Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Jan 23rd, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Adobe branded PDF file linking to a password-protected file from untrusted sender	Sublime Security	6mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Impersonation: Brand PDF Archive analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/adobe-branded-pdf-file-linking-to-a-password-protected-file-from-untrusted-sender-5ea75469
Attachment: Adobe image lure in body or attachment with suspicious link	Sublime Security	18d ago Jan 5th, 2026	Credential Phishing Image as content Impersonation: Brand Content analysis Computer Vision Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/attachment-adobe-image-lure-in-body-or-attachment-with-suspicious-link-1d7add81
Attachment: Callback phishing solicitation via image file	@vector_sec	11d ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Out of band pivot Social engineering Image as content Content analysis Optical Character Recognition Sender analysis URL analysis Computer Vision	/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-image-file-60acbb36
Attachment: Callback phishing solicitation via pdf file	Sublime Security	5mo ago Aug 5th, 2025	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097
Attachment: Compensation review lure with QR code	Sublime Security	1mo ago Dec 10th, 2025	Credential Phishing PDF QR code Social engineering File analysis Optical Character Recognition QR code analysis Natural Language Understanding Sender analysis Header analysis	/feeds/core/detection-rules/attachment-compensation-review-lure-with-qr-code-9fd8185c
Attachment: Dropbox image lure with no Dropbox domains in links	Sublime Security	6mo ago Jul 16th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-dropbox-image-lure-with-no-dropbox-domains-in-links-500eee2d
Attachment: EML with link to credential phishing page	Sublime Security	6mo ago Jul 16th, 2025	Credential Phishing Evasion Free file host Free subdomain host Social engineering Computer Vision Content analysis File analysis Header analysis HTML analysis Natural Language Understanding Optical Character Recognition URL analysis URL screenshot	/feeds/core/detection-rules/attachment-eml-with-link-to-credential-phishing-page-1df41cca
Attachment: Fake attachment image lure	Sublime Security	4mo ago Sep 22nd, 2025	Credential Phishing Malware/Ransomware Evasion Image as content Social engineering File analysis Natural Language Understanding Optical Character Recognition	/feeds/core/detection-rules/attachment-fake-attachment-image-lure-96b8b285
Attachment: Fake scan-to-email	Sublime Security	4mo ago Sep 22nd, 2025	Credential Phishing Free file host Image as content PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-fake-scan-to-email-ea850cc1
Attachment: Fake voicemail via PDF	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing PDF QR code Social engineering Computer Vision Content analysis File analysis Optical Character Recognition QR code analysis URL analysis	/feeds/core/detection-rules/attachment-fake-voicemail-via-pdf-d3587209
Attachment: Fictitious invoice using LinkedIn's address	Sublime Security	4mo ago Sep 3rd, 2025	BEC/Fraud PDF Social engineering File analysis Optical Character Recognition Natural Language Understanding Content analysis Exif analysis	/feeds/core/detection-rules/attachment-fictitious-invoice-using-linkedins-address-aeee3d9f
Attachment: Invoice and W-9 PDFs with suspicious creators	Sublime Security	2d ago Jan 21st, 2026	BEC/Fraud PDF Social engineering Impersonation: Brand File analysis Optical Character Recognition Exif analysis Content analysis	/feeds/core/detection-rules/attachment-invoice-and-w-9-pdfs-with-suspicious-creators-305d6e32
Attachment: Legal themed message or PDF with suspicious indicators	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Extortion BEC/Fraud Evasion PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition URL analysis Whois Header analysis Exif analysis	/feeds/core/detection-rules/attachment-legal-themed-message-or-pdf-with-suspicious-indicators-19133301
Attachment: Microsoft 365 credential phishing	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-microsoft-365-credential-phishing-edce0229
Attachment: Office file with document sharing and browser instruction lures	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Social engineering Evasion Archive analysis File analysis Macro analysis Optical Character Recognition Content analysis	/feeds/core/detection-rules/attachment-office-file-with-document-sharing-and-browser-instruction-lures-b1250a4b
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Free subdomain host PDF Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-with-credential-theft-language-and-link-to-a-free-subdomain-unsolicited-90f4ef4e
Attachment: PDF with suspicious language and redirect to suspicious file type	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Credential Phishing Evasion PDF File analysis Natural Language Understanding Optical Character Recognition URL analysis	/feeds/core/detection-rules/attachment-pdf-with-suspicious-language-and-redirect-to-suspicious-file-type-adda3c3f
Attachment: RFP/RFQ impersonating government entities	Sublime Security	2y ago Jan 30th, 2024	BEC/Fraud Impersonation: Brand PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-rfprfq-impersonating-government-entities-3b73e3b3
Attachment: Soda PDF producer with encryption themes	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing PDF Social engineering File analysis Optical Character Recognition	/feeds/core/detection-rules/attachment-soda-pdf-producer-with-encryption-themes-af8eeca4
Attachment soliciting user to enable macros	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Macros Archive analysis File analysis Macro analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-soliciting-user-to-enable-macros-e9d75515
Attachment: Suspicious PDF created with headless browser	Sublime Security	4mo ago Sep 17th, 2025	Credential Phishing Evasion PDF Content analysis Exif analysis File analysis Optical Character Recognition	/feeds/core/detection-rules/attachment-suspicious-pdf-created-with-headless-browser-8f3108d7
Attachment: USDA bid invitation impersonation	Sublime Security	5mo ago Aug 5th, 2025	BEC/Fraud Impersonation: Brand PDF Macros Social engineering Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493
Brand impersonation: Amazon Web Services (AWS)	Sublime Security	3mo ago Oct 10th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis Optical Character Recognition Sender analysis Natural Language Understanding	/feeds/core/detection-rules/brand-impersonation-amazon-web-services-aws-31de94e0
Brand impersonation: Amazon with suspicious attachment	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-amazon-with-suspicious-attachment-5751dcb9
Brand impersonation: DocuSign branded attachment lure with no DocuSign links	Sublime Security	3mo ago Oct 22nd, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL screenshot	/feeds/core/detection-rules/brand-impersonation-docusign-branded-attachment-lure-with-no-docusign-links-814a5694
Brand impersonation: DocuSign PDF attachment with suspicious link	Sublime Security	3mo ago Oct 22nd, 2025	Credential Phishing Impersonation: Brand PDF Social engineering File analysis Natural Language Understanding Optical Character Recognition URL analysis	/feeds/core/detection-rules/brand-impersonation-docusign-pdf-attachment-with-suspicious-link-2601cbb7
Brand impersonation: Fake Fax	Sublime Security	2d ago Jan 21st, 2026	Credential Phishing Impersonation: Brand Image as content Free file host Free subdomain host Social engineering Computer Vision Content analysis Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a
Brand impersonation: Google fake sign-in warning	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-google-fake-sign-in-warning-2d998eee
Brand impersonation: Internal Revenue Service	Sublime Security	11d ago Jan 12th, 2026	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Content analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-internal-revenue-service-3c63f8e9
Brand impersonation: Microsoft quarantine release notification in image attachment	Sublime Security	6mo ago Jul 16th, 2025	Credential Phishing Free file host Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-quarantine-release-notification-in-image-attachment-185db6b3
Brand impersonation: Microsoft Teams	Sublime Security	2y ago Dec 3rd, 2024	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-teams-9cd53055
Brand impersonation: Microsoft with low reputation links	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Free file host Image as content Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6
Brand impersonation: SendGrid	Sublime Security	11d ago Jan 12th, 2026	BEC/Fraud Credential Phishing Spam Impersonation: Brand Social engineering Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-sendgrid-d800124f
Brand impersonation: SharePoint PDF attachment with credential theft language	Sublime Security	2mo ago Nov 7th, 2025	Credential Phishing Impersonation: Brand Social engineering PDF Evasion Computer Vision File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis Header analysis Whois	/feeds/core/detection-rules/brand-impersonation-sharepoint-pdf-attachment-with-credential-theft-language-ae3756fa
Brand Impersonation: Shein	Sublime Security	3mo ago Oct 15th, 2025	Credential Phishing Spam Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-shein-b5843f22
Brand impersonation: Square	Sublime Security	3mo ago Oct 16th, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-square-63f9b449
Brand impersonation: TikTok	Sublime Security	2mo ago Oct 30th, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-tiktok-aaacc8b7
Brand impersonation: Toronto-Dominion Bank	Sublime Security	3mo ago Oct 22nd, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-toronto-dominion-bank-2dc16a55
Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old	Sublime Security	3mo ago Oct 17th, 2025	Callback Phishing Impersonation: Brand Out of band pivot Social engineering Header analysis Natural Language Understanding Optical Character Recognition Whois	/feeds/core/detection-rules/callback-phishing-branded-invoice-from-senderreply-to-domain-less-than-30-days-old-e6f4af53
Callback phishing in body or attachment (untrusted sender)	Sublime Security	1d ago Jan 22nd, 2026	Callback Phishing Out of band pivot Social engineering Content analysis File analysis Optical Character Recognition Natural Language Understanding Sender analysis	/feeds/core/detection-rules/callback-phishing-in-body-or-attachment-untrusted-sender-b93c6f94
Callback phishing: Social Security Administration fraud	Sublime Security	11d ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/callback-phishing-social-security-administration-fraud-a9049d52
Callback phishing via e-signature service	Sublime Security	11d ago Jan 12th, 2026	Callback Phishing Free email provider Impersonation: Brand Social engineering Content analysis Computer Vision Header analysis Optical Character Recognition	/feeds/core/detection-rules/callback-phishing-via-e-signature-service-ed37b4fd
Callback phishing via extensionless rfc822 attachment	Sublime Security	11d ago Jan 12th, 2026	Callback Phishing Impersonation: Brand Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/callback-phishing-via-extensionless-rfc822-attachment-197722c4
Callback phishing via Google Group abuse	Sublime Security	6mo ago Jul 16th, 2025	Callback Phishing Free email provider Impersonation: Brand Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/callback-phishing-via-google-group-abuse-199d873b
Callback phishing via Intuit service abuse	Sublime Security	11d ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Optical Character Recognition	/feeds/core/detection-rules/callback-phishing-via-intuit-service-abuse-f2fe1294
Callback phishing via Zoho service abuse	Sublime Security	11d ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Optical Character Recognition	/feeds/core/detection-rules/callback-phishing-via-zoho-service-abuse-61e351ec
Cloud storage impersonation with credential theft indicators	Sublime Security	4mo ago Sep 22nd, 2025	Credential Phishing Free file host Image as content Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/cloud-storage-impersonation-with-credential-theft-indicators-4c20f72c
Commonly abused sender TLD with engaging language	Sublime Security	5mo ago Aug 7th, 2025	Credential Phishing Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/commonly-abused-sender-tld-with-engaging-language-447386dc
Compensation review with QR code in attached EML	Sublime Security	1mo ago Nov 26th, 2025	Credential Phishing QR code Social engineering Computer Vision Content analysis Optical Character Recognition QR code analysis	/feeds/core/detection-rules/compensation-review-with-qr-code-in-attached-eml-98a2f03c
Credential phishing: DocuSign embedded image lure with no DocuSign domains in links	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/credential-phishing-docusign-embedded-image-lure-with-no-docusign-domains-in-links-dfe8715e

70 Rules

Page 1 of 2