Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Jan 23rd, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Adobe branded PDF file linking to a password-protected file from untrusted sender	Sublime Security	6mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Impersonation: Brand PDF Archive analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/adobe-branded-pdf-file-linking-to-a-password-protected-file-from-untrusted-sender-5ea75469
Advance Fee Fraud (AFF) from freemail provider or suspicious TLD	Sublime Security	2mo ago Nov 3rd, 2025	BEC/Fraud Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/advance-fee-fraud-aff-from-freemail-provider-or-suspicious-tld-6a5af373
AnonymousFox indicators	Sublime Security	5mo ago Aug 5th, 2025	BEC/Fraud Credential Phishing Malware/Ransomware Header analysis Sender analysis	/feeds/core/detection-rules/anonymousfox-indicators-2506206e
Attachment: Adobe image lure in body or attachment with suspicious link	Sublime Security	18d ago Jan 5th, 2026	Credential Phishing Image as content Impersonation: Brand Content analysis Computer Vision Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/attachment-adobe-image-lure-in-body-or-attachment-with-suspicious-link-1d7add81
Attachment: Any HTML file (unsolicited)	Sublime Security	2mo ago Nov 3rd, 2025	HTML smuggling File analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-any-html-file-unsolicited-ef36763f
Attachment: Any HTML file (untrusted sender)	Sublime Security	2mo ago Nov 3rd, 2025	HTML smuggling HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-any-html-file-untrusted-sender-57a8f5c5
Attachment: Any .sap file (unsolicited)	Sublime Security	2mo ago Oct 27th, 2025	Malware/Ransomware Evasion Scripting File analysis Header analysis Sender analysis	/feeds/core/detection-rules/attachment-any-sap-file-unsolicited-220ed3de
Attachment: Callback phishing solicitation via image file	@vector_sec	11d ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Out of band pivot Social engineering Image as content Content analysis Optical Character Recognition Sender analysis URL analysis Computer Vision	/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-image-file-60acbb36
Attachment: Callback phishing solicitation via pdf file	Sublime Security	5mo ago Aug 5th, 2025	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097
Attachment: Callback phishing solicitation via text-based file	Sublime Security	4mo ago Sep 22nd, 2025	Callback Phishing Evasion Out of band pivot Social engineering Content analysis File analysis Header analysis Sender analysis	/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-text-based-file-ca39c83a
Attachment: Compensation review lure with QR code	Sublime Security	1mo ago Dec 10th, 2025	Credential Phishing PDF QR code Social engineering File analysis Optical Character Recognition QR code analysis Natural Language Understanding Sender analysis Header analysis	/feeds/core/detection-rules/attachment-compensation-review-lure-with-qr-code-9fd8185c
Attachment: Decoy PDF author (Julie P.)	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Impersonation: Brand PDF File analysis Content analysis Sender analysis	/feeds/core/detection-rules/attachment-decoy-pdf-author-julie-p-4324213a
Attachment: DocuSign impersonation via PDF linking to new domain	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand PDF Social engineering Header analysis Sender analysis URL analysis File analysis Computer Vision Whois	/feeds/core/detection-rules/attachment-docusign-impersonation-via-pdf-linking-to-new-domain-f0c96282
Attachment: Double base64-encoded zip file in HTML smuggling attachment	@ajpc500	5mo ago Aug 5th, 2025	Malware/Ransomware Credential Phishing Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-double-base64-encoded-zip-file-in-html-smuggling-attachment-61ebb07b
Attachment: Dropbox image lure with no Dropbox domains in links	Sublime Security	6mo ago Jul 16th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-dropbox-image-lure-with-no-dropbox-domains-in-links-500eee2d
Attachment: Embedded Javascript in SVG file	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Scripting Archive analysis File analysis Sender analysis XML analysis	/feeds/core/detection-rules/attachment-embedded-javascript-in-svg-file-f70293bc
Attachment: Embedded VBScript in MHT file (unsolicited)	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting Archive analysis File analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-embedded-vbscript-in-mht-file-unsolicited-b30353a6
Attachment: EML containing a base64 encoded script	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion HTML smuggling Scripting Social engineering File analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-containing-a-base64-encoded-script-fc3d9445
Attachment: EML file contains HTML attachment with login portal indicators	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion HTML smuggling Content analysis File analysis Header analysis HTML analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-file-contains-html-attachment-with-login-portal-indicators-6e4df158
Attachment: EML file with HTML attachment (unsolicited)	Sublime Security	5mo ago Aug 20th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Content analysis File analysis Header analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-file-with-html-attachment-unsolicited-c24fd191
Attachment: EML with embedded Javascript in SVG file	Sublime Security	5mo ago Aug 8th, 2025	Credential Phishing Malware/Ransomware Scripting Evasion File analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-with-embedded-javascript-in-svg-file-dfafb78f
Attachment: EML with Sharepoint link likely unrelated to sender	Sublime Security	4mo ago Sep 23rd, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Evasion File analysis URL analysis Header analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-with-sharepoint-link-likely-unrelated-to-sender-0a4fd31b
Attachment: Emotet heavily padded doc in zip file	Sublime Security	6mo ago Jul 16th, 2025	Malware/Ransomware Evasion Archive analysis Content analysis Exif analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-emotet-heavily-padded-doc-in-zip-file-9a5332ed
Attachment: Encrypted Microsoft Office file (unsolicited)	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Encryption Macros Scripting Archive analysis File analysis OLE analysis Sender analysis	/feeds/core/detection-rules/attachment-encrypted-microsoft-office-file-unsolicited-1e47e953
Attachment: Encrypted PDF with credential theft body	Sublime Security	1mo ago Dec 1st, 2025	Credential Phishing Encryption Evasion PDF Social engineering Content analysis Exif analysis File analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a
Attachment: Fake scan-to-email	Sublime Security	4mo ago Sep 22nd, 2025	Credential Phishing Free file host Image as content PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-fake-scan-to-email-ea850cc1
Attachment: Fake secure message and suspicious indicators	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Image as content Impersonation: Brand Social engineering Content analysis File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-fake-secure-message-and-suspicious-indicators-20a34d94
Attachment: File execution via Javascript	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting Archive analysis File analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-file-execution-via-javascript-627ae0b1
Attachment: HTML attachment with login portal indicators	@ajpc500	11d ago Jan 12th, 2026	Credential Phishing HTML smuggling Scripting Archive analysis File analysis HTML analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-html-attachment-with-login-portal-indicators-3aabf4a7
Attachment: HTML smuggling Microsoft sign in	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Free subdomain host HTML smuggling Impersonation: Brand Social engineering Archive analysis Content analysis File analysis Header analysis Javascript analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-html-smuggling-microsoft-sign-in-878d6385
Attachment: HTML smuggling - QR Code with suspicious links	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing QR code Computer Vision Header analysis Natural Language Understanding QR code analysis Sender analysis URL analysis URL screenshot	/feeds/core/detection-rules/attachment-html-smuggling-qr-code-with-suspicious-links-010e757d
Attachment: HTML smuggling with atob and high entropy	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Malware/Ransomware HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-03fcac11
Attachment: HTML smuggling with atob and high entropy via calendar invite	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting File analysis HTML analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-via-calendar-invite-94d84614
Attachment: HTML smuggling with auto-downloaded file	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Malware/Ransomware HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-auto-downloaded-file-abf724f5
Attachment: HTML smuggling with embedded base64-encoded ISO	Sublime Security	3y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling ISO Archive analysis Content analysis File analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-encoded-iso-294ecd2d
Attachment: HTML with emoji-to-character map	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Evasion HTML smuggling Impersonation: Brand Scripting Social engineering File analysis HTML analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-html-with-emoji-to-character-map-3119d086
Attachment: ICS calendar with embedded file from internal sender with SPF failure	Sublime Security	3mo ago Oct 22nd, 2025	Credential Phishing Spoofing Evasion File analysis Header analysis Sender analysis	/feeds/core/detection-rules/attachment-ics-calendar-with-embedded-file-from-internal-sender-with-spf-failure-d9ce9db8
Attachment: Microsoft 365 credential phishing	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-microsoft-365-credential-phishing-edce0229
Attachment: Microsoft impersonation via PDF with link and suspicious language	Sublime Security	6mo ago Jul 16th, 2025	Credential Phishing Malware/Ransomware Image as content Impersonation: Brand PDF Scripting Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-microsoft-impersonation-via-pdf-with-link-and-suspicious-language-70d41c7f
Attachment: Office document with VSTO add-in	@vector_sec	11d ago Jan 12th, 2026	Malware/Ransomware Scripting Archive analysis Content analysis Exif analysis File analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-office-document-with-vsto-add-in-27afa730
Attachment: OLE external relationship containing file scheme link to executable filetype	Sublime Security	2mo ago Nov 24th, 2025	Malware/Ransomware Evasion Archive analysis Content analysis OLE analysis Sender analysis	/feeds/core/detection-rules/attachment-ole-external-relationship-containing-file-scheme-link-to-executable-filetype-33bf6fd4
Attachment: OLE external relationship containing file scheme link to IP address	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Evasion Archive analysis Content analysis OLE analysis Sender analysis	/feeds/core/detection-rules/attachment-ole-external-relationship-containing-file-scheme-link-to-ip-address-3aab998c
Attachment: PDF file with link to fake Bitcoin exchange	Sublime Security	11d ago Jan 12th, 2026	BEC/Fraud Free email provider Impersonation: Brand PDF Social engineering Exif analysis File analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-file-with-link-to-fake-bitcoin-exchange-47601cb7
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)	Sublime Security	11d ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-links-to-suspicious-filetypes-unsolicited-6144f880
Attachment: PDF file with low reputation link to ZIP file (unsolicited)	Michael Tingle	11d ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis File analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-link-to-zip-file-unsolicited-d1ee2859
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Free subdomain host PDF Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-with-credential-theft-language-and-link-to-a-free-subdomain-unsolicited-90f4ef4e
Attachment: QR code link with base64-encoded recipient address	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing QR code Image as content Social engineering Evasion PDF Macros Computer Vision File analysis Natural Language Understanding QR code analysis Sender analysis	/feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a
Attachment: QR code with credential phishing indicators	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing QR code Social engineering Computer Vision Header analysis Natural Language Understanding QR code analysis Sender analysis URL analysis URL screenshot	/feeds/core/detection-rules/attachment-qr-code-with-credential-phishing-indicators-9f1681e1
Attachment: QR code with userinfo portion	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion Image as content PDF QR code QR code analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-qr-code-with-userinfo-portion-9d62cc5c
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender	Sublime Security	2mo ago Nov 4th, 2025	Credential Phishing Evasion Social engineering File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-rfc822-containing-suspicious-file-sharing-language-with-links-from-untrusted-sender-d96854d7

594 Rules

Page 1 of 12