Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Jan 23rd, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Advance Fee Fraud (AFF) from freemail provider or suspicious TLD	Sublime Security	2mo ago Nov 3rd, 2025	BEC/Fraud Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/advance-fee-fraud-aff-from-freemail-provider-or-suspicious-tld-6a5af373
AnonymousFox indicators	Sublime Security	5mo ago Aug 5th, 2025	BEC/Fraud Credential Phishing Malware/Ransomware Header analysis Sender analysis	/feeds/core/detection-rules/anonymousfox-indicators-2506206e
Attachment: Any .sap file (unsolicited)	Sublime Security	2mo ago Oct 27th, 2025	Malware/Ransomware Evasion Scripting File analysis Header analysis Sender analysis	/feeds/core/detection-rules/attachment-any-sap-file-unsolicited-220ed3de
Attachment: Callback phishing solicitation via text-based file	Sublime Security	4mo ago Sep 22nd, 2025	Callback Phishing Evasion Out of band pivot Social engineering Content analysis File analysis Header analysis Sender analysis	/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-text-based-file-ca39c83a
Attachment: Compensation review lure with QR code	Sublime Security	1mo ago Dec 10th, 2025	Credential Phishing PDF QR code Social engineering File analysis Optical Character Recognition QR code analysis Natural Language Understanding Sender analysis Header analysis	/feeds/core/detection-rules/attachment-compensation-review-lure-with-qr-code-9fd8185c
Attachment: DocuSign impersonation via PDF linking to new domain	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand PDF Social engineering Header analysis Sender analysis URL analysis File analysis Computer Vision Whois	/feeds/core/detection-rules/attachment-docusign-impersonation-via-pdf-linking-to-new-domain-f0c96282
Attachment: Dropbox image lure with no Dropbox domains in links	Sublime Security	6mo ago Jul 16th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-dropbox-image-lure-with-no-dropbox-domains-in-links-500eee2d
Attachment: EML file contains HTML attachment with login portal indicators	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion HTML smuggling Content analysis File analysis Header analysis HTML analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-file-contains-html-attachment-with-login-portal-indicators-6e4df158
Attachment: EML file with HTML attachment (unsolicited)	Sublime Security	5mo ago Aug 20th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Content analysis File analysis Header analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-file-with-html-attachment-unsolicited-c24fd191
Attachment: EML with link to credential phishing page	Sublime Security	6mo ago Jul 16th, 2025	Credential Phishing Evasion Free file host Free subdomain host Social engineering Computer Vision Content analysis File analysis Header analysis HTML analysis Natural Language Understanding Optical Character Recognition URL analysis URL screenshot	/feeds/core/detection-rules/attachment-eml-with-link-to-credential-phishing-page-1df41cca
Attachment: EML with Sharepoint link likely unrelated to sender	Sublime Security	4mo ago Sep 23rd, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Evasion File analysis URL analysis Header analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-with-sharepoint-link-likely-unrelated-to-sender-0a4fd31b
Attachment: Fake secure message and suspicious indicators	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Image as content Impersonation: Brand Social engineering Content analysis File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-fake-secure-message-and-suspicious-indicators-20a34d94
Attachment: HTML smuggling Microsoft sign in	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Free subdomain host HTML smuggling Impersonation: Brand Social engineering Archive analysis Content analysis File analysis Header analysis Javascript analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-html-smuggling-microsoft-sign-in-878d6385
Attachment: HTML smuggling - QR Code with suspicious links	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing QR code Computer Vision Header analysis Natural Language Understanding QR code analysis Sender analysis URL analysis URL screenshot	/feeds/core/detection-rules/attachment-html-smuggling-qr-code-with-suspicious-links-010e757d
Attachment: ICS calendar with embedded file from internal sender with SPF failure	Sublime Security	3mo ago Oct 22nd, 2025	Credential Phishing Spoofing Evasion File analysis Header analysis Sender analysis	/feeds/core/detection-rules/attachment-ics-calendar-with-embedded-file-from-internal-sender-with-spf-failure-d9ce9db8
Attachment: Legal themed message or PDF with suspicious indicators	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Extortion BEC/Fraud Evasion PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition URL analysis Whois Header analysis Exif analysis	/feeds/core/detection-rules/attachment-legal-themed-message-or-pdf-with-suspicious-indicators-19133301
Attachment: Microsoft 365 credential phishing	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-microsoft-365-credential-phishing-edce0229
Attachment: Microsoft impersonation via PDF with link and suspicious language	Sublime Security	6mo ago Jul 16th, 2025	Credential Phishing Malware/Ransomware Image as content Impersonation: Brand PDF Scripting Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-microsoft-impersonation-via-pdf-with-link-and-suspicious-language-70d41c7f
Attachment: QR code with credential phishing indicators	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing QR code Social engineering Computer Vision Header analysis Natural Language Understanding QR code analysis Sender analysis URL analysis URL screenshot	/feeds/core/detection-rules/attachment-qr-code-with-credential-phishing-indicators-9f1681e1
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender	Sublime Security	2mo ago Nov 4th, 2025	Credential Phishing Evasion Social engineering File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-rfc822-containing-suspicious-file-sharing-language-with-links-from-untrusted-sender-d96854d7
Attachment: USDA bid invitation impersonation	Sublime Security	5mo ago Aug 5th, 2025	BEC/Fraud Impersonation: Brand PDF Macros Social engineering Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493
Attachment with auto-executing macro (unsolicited)	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Macros Archive analysis Header analysis File analysis Macro analysis OLE analysis Sender analysis	/feeds/core/detection-rules/attachment-with-auto-executing-macro-unsolicited-af6624c3
BEC/Fraud: Generic scam attempt to undisclosed recipients	Sublime Security	11d ago Jan 12th, 2026	BEC/Fraud Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/becfraud-generic-scam-attempt-to-undisclosed-recipients-5dac401f
BEC/Fraud: Penpal scam	Sublime Security	5mo ago Aug 5th, 2025	BEC/Fraud Free email provider Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/becfraud-penpal-scam-a4bdfa17
BEC/Fraud: Romance scam	Sublime Security	1d ago Jan 22nd, 2026	BEC/Fraud Free email provider Social engineering Content analysis Header analysis	/feeds/core/detection-rules/becfraud-romance-scam-0243cdaa
BEC/Fraud: Scam lure with freemail pivot	Sublime Security	5mo ago Aug 5th, 2025	BEC/Fraud Free email provider Out of band pivot Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/becfraud-scam-lure-with-freemail-pivot-898c769f
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns	Sublime Security	11d ago Jan 12th, 2026	BEC/Fraud Callback Phishing Spam Impersonation: Brand Social engineering Free email provider Content analysis Header analysis Sender analysis Whois	/feeds/core/detection-rules/becfraud-urgent-language-and-suspicious-sendinginfrastructure-patterns-ba8a79e0
BEC with unusual reply-to or return-path mismatch	Sublime Security	5mo ago Aug 5th, 2025	BEC/Fraud Evasion Free email provider Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/bec-with-unusual-reply-to-or-return-path-mismatch-83e5e2df
Benefits enrollment impersonation	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion Impersonation: Employee Out of band pivot Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/benefits-enrollment-impersonation-5a6eb5a8
Body: Embedded email headers indicative of thread hijacking/abuse	Sublime Security	1mo ago Dec 1st, 2025	Credential Phishing BEC/Fraud Spam Evasion Social engineering Spoofing Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/body-embedded-email-headers-indicative-of-thread-hijackingabuse-6e8eeebb
Body HTML: Recipient SLD in HTML class	Sublime Security	4mo ago Sep 23rd, 2025	Credential Phishing Evasion Social engineering HTML analysis Header analysis Sender analysis	/feeds/core/detection-rules/body-html-recipient-sld-in-html-class-d395e41d
Brand impersonation: AARP	Sublime Security	1mo ago Dec 1st, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-aarp-561a7f87
Brand impersonation: Adobe (QR code)	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand PDF QR code Computer Vision Header analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-adobe-qr-code-2fc36c6d
Brand impersonation: Adobe Sign with suspicious indicators	Sublime Security	15d ago Jan 8th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis HTML analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-adobe-sign-with-suspicious-indicators-704d143a
Brand impersonation: Adobe with suspicious language and link	Sublime Security	2mo ago Nov 24th, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-adobe-with-suspicious-language-and-link-32cc8bf1
Brand impersonation: ADP	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-adp-bb9cf46b
Brand impersonation: AliExpress	Sublime Security	5mo ago Aug 5th, 2025	Callback Phishing Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-aliexpress-b14703d8
Brand impersonation: Amazon	Sublime Security	2mo ago Nov 4th, 2025	Credential Phishing Impersonation: Brand Social engineering Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-amazon-13fc967d
Brand impersonation: Amazon Web Services (AWS)	Sublime Security	3mo ago Oct 10th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis Optical Character Recognition Sender analysis Natural Language Understanding	/feeds/core/detection-rules/brand-impersonation-amazon-web-services-aws-31de94e0
Brand impersonation: Amazon with suspicious attachment	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-amazon-with-suspicious-attachment-5751dcb9
Brand impersonation: American Express (AMEX)	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-american-express-amex-992a9fa9
Brand impersonation: Apple	Sublime Security	3y ago Aug 21st, 2023	Credential Phishing Impersonation: Brand Social engineering Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-apple-0b17f2c2
Brand impersonation: Aquent	Sublime Security	3mo ago Oct 9th, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-aquent-5074459c
Brand impersonation: Aramco	Sublime Security	2mo ago Nov 20th, 2025	BEC/Fraud Impersonation: Brand Lookalike domain Social engineering Content analysis Header analysis HTML analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/brand-impersonation-aramco-96e87699
Brand impersonation: AuthentiSign	Sublime Security	2d ago Jan 21st, 2026	Credential Phishing BEC/Fraud Impersonation: Brand Lookalike domain Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-authentisign-445a8c8b
Brand impersonation: Bank of America	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-bank-of-america-d2fc6ea1
Brand impersonation: Barracuda Networks	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-barracuda-networks-583fd5eb
Brand impersonation: Binance	Sublime Security	4mo ago Sep 3rd, 2025	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Content analysis Header analysis HTML analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/brand-impersonation-binance-c3302a76
Brand impersonation: Blockchain[.]com	Sublime Security	2d ago Jan 21st, 2026	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-blockchaincom-0d85e555
Brand impersonation: Booking.com	Sublime Security	2mo ago Nov 3rd, 2025	Credential Phishing Impersonation: Brand Social engineering Natural Language Understanding Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-bookingcom-d1d8882f

336 Rules

Page 1 of 7