Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Apr 24th, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Hardbacon infrastructure abuse	Sublime Security	2y ago Dec 20th, 2024	Credential Phishing Evasion Impersonation: Brand Social engineering Header analysis Sender analysis
Headers: Fake in-reply-to with wildcard sender and missing thread context	Sublime Security	3mo ago Jan 23rd, 2026	BEC/Fraud Credential Phishing Evasion Social engineering Spoofing Header analysis Sender analysis Content analysis
Headers: Invalid recipient domain with mismatched reply-to from new sender	Sublime Security	5mo ago Nov 21st, 2025	BEC/Fraud Credential Phishing Spam Evasion Social engineering Header analysis Sender analysis
Headers: iOS/iPadOS mailer with invalid build number	Sublime Security	3y ago Aug 17th, 2023	BEC/Fraud Credential Phishing Malware/Ransomware Evasion Header analysis
Headers: Outlook Express mailer	Sublime Security	5mo ago Nov 6th, 2025	BEC/Fraud Credential Phishing Malware/Ransomware Evasion Spoofing Header analysis
Headers: risky-recover-production message ID	Sublime Security	1mo ago Feb 26th, 2026	Spam Evasion Header analysis
Headers: Self-sender using Microsoft CompAuth bypass with credential theft content	Sublime Security	4d ago Apr 21st, 2026	Credential Phishing Spoofing Evasion Natural Language Understanding Header analysis Sender analysis
Headers: System account impersonation with empty sender address	Sublime Security	3mo ago Jan 12th, 2026	BEC/Fraud Credential Phishing Impersonation: Employee Social engineering Spoofing Header analysis Sender analysis Natural Language Understanding
Headers: Zimbra mailer from a non-supported OS version	Sublime Security	3y ago Aug 17th, 2023	Header analysis
Honorific greeting BEC attempt with sender and reply-to mismatch	Sublime Security	3mo ago Jan 12th, 2026	BEC/Fraud Free email provider Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis
HR impersonation via e-sign agreement comment	Sublime Security	3mo ago Jan 12th, 2026	BEC/Fraud Credential Phishing Evasion Impersonation: Brand Out of band pivot Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis
Impersonation: Chrome Web Store policy	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Impersonation: Brand Free email provider Lookalike domain Content analysis Header analysis HTML analysis Sender analysis URL analysis
Impersonation: Executive using numbered local part	Sublime Security	2mo ago Jan 30th, 2026	BEC/Fraud Free email provider Impersonation: VIP Social engineering Header analysis Sender analysis
Impersonation: Human Resources with link or attachment and engaging language	Sublime Security	9mo ago Jul 16th, 2025	BEC/Fraud Credential Phishing Impersonation: Employee Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis
Impersonation: Internal corporate services	Sublime Security	2mo ago Jan 28th, 2026	Credential Phishing Impersonation: Employee Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis
Impersonation: Legal firm with copyright infringement notice	Sublime Security	1mo ago Mar 10th, 2026	BEC/Fraud Extortion Impersonation: Brand Social engineering Content analysis Header analysis Sender analysis
Impersonation: SharePoint reply header anomaly	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Social engineering Impersonation: Brand Evasion Spoofing Header analysis Content analysis Sender analysis
Impersonation: Suspected supplier impersonation with suspicious content	Sublime Security	1y ago Feb 3rd, 2025	BEC/Fraud Evasion Free email provider Lookalike domain Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis Whois
Impersonation using recipient domain (untrusted sender)	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Social engineering Header analysis Sender analysis
Inbound message from popular service via newly observed distribution list	Sublime Security	8mo ago Aug 5th, 2025	Callback Phishing Evasion Social engineering Header analysis Sender analysis
Invoicera infrastructure abuse	Sublime Security	2y ago Mar 7th, 2024	Credential Phishing Spam Free file host Free subdomain host Image as content Social engineering Content analysis Header analysis Sender analysis
Job scam (unsolicited sender)	Sublime Security	5mo ago Nov 3rd, 2025	BEC/Fraud Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis
Job scam with specific salary pattern	Sublime Security	3mo ago Jan 21st, 2026	BEC/Fraud Social engineering Content analysis Natural Language Understanding Header analysis Sender analysis
Link abuse: Self-service creation platform link with suspicious recipient behavior	Sublime Security	4mo ago Dec 2nd, 2025	BEC/Fraud Credential Phishing Spam Free email provider Social engineering Header analysis Sender analysis URL analysis
Link: Base64 encoded recipient address in URL fragment with subject hash	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Encryption Evasion Social engineering Content analysis URL analysis Header analysis
Link: Credential phishing link with undisclosed recipients	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Evasion Computer Vision Header analysis URL screenshot
Link: Credential phishing traversing Russian infrastructure	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Social engineering Content analysis Header analysis Natural Language Understanding URL analysis
Link: Credential phishing via WordPress	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Social engineering Free subdomain host URL analysis Header analysis Computer Vision
Link: Cryptocurrency fraud with suspicious links	Sublime Security	4mo ago Dec 1st, 2025	BEC/Fraud Social engineering Evasion Free subdomain host Scripting Content analysis Header analysis Javascript analysis Natural Language Understanding Sender analysis URL analysis URL screenshot Whois
Link: Direct link to riddle.com hosted showcase	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Free file host Sender analysis URL analysis Header analysis
Link: Direct link to Zoom Docs from non-Zoom sender	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Social engineering Impersonation: Brand Header analysis URL analysis Sender analysis
Link: Display text matches subject line	Sublime Security	5mo ago Nov 14th, 2025	BEC/Fraud Credential Phishing Social engineering Evasion Header analysis Content analysis Natural Language Understanding URL analysis
Link: Executable file download with suspicious message content	Sublime Security	6mo ago Oct 16th, 2025	Credential Phishing Malware/Ransomware Evasion Social engineering Content analysis Natural Language Understanding Sender analysis URL analysis Header analysis
Link: File sharing impersonation with suspicious language and sending patterns	Sublime Security	5mo ago Oct 31st, 2025	BEC/Fraud Credential Phishing Social engineering Free subdomain host Impersonation: Brand Natural Language Understanding URL analysis Sender analysis Header analysis Content analysis
Link: Free file hosting with undisclosed recipients	Sublime Security	1mo ago Mar 19th, 2026	Credential Phishing Malware/Ransomware Free file host Free subdomain host Evasion Header analysis URL analysis Sender analysis Natural Language Understanding
Link: Free subdomain host with undisclosed recipients	Sublime Security	3mo ago Jan 12th, 2026	Free subdomain host Header analysis URL analysis
Link: Intuit link abuse with file share context	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering URL analysis Natural Language Understanding Content analysis Header analysis
Link: Microsoft protected message with matching sender and recipient addresses	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering Content analysis File analysis Header analysis Sender analysis URL analysis
Link: Multistage landing - Abused Adobe Acrobat hosted PDF	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision Optical Character Recognition URL analysis Header analysis Sender analysis
Link: Multistage landing - Ludus presentation	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Evasion Social engineering Impersonation: Brand Header analysis URL analysis Computer Vision URL screenshot Natural Language Understanding Optical Character Recognition Sender analysis
Link: .onion From Unsolicited Sender	Sublime Security	8mo ago Jul 30th, 2025	Malware/Ransomware Credential Phishing Evasion Social engineering URL analysis Header analysis Sender analysis
Link: PDF filename impersonation with credential theft language	Sublime Security	2mo ago Feb 12th, 2026	Credential Phishing Social engineering Evasion PDF Content analysis Natural Language Understanding Header analysis Sender analysis URL analysis
Link: Personalized URL with recipient address on commonly abused web service	Sublime Security	24d ago Apr 1st, 2026	Credential Phishing Malware/Ransomware Free file host Social engineering URL analysis Header analysis
Link: Personal SharePoint with invalid recipients and credential theft language	Sublime Security	3mo ago Jan 23rd, 2026	Credential Phishing Social engineering Content analysis Header analysis Natural Language Understanding URL analysis
Link: Recipient domain in URL path	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Lookalike domain Header analysis Sender analysis URL analysis
Link: Referrer anonymization service from untrusted sender	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Open redirect Evasion Header analysis URL analysis Sender analysis
Link: Romance/Sexual Language With Suspicious Link	Sublime Security	8mo ago Aug 22nd, 2025	Spam Social engineering Content analysis Header analysis URL analysis Whois
Link: Self-sender with sender org in subject and credential theft indicator	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Social engineering Evasion Natural Language Understanding Content analysis Sender analysis URL analysis Header analysis
Link: Self-sent message with quarterly document review request	Sublime Security	3mo ago Jan 21st, 2026	BEC/Fraud Credential Phishing Social engineering Evasion Content analysis Header analysis Sender analysis URL analysis
Link: SharePoint OneNote or PDF link with self sender behavior	Sublime Security	1mo ago Feb 27th, 2026	Credential Phishing Evasion Free file host OneNote PDF Header analysis URL analysis Sender analysis

371 Rules

Page 5 of 8