Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Dec 19th, 2025

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: Calendar invite from recently registered domain	Sublime Security	2mo ago Sep 25th, 2025	Callback Phishing Evasion Social engineering File analysis Whois	/feeds/core/detection-rules/attachment-calendar-invite-from-recently-registered-domain-d801521c
Attachment: DocuSign impersonation via PDF linking to new domain	Sublime Security	4mo ago Aug 5th, 2025	Credential Phishing Impersonation: Brand PDF Social engineering Header analysis Sender analysis URL analysis File analysis Computer Vision Whois	/feeds/core/detection-rules/attachment-docusign-impersonation-via-pdf-linking-to-new-domain-f0c96282
Attachment: Legal themed message or PDF with suspicious indicators	Sublime Security	20d ago Dec 1st, 2025	Credential Phishing Extortion BEC/Fraud Evasion PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition URL analysis Whois Header analysis Exif analysis	/feeds/core/detection-rules/attachment-legal-themed-message-or-pdf-with-suspicious-indicators-19133301
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns	Sublime Security	4mo ago Aug 5th, 2025	BEC/Fraud Callback Phishing Spam Impersonation: Brand Social engineering Free email provider Content analysis Header analysis Sender analysis Whois	/feeds/core/detection-rules/becfraud-urgent-language-and-suspicious-sendinginfrastructure-patterns-ba8a79e0
Brand impersonation: Microsoft fake sign-in alert	Sublime Security	1y ago Apr 25th, 2024	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Sender analysis Whois	/feeds/core/detection-rules/brand-impersonation-microsoft-fake-sign-in-alert-3f4c9e7a
Brand impersonation: SharePoint PDF attachment with credential theft language	Sublime Security	1mo ago Nov 7th, 2025	Credential Phishing Impersonation: Brand Social engineering PDF Evasion Computer Vision File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis Header analysis Whois	/feeds/core/detection-rules/brand-impersonation-sharepoint-pdf-attachment-with-credential-theft-language-ae3756fa
Brand impersonation: Silicon Valley Bank	Sublime Security	1y ago Apr 25th, 2024	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Sender analysis Whois	/feeds/core/detection-rules/brand-impersonation-silicon-valley-bank-a01f61d9
Brand impersonation: Stripe notification	Sublime Security	2mo ago Sep 26th, 2025	Credential Phishing Evasion Impersonation: Brand Social engineering Content analysis Header analysis URL analysis Whois	/feeds/core/detection-rules/brand-impersonation-stripe-notification-3ffd2b03
Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old	Sublime Security	2mo ago Oct 17th, 2025	Callback Phishing Impersonation: Brand Out of band pivot Social engineering Header analysis Natural Language Understanding Optical Character Recognition Whois	/feeds/core/detection-rules/callback-phishing-branded-invoice-from-senderreply-to-domain-less-than-30-days-old-e6f4af53
Fraudulent order confirmation/shipping notification from Chinese sender domain	Sublime Security	18d ago Dec 3rd, 2025	BEC/Fraud Social engineering Content analysis Natural Language Understanding Sender analysis Whois	/feeds/core/detection-rules/fraudulent-order-confirmationshipping-notification-from-chinese-sender-domain-4392a14e
Generic service abuse from newly registered domain	Sublime Security	4mo ago Aug 5th, 2025	BEC/Fraud Callback Phishing Credential Phishing Evasion Social engineering Header analysis Sender analysis Whois	/feeds/core/detection-rules/generic-service-abuse-from-newly-registered-domain-0937b4c5
Impersonation: Suspected supplier impersonation with suspicious content	Sublime Security	10mo ago Feb 3rd, 2025	BEC/Fraud Evasion Free email provider Lookalike domain Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis Whois	/feeds/core/detection-rules/impersonation-suspected-supplier-impersonation-with-suspicious-content-63d8b1ce
Link: Abused Adobe Express	Sublime Security	5mo ago Jul 23rd, 2025	Credential Phishing Evasion Free subdomain host Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-abused-adobe-express-c7d17bfd
Link: Cryptocurrency fraud with suspicious links	Sublime Security	20d ago Dec 1st, 2025	BEC/Fraud Social engineering Evasion Free subdomain host Scripting Content analysis Header analysis Javascript analysis Natural Language Understanding Sender analysis URL analysis URL screenshot Whois	/feeds/core/detection-rules/link-cryptocurrency-fraud-with-suspicious-links-d0da37ce
Link: Google Firebase dynamic link that redirects to new domain (<7 days old)	@ajpc500	4mo ago Aug 5th, 2025	Credential Phishing Malware/Ransomware Evasion URL analysis Whois	/feeds/core/detection-rules/link-google-firebase-dynamic-link-that-redirects-to-new-domain-less7-days-old-5a204a37
Link: Multistage landing - Abused Adobe frame.io	Sublime Security	4mo ago Aug 5th, 2025	Credential Phishing Evasion Free file host Content analysis Whois Computer Vision URL analysis HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-adobe-frameio-a6c457c5
Link: Multistage landing - Abused Docusign	Sublime Security	4mo ago Aug 5th, 2025	Credential Phishing Evasion Free subdomain host Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-docusign-4189a645
Link: Multistage landing - Abused Google Drive	Sublime Security	4mo ago Aug 5th, 2025	Credential Phishing Evasion Free email provider Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-google-drive-c86288b4
Link: Multistage landing - Published Google Doc	Sublime Security	4mo ago Aug 5th, 2025	Credential Phishing Free file host Social engineering Natural Language Understanding URL analysis Whois	/feeds/core/detection-rules/link-multistage-landing-published-google-doc-031e1ff8
Link: Romance/Sexual Language With Suspicious Link	Sublime Security	4mo ago Aug 22nd, 2025	Spam Social engineering Content analysis Header analysis URL analysis Whois	/feeds/core/detection-rules/link-romancesexual-language-with-suspicious-link-d5694cae
New link domain (<=10d) from untrusted sender	Sublime Security	5mo ago Jul 16th, 2025	Credential Phishing Malware/Ransomware Sender analysis URL analysis Whois	/feeds/core/detection-rules/new-link-domain-less10d-from-untrusted-sender-4805b0e6
Newly registered sender or reply-to domain with newly registered linked domain	Sublime Security	4mo ago Aug 5th, 2025	BEC/Fraud Credential Phishing Malware/Ransomware Social engineering Header analysis URL analysis Whois	/feeds/core/detection-rules/newly-registered-sender-or-reply-to-domain-with-newly-registered-linked-domain-e5b6a81f
New sender domain (<=10d) from untrusted sender	Sublime Security	1y ago Nov 20th, 2024	Sender analysis Whois	/feeds/core/detection-rules/new-sender-domain-less10d-from-untrusted-sender-d87fa543
Recruitee Infrastructure Abuse	Sublime Security	5mo ago Jul 16th, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Content analysis Natural Language Understanding Sender analysis URL analysis Whois	/feeds/core/detection-rules/recruitee-infrastructure-abuse-31cab83d
Service abuse: AppSheet infrastructure with suspicious indicators	Sublime Security	2mo ago Oct 6th, 2025	Credential Phishing Evasion Social engineering Content analysis Natural Language Understanding URL analysis Whois	/feeds/core/detection-rules/service-abuse-appsheet-infrastructure-with-suspicious-indicators-5937646a
Service abuse: Google Drive share from new reply-to domain	Sublime Security	1mo ago Nov 13th, 2025	BEC/Fraud Callback Phishing Credential Phishing Free email provider Social engineering Free file host Header analysis Sender analysis Whois	/feeds/core/detection-rules/service-abuse-google-drive-share-from-new-reply-to-domain-c1a2d367
Service abuse: Random Google Firebase sender address with suspicious content	Sublime Security	25d ago Nov 26th, 2025	Spam Credential Phishing Free subdomain host Social engineering Content analysis Header analysis HTML analysis Natural Language Understanding Sender analysis URL analysis Whois	/feeds/core/detection-rules/service-abuse-random-google-firebase-sender-address-with-suspicious-content-9f8899a9
Spam: Fake photo share	Sublime Security	1mo ago Nov 8th, 2025	Spam Evasion Social engineering Content analysis Sender analysis URL analysis Whois	/feeds/core/detection-rules/spam-fake-photo-share-eb086f7d
Spam/fraud: Predatory journal/research paper request	Sublime Security	1mo ago Nov 3rd, 2025	BEC/Fraud Spam Social engineering Impersonation: Brand Lookalike domain Evasion Natural Language Understanding Content analysis Sender analysis URL analysis Whois	/feeds/core/detection-rules/spamfraud-predatory-journalresearch-paper-request-263ca56b
Spam: New link domain (<=10d) and emojis	Sublime Security	5mo ago Jul 16th, 2025	Spam Free email provider Content analysis Sender analysis URL analysis Whois	/feeds/core/detection-rules/spam-new-link-domain-less10d-and-emojis-33677993
Suspected lookalike domain with suspicious language	Sublime Security	4mo ago Aug 5th, 2025	BEC/Fraud Evasion Lookalike domain Social engineering Content analysis Natural Language Understanding Sender analysis Whois	/feeds/core/detection-rules/suspected-lookalike-domain-with-suspicious-language-3674ced0
Suspicious newly registered reply-to domain with engaging financial or urgent language	Sublime Security	5mo ago Jul 16th, 2025	BEC/Fraud Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis Whois	/feeds/core/detection-rules/suspicious-newly-registered-reply-to-domain-with-engaging-financial-or-urgent-language-db4d9bb3
Vendor compromise: GovDelivery message with suspicious link	Sublime Security	4mo ago Aug 5th, 2025	Credential Phishing Malware/Ransomware Free subdomain host IPFS Social engineering Evasion Impersonation: Brand Natural Language Understanding URL analysis Whois	/feeds/core/detection-rules/vendor-compromise-govdelivery-message-with-suspicious-link-0d2d5172
Vendor impersonation: Thread hijacking with typosquat domain	Sublime Security	1mo ago Nov 4th, 2025	BEC/Fraud Lookalike domain Social engineering Spoofing Content analysis Natural Language Understanding Sender analysis Whois	/feeds/core/detection-rules/vendor-impersonation-thread-hijacking-with-typosquat-domain-9c2f38ed
VIP impersonation: Fake thread with display name match, email mismatch	Sublime Security	1y ago Jul 29th, 2024	BEC/Fraud Evasion Impersonation: VIP Social engineering Spoofing Content analysis Header analysis Sender analysis Whois	/feeds/core/detection-rules/vip-impersonation-fake-thread-with-display-name-match-email-mismatch-11cc3e28

35 Rules