Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Apr 24th, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: Archive contains DLL-loading macro	Sublime Security	3y ago Dec 28th, 2023	Malware/Ransomware Exploit LNK Macros Scripting Archive analysis File analysis Macro analysis YARA
Attachment: Archive with embedded EXE file	Sublime Security	2y ago Feb 27th, 2024	Malware/Ransomware Evasion Archive analysis File analysis YARA
Attachment: DocX embedded binary	Sublime Security	8mo ago Aug 5th, 2025	Malware/Ransomware Evasion Archive analysis Content analysis YARA
Attachment: EML with Encrypted ZIP	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Encryption Evasion Archive analysis File analysis YARA
Attachment: HTML file with excessive padding and suspicious patterns	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling File analysis HTML analysis YARA
Attachment: HTML file with reference to recipient and suspicious patterns	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing HTML smuggling Scripting Content analysis File analysis HTML analysis Javascript analysis YARA
Attachment: HTML smuggling with embedded base64-encoded executable	Sublime Security	2y ago Mar 25th, 2024	Malware/Ransomware Evasion HTML smuggling Archive analysis File analysis HTML analysis YARA
Attachment: JavaScript file with suspicious base64-encoded executable	Sublime Security	2y ago Apr 1st, 2024	Malware/Ransomware Evasion Scripting Archive analysis File analysis YARA
Attachment: Malformed OLE file	Sublime Security	2y ago Nov 25th, 2024	Credential Phishing Malware/Ransomware Evasion File analysis YARA
Attachment: Malicious OneNote commands	@Kyle_Parrish_	3mo ago Jan 12th, 2026	Malware/Ransomware OneNote Scripting Archive analysis Content analysis File analysis YARA
Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK	Sublime Security	2mo ago Jan 28th, 2026	Malware/Ransomware Evasion File analysis YARA
Attachment: Password-protected PDF with fake document indicators	Sublime Security	3mo ago Jan 21st, 2026	Malware/Ransomware Credential Phishing Encryption Evasion PDF File analysis YARA Exif analysis
Attachment: PDF contains W9 or invoice YARA signatures	Sublime Security	1mo ago Mar 18th, 2026	BEC/Fraud Credential Phishing PDF Social engineering File analysis YARA
Attachment: PDF with CVE-2026-34621 lures	Sublime Security	2d ago Apr 22nd, 2026	Malware/Ransomware PDF File analysis YARA
Attachment: PDF with JSFck obfuscation	Sublime Security	2d ago Apr 22nd, 2026	Malware/Ransomware Evasion PDF File analysis YARA
Attachment: PDF With SAI Global ISO9001 Logo	Sublime Security	9d ago Apr 15th, 2026	Credential Phishing Impersonation: Brand PDF File analysis YARA
Attachment: PDF with split QR code	Sublime Security	9d ago Apr 15th, 2026	Credential Phishing Evasion PDF QR code File analysis YARA QR code analysis
Attachment: PDF with suspicious view document characteristics	Sublime Security	1d ago Apr 23rd, 2026	Credential Phishing Malware/Ransomware PDF Social engineering Evasion File analysis YARA
Attachment: RTF with embedded content	@amitchell516	2y ago Feb 26th, 2024	Malware/Ransomware Evasion File analysis YARA
Attachment: WinRAR CVE-2025-8088 exploitation	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Exploit Evasion Archive analysis File analysis YARA
Attachment with unscannable encrypted zip (unsolicited)	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Archive analysis File analysis Sender analysis YARA
Attachment: ZIP file with CVE-2026-0866 exploit	Sublime Security	1mo ago Mar 20th, 2026	Malware/Ransomware Exploit Evasion Archive analysis File analysis YARA
Encrypted Microsoft Office files from untrusted sender	Sublime Security	8mo ago Aug 5th, 2025	BEC/Fraud Callback Phishing Credential Phishing Extortion Malware/Ransomware Spam Encryption Evasion File analysis YARA Sender analysis
Link to auto-downloaded disk image in encrypted zip	@ajpc500	3mo ago Jan 12th, 2026	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA
Link to auto-downloaded DMG in encrypted zip	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA
Link to auto-download of a suspicious file type (unsolicited)	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Encryption Evasion LNK Social engineering Archive analysis File analysis Sender analysis URL analysis YARA

26 Rules