feeds/core/detection-rules/service-abuse-adobe-creative-cloud-share-from-an-unsolicited-sender-address-47e42ca1
Service abuse: Apple TestFlight with suspicious developer reference	Sublime Security	1mo ago Feb 6th, 2026	Spam Social engineering Content analysis HTML analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/service-abuse-apple-testflight-with-suspicious-developer-reference-e7ea0ee0
Service abuse: HelloSign from an unsolicited sender address	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Social engineering Free file host Evasion HTML analysis Sender analysis Header analysis	/feeds/core/detection-rules/service-abuse-hellosign-from-an-unsolicited-sender-address-68ca0753
Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail	Sublime Security	6d ago Mar 4th, 2026	BEC/Fraud Evasion Sender analysis HTML analysis Content analysis	/feeds/core/detection-rules/service-abuse-hungerrush-domain-with-sendgrid-tracking-targeting-protonmail-73f62e74
Service abuse: Random Google Firebase sender address with suspicious content	Sublime Security	1mo ago Jan 12th, 2026	Spam Credential Phishing Free subdomain host Social engineering Content analysis Header analysis HTML analysis Natural Language Understanding Sender analysis URL analysis Whois	/feeds/core/detection-rules/service-abuse-random-google-firebase-sender-address-with-suspicious-content-9f8899a9
Service abuse: Suspicious Zoom Docs link	Sublime Security	3mo ago Dec 2nd, 2025	Credential Phishing Social engineering Free file host Evasion HTML analysis Sender analysis Header analysis	/feeds/core/detection-rules/service-abuse-suspicious-zoom-docs-link-064b2594
Service abuse: Trello board invitation with VIP impersonation	Sublime Security	1mo ago Feb 3rd, 2026	Credential Phishing Impersonation: VIP Social engineering Content analysis Header analysis HTML analysis Sender analysis	/feeds/core/detection-rules/service-abuse-trello-board-invitation-with-vip-impersonation-fedfc94b
Sharepoint link likely unrelated to sender	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Credential Phishing Impersonation: Employee Lookalike domain OneNote PDF Social engineering URL analysis Sender analysis Header analysis HTML analysis	/feeds/core/detection-rules/sharepoint-link-likely-unrelated-to-sender-6870f489
Spam: Commonly observed formatting of unauthorized free giveaways	Sublime Security	1mo ago Jan 14th, 2026	Spam Impersonation: Brand Social engineering Content analysis HTML analysis Sender analysis URL analysis	/feeds/core/detection-rules/spam-commonly-observed-formatting-of-unauthorized-free-giveaways-8bc49fa3

104 Rules

Page 2 of 3