Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Mar 27th, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: Calendar invite from recently registered domain	Sublime Security	6mo ago Sep 25th, 2025	Callback Phishing Evasion Social engineering File analysis Whois
Attachment: DocuSign impersonation via PDF linking to new domain	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand PDF Social engineering Header analysis Sender analysis URL analysis File analysis Computer Vision Whois
Attachment: Legal themed message or PDF with suspicious indicators	Sublime Security	1mo ago Feb 5th, 2026	Credential Phishing Extortion BEC/Fraud Evasion PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition URL analysis Whois Header analysis Exif analysis
Attachment: PDF with multistage landing - ClickUp abuse	Sublime Security	1mo ago Feb 27th, 2026	Credential Phishing Evasion Free file host Free subdomain host PDF Social engineering File analysis URL analysis Whois
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns	Sublime Security	2mo ago Jan 12th, 2026	BEC/Fraud Callback Phishing Spam Impersonation: Brand Social engineering Free email provider Content analysis Header analysis Sender analysis Whois
Brand impersonation: Microsoft fake sign-in alert	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Sender analysis Whois
Brand impersonation: SharePoint PDF attachment with credential theft language	Sublime Security	4mo ago Nov 7th, 2025	Credential Phishing Impersonation: Brand Social engineering PDF Evasion Computer Vision File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis Header analysis Whois
Brand impersonation: Silicon Valley Bank	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Sender analysis Whois
Brand impersonation: Stripe notification	Sublime Security	6mo ago Sep 26th, 2025	Credential Phishing Evasion Impersonation: Brand Social engineering Content analysis Header analysis URL analysis Whois
Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old	Sublime Security	5mo ago Oct 17th, 2025	Callback Phishing Impersonation: Brand Out of band pivot Social engineering Header analysis Natural Language Understanding Optical Character Recognition Whois
Fraudulent order confirmation/shipping notification from Chinese sender domain	Sublime Security	2mo ago Jan 12th, 2026	BEC/Fraud Social engineering Content analysis Natural Language Understanding Sender analysis Whois
Generic service abuse from newly registered domain	Sublime Security	7mo ago Aug 5th, 2025	BEC/Fraud Callback Phishing Credential Phishing Evasion Social engineering Header analysis Sender analysis Whois
Impersonation: Suspected supplier impersonation with suspicious content	Sublime Security	1y ago Feb 3rd, 2025	BEC/Fraud Evasion Free email provider Lookalike domain Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis Whois
Link: Abused Adobe Express	Sublime Security	8mo ago Jul 23rd, 2025	Credential Phishing Evasion Free subdomain host Free file host Content analysis Sender analysis URL analysis Whois HTML analysis
Link: Commonly Abused Web Service redirecting to ZIP file	Sublime Security	20d ago Mar 10th, 2026	Malware/Ransomware Free file host Free subdomain host Open redirect Evasion URL analysis Whois Archive analysis
Link: Cryptocurrency fraud with suspicious links	Sublime Security	3mo ago Dec 1st, 2025	BEC/Fraud Social engineering Evasion Free subdomain host Scripting Content analysis Header analysis Javascript analysis Natural Language Understanding Sender analysis URL analysis URL screenshot Whois
Link: Financial account issue with suspicious indicators	Sublime Security	6d ago Mar 24th, 2026	Credential Phishing Free file host Free subdomain host Social engineering Content analysis Natural Language Understanding URL analysis Whois
Link: Google Firebase dynamic link that redirects to new domain (<7 days old)	@ajpc500	2mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion URL analysis Whois
Link: Multistage landing - Abused Adobe frame.io	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Evasion Free file host Content analysis Whois Computer Vision URL analysis HTML analysis
Link: Multistage landing - Abused Docusign	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Evasion Free subdomain host Free file host Content analysis Sender analysis URL analysis Whois HTML analysis
Link: Multistage landing - Abused Google Drive	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Evasion Free email provider Free file host Content analysis Sender analysis URL analysis Whois HTML analysis
Link: Multistage landing - ClickUp abuse	Sublime Security	1mo ago Feb 27th, 2026	Credential Phishing Malware/Ransomware Evasion Free file host Free subdomain host Open redirect URL analysis Whois Content analysis
Link: Multistage landing - Published Google Doc	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Free file host Social engineering Natural Language Understanding URL analysis Whois
Link: Romance/Sexual Language With Suspicious Link	Sublime Security	7mo ago Aug 22nd, 2025	Spam Social engineering Content analysis Header analysis URL analysis Whois
New link domain (<=10d) from untrusted sender	Sublime Security	1mo ago Feb 6th, 2026	Credential Phishing Malware/Ransomware Sender analysis URL analysis Whois
Newly registered sender or reply-to domain with newly registered linked domain	Sublime Security	7mo ago Aug 5th, 2025	BEC/Fraud Credential Phishing Malware/Ransomware Social engineering Header analysis URL analysis Whois
New sender domain (<=10d) from untrusted sender	Sublime Security	2y ago Nov 20th, 2024	Sender analysis Whois
Recruitee Infrastructure Abuse	Sublime Security	8mo ago Jul 16th, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Content analysis Natural Language Understanding Sender analysis URL analysis Whois
Service abuse: AppSheet infrastructure with suspicious indicators	Sublime Security	5mo ago Oct 6th, 2025	Credential Phishing Evasion Social engineering Content analysis Natural Language Understanding URL analysis Whois
Service abuse: Google Drive share from new reply-to domain	Sublime Security	4mo ago Nov 13th, 2025	BEC/Fraud Callback Phishing Credential Phishing Free email provider Social engineering Free file host Header analysis Sender analysis Whois
Service abuse: Google Firebase sender address with suspicious content	Sublime Security	18d ago Mar 12th, 2026	Spam Credential Phishing Free subdomain host Social engineering Content analysis Header analysis HTML analysis Natural Language Understanding Sender analysis URL analysis Whois
Spam: Fake photo share	Sublime Security	4mo ago Nov 8th, 2025	Spam Evasion Social engineering Content analysis Sender analysis URL analysis Whois
Spam/fraud: Predatory journal/research paper request	Sublime Security	4mo ago Nov 3rd, 2025	BEC/Fraud Spam Social engineering Impersonation: Brand Lookalike domain Evasion Natural Language Understanding Content analysis Sender analysis URL analysis Whois
Spam: New link domain (<=10d) and emojis	Sublime Security	8mo ago Jul 16th, 2025	Spam Free email provider Content analysis Sender analysis URL analysis Whois
Suspected lookalike domain with suspicious language	Sublime Security	2mo ago Jan 12th, 2026	BEC/Fraud Evasion Lookalike domain Social engineering Content analysis Natural Language Understanding Sender analysis Whois
Suspicious newly registered reply-to domain with engaging financial or urgent language	Sublime Security	2mo ago Jan 12th, 2026	BEC/Fraud Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis Whois
Vendor compromise: GovDelivery message with suspicious link	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Malware/Ransomware Free subdomain host IPFS Social engineering Evasion Impersonation: Brand Natural Language Understanding URL analysis Whois
Vendor impersonation: Thread hijacking with typosquat domain	Sublime Security	2mo ago Jan 12th, 2026	BEC/Fraud Lookalike domain Social engineering Spoofing Content analysis Natural Language Understanding Sender analysis Whois
VIP impersonation: Fake thread with display name match, email mismatch	Sublime Security	2mo ago Jan 12th, 2026	BEC/Fraud Evasion Impersonation: VIP Social engineering Spoofing Content analysis Header analysis Sender analysis Whois

39 Rules