Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Apr 24th, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure	Sublime Security	18d ago Apr 6th, 2026	Credential Phishing Impersonation: Brand Evasion Social engineering URL analysis
Attachment: Adobe image lure in body or attachment with suspicious link	Sublime Security	3mo ago Jan 5th, 2026	Credential Phishing Image as content Impersonation: Brand Content analysis Computer Vision Optical Character Recognition Sender analysis URL analysis
Attachment: Calendar invite with Google redirect and invoice request	Sublime Security	16d ago Apr 8th, 2026	Credential Phishing BEC/Fraud Open redirect Social engineering File analysis Natural Language Understanding URL analysis
Attachment: Calendar invite with suspicious link leading to an open redirect	Sublime Security	9mo ago Jul 16th, 2025	Spam Free email provider Free file host Free subdomain host Open redirect Content analysis URL analysis
Attachment: Callback phishing solicitation via image file	@vector_sec	3mo ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Out of band pivot Social engineering Image as content Content analysis Optical Character Recognition Sender analysis URL analysis Computer Vision
Attachment: DocuSign impersonation via PDF linking to new domain	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand PDF Social engineering Header analysis Sender analysis URL analysis File analysis Computer Vision Whois
Attachment: EML file with IPFS links	Sublime Security	5mo ago Nov 4th, 2025	Credential Phishing Evasion Free file host Free subdomain host IPFS File analysis URL analysis
Attachment: EML with link to credential phishing page	Sublime Security	9mo ago Jul 16th, 2025	Credential Phishing Evasion Free file host Free subdomain host Social engineering Computer Vision Content analysis File analysis Header analysis HTML analysis Natural Language Understanding Optical Character Recognition URL analysis URL screenshot
Attachment: EML with QR code redirecting to Cloudflare challenges	Sublime Security	23d ago Apr 1st, 2026	Credential Phishing Malware/Ransomware Evasion QR code File analysis QR code analysis URL analysis Archive analysis
Attachment: EML with SharePoint files shared from GoDaddy federated tenants	Sublime Security	7mo ago Sep 23rd, 2025	Credential Phishing Evasion Impersonation: Brand Social engineering File analysis URL analysis Content analysis
Attachment: EML with Sharepoint link likely unrelated to sender	Sublime Security	7mo ago Sep 23rd, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Evasion File analysis URL analysis Header analysis Sender analysis
Attachment: Fake Slack installer	Sublime Security	3y ago Nov 29th, 2023	Malware/Ransomware Evasion HTML smuggling Impersonation: Brand Scripting Social engineering Archive analysis Computer Vision File analysis HTML analysis Natural Language Understanding URL analysis
Attachment: Fake voicemail via PDF	Sublime Security	10d ago Apr 14th, 2026	Credential Phishing PDF QR code Social engineering Computer Vision Content analysis File analysis Optical Character Recognition QR code analysis URL analysis
Attachment: Fake Zoom installer	Sublime Security	3y ago Nov 29th, 2023	Malware/Ransomware Evasion HTML smuggling Impersonation: Brand Scripting Social engineering Archive analysis Computer Vision File analysis HTML analysis Natural Language Understanding URL analysis
Attachment: HTML smuggling 'body onload' linking to suspicious destination	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis URL analysis
Attachment: HTML smuggling Microsoft sign in	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Free subdomain host HTML smuggling Impersonation: Brand Social engineering Archive analysis Content analysis File analysis Header analysis Javascript analysis Sender analysis URL analysis
Attachment: HTML smuggling - QR Code with suspicious links	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing QR code Computer Vision Header analysis Natural Language Understanding QR code analysis Sender analysis URL analysis URL screenshot
Attachment: HTML smuggling with atob and high entropy	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis Sender analysis URL analysis
Attachment: HTML smuggling with auto-downloaded file	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis Sender analysis URL analysis
Attachment: ICS calendar file with QR code containing recipient email address	Sublime Security	4d ago Apr 20th, 2026	Credential Phishing QR code Social engineering Evasion File analysis QR code analysis URL analysis Content analysis
Attachment: ICS file with AWS Lambda URL	Sublime Security	23d ago Apr 1st, 2026	Credential Phishing Malware/Ransomware Evasion Free file host Content analysis File analysis URL analysis
Attachment: ICS file with links to newly registered domains	Sublime Security	4d ago Apr 20th, 2026	Credential Phishing Social engineering File analysis URL analysis Whois
Attachment: Legal themed message or PDF with suspicious indicators	Sublime Security	21d ago Apr 3rd, 2026	Credential Phishing Extortion BEC/Fraud Evasion PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition URL analysis Whois Header analysis Exif analysis
Attachment: Link to Doubleclick.net open redirect	Sublime Security	8mo ago Aug 5th, 2025	BEC/Fraud Credential Phishing Evasion Open redirect Social engineering Content analysis File analysis URL analysis
Attachment: Office document loads remote document template	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Archive analysis File analysis URL analysis
Attachment: Office document with VSTO add-in	@vector_sec	3mo ago Jan 12th, 2026	Malware/Ransomware Scripting Archive analysis Content analysis Exif analysis File analysis Sender analysis URL analysis
Attachment: Office file contains OLE relationship to credential phishing page	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering File analysis HTML analysis Natural Language Understanding OLE analysis URL analysis
Attachment: Office file with credential phishing URLs	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering File analysis URL analysis Archive analysis Content analysis
Attachment: PDF bid/proposal lure with credential theft indicators	Sublime Security	28d ago Mar 27th, 2026	BEC/Fraud Credential Phishing PDF Social engineering Free file host Free subdomain host File analysis Content analysis Optical Character Recognition Natural Language Understanding URL analysis Exif analysis
Attachment: PDF file with link to fake Bitcoin exchange	Sublime Security	3mo ago Jan 12th, 2026	BEC/Fraud Free email provider Impersonation: Brand PDF Social engineering Exif analysis File analysis Sender analysis URL analysis
Attachment: PDF file with low reputation link to ZIP file (unsolicited)	Michael Tingle	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis File analysis Natural Language Understanding Sender analysis URL analysis
Attachment: PDF proposal with credential theft indicators	Sublime Security	1mo ago Mar 17th, 2026	Credential Phishing PDF Social engineering Evasion File analysis Natural Language Understanding Optical Character Recognition URL analysis
Attachment: PDF with a suspicious string and single URL	Sublime Security	14d ago Apr 10th, 2026	Credential Phishing PDF Social engineering Evasion Content analysis File analysis URL analysis Exif analysis
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Free subdomain host PDF Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis
Attachment: PDF with link to DMG file download	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis
Attachment: PDF with link to zip containing a wsf file	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis
Attachment: PDF with multistage landing - ClickUp abuse	Sublime Security	1mo ago Feb 27th, 2026	Credential Phishing Evasion Free file host Free subdomain host PDF Social engineering File analysis URL analysis Whois
Attachment: PDF with recipient email in link	Sublime Security	1mo ago Mar 3rd, 2026	Credential Phishing PDF QR code Encryption Social engineering File analysis QR code analysis URL analysis
Attachment: PDF with suspicious language and redirect to suspicious file type	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Credential Phishing Evasion PDF File analysis Natural Language Understanding Optical Character Recognition URL analysis
Attachment: PDF with suspicious link and action-oriented language	Sublime Security	1mo ago Mar 6th, 2026	Credential Phishing PDF Social engineering Evasion File analysis URL analysis Content analysis URL screenshot
Attachment: QR code with credential phishing indicators	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing QR code Social engineering Computer Vision Header analysis Natural Language Understanding QR code analysis Sender analysis URL analysis URL screenshot
Attachment: QR code with encoded recipient targeting and redirect indicators	Sublime Security	2mo ago Jan 30th, 2026	Credential Phishing QR code Evasion Image as content Open redirect Archive analysis File analysis QR code analysis URL analysis
Attachment: QR code with recipient targeting and special characters	Sublime Security	2mo ago Feb 21st, 2026	Credential Phishing QR code Social engineering Evasion File analysis QR code analysis URL analysis Computer Vision
Attachment: QR code with suspicious URL patterns in EML file	Sublime Security	2mo ago Feb 21st, 2026	Credential Phishing QR code Evasion Social engineering Archive analysis File analysis QR code analysis URL analysis
Attachment: RTF file with suspicious link	Sublime Security	9mo ago Jul 23rd, 2025	Credential Phishing Evasion Archive analysis File analysis Sender analysis URL analysis
Attachment: Small text file with link containing recipient email address	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering File analysis URL analysis
Brand impersonation: AliExpress	Sublime Security	8mo ago Aug 5th, 2025	Callback Phishing Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis URL analysis
Brand impersonation: Chase bank with credential phishing indicators	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Natural Language Understanding Sender analysis URL analysis
Brand impersonation: Coinbase with suspicious links	Sublime Security	7mo ago Sep 22nd, 2025	Credential Phishing Evasion Free subdomain host Image as content Impersonation: Brand Computer Vision Content analysis File analysis URL analysis
Brand impersonation: DocuSign	Sublime Security	7d ago Apr 17th, 2026	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Spoofing Header analysis Sender analysis URL analysis

442 Rules

Page 1 of 9