Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Jan 6th, 2026

Feed Source

GitHub

Rule Name & Severity	Author	Last Updated	Labels
Attachment: Adobe image lure in body or attachment with suspicious link	Sublime Security	23h ago Jan 5th, 2026	Credential Phishing Image as content Impersonation: Brand Content analysis Computer Vision Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/attachment-adobe-image-lure-in-body-or-attachment-with-suspicious-link-1d7add81
Attachment: Callback phishing solicitation via pdf file	Sublime Security	5mo ago Aug 5th, 2025	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097
Attachment: EML containing a base64 encoded script	Sublime Security	2y ago Jan 30th, 2024	Credential Phishing Evasion HTML smuggling Scripting Social engineering File analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-containing-a-base64-encoded-script-fc3d9445
Attachment: EML file contains HTML attachment with login portal indicators	Sublime Security	2mo ago Nov 4th, 2025	Credential Phishing Evasion HTML smuggling Content analysis File analysis Header analysis HTML analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-file-contains-html-attachment-with-login-portal-indicators-6e4df158
Attachment: EML file with HTML attachment (unsolicited)	Sublime Security	4mo ago Aug 20th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Content analysis File analysis Header analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-file-with-html-attachment-unsolicited-c24fd191
Attachment: EML with link to credential phishing page	Sublime Security	5mo ago Jul 16th, 2025	Credential Phishing Evasion Free file host Free subdomain host Social engineering Computer Vision Content analysis File analysis Header analysis HTML analysis Natural Language Understanding Optical Character Recognition URL analysis URL screenshot	/feeds/core/detection-rules/attachment-eml-with-link-to-credential-phishing-page-1df41cca
Attachment: EML with Sharepoint link likely unrelated to sender	Sublime Security	3mo ago Sep 23rd, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Evasion File analysis URL analysis Header analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-with-sharepoint-link-likely-unrelated-to-sender-0a4fd31b
Attachment: EML with suspicious indicators	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Evasion HTML smuggling Social engineering Content analysis File analysis	/feeds/core/detection-rules/attachment-eml-with-suspicious-indicators-deb5d08d
Attachment: Fake attachment image lure	Sublime Security	3mo ago Sep 22nd, 2025	Credential Phishing Malware/Ransomware Evasion Image as content Social engineering File analysis Natural Language Understanding Optical Character Recognition	/feeds/core/detection-rules/attachment-fake-attachment-image-lure-96b8b285
BEC/Fraud: Job scam fake thread or plaintext pivot to freemail	Sublime Security	1mo ago Nov 20th, 2025	BEC/Fraud Free email provider Out of band pivot Content analysis File analysis Natural Language Understanding	/feeds/core/detection-rules/becfraud-job-scam-fake-thread-or-plaintext-pivot-to-freemail-ce21c151
BEC/Fraud: Student loan callback phishing	Sublime Security	4mo ago Sep 5th, 2025	BEC/Fraud Free email provider Out of band pivot Social engineering Content analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/becfraud-student-loan-callback-phishing-a71f82c3
Body: Embedded email headers indicative of thread hijacking/abuse	Sublime Security	1mo ago Dec 1st, 2025	Credential Phishing BEC/Fraud Spam Evasion Social engineering Spoofing Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/body-embedded-email-headers-indicative-of-thread-hijackingabuse-6e8eeebb
Body HTML: Recipient SLD in HTML class	Sublime Security	3mo ago Sep 23rd, 2025	Credential Phishing Evasion Social engineering HTML analysis Header analysis Sender analysis	/feeds/core/detection-rules/body-html-recipient-sld-in-html-class-d395e41d
Brand impersonation: Adobe Sign with suspicious indicators	Sublime Security	26d ago Dec 11th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis HTML analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-adobe-sign-with-suspicious-indicators-704d143a
Brand impersonation: Booking.com	Sublime Security	2mo ago Nov 3rd, 2025	Credential Phishing Impersonation: Brand Social engineering Natural Language Understanding Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-bookingcom-d1d8882f
Brand impersonation: Capital One	Sublime Security	1mo ago Nov 17th, 2025	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Computer Vision Sender analysis Header analysis	/feeds/core/detection-rules/brand-impersonation-capital-one-d53848e4
Brand impersonation: DocuSign	Sublime Security	27d ago Dec 10th, 2025	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Spoofing Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-docusign-4d29235c
Brand impersonation: Evite	Sublime Security	2mo ago Oct 15th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-evite-9e867a2b
Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains	Sublime Security	27d ago Dec 10th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis HTML analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-fake-docusign-html-table-not-linking-to-docusign-domains-28923dde
Brand impersonation: Fake Fax	Sublime Security	1mo ago Nov 13th, 2025	Credential Phishing Impersonation: Brand Image as content Free file host Free subdomain host Social engineering Computer Vision Content analysis Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a
Brand impersonation: Google Drive fake file share	Sublime Security	18d ago Dec 19th, 2025	Credential Phishing Malware/Ransomware Impersonation: Brand Social engineering Content analysis Header analysis URL analysis Computer Vision	/feeds/core/detection-rules/brand-impersonation-google-drive-fake-file-share-b424a941
Brand impersonation: Google using Microsoft Forms	Sublime Security	3y ago Aug 21st, 2023	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-google-using-microsoft-forms-1daac608
Brand impersonation: Google Workspace alert notification	Sublime Security	1mo ago Dec 2nd, 2025	Credential Phishing Impersonation: Brand Social engineering Lookalike domain Header analysis Content analysis Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-google-workspace-alert-notification-143ffbc4
Brand impersonation: Greenvelope	Sublime Security	1mo ago Dec 1st, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-greenvelope-9cbbf9b8
Brand impersonation: Mailgun	Sublime Security	3mo ago Sep 22nd, 2025	Credential Phishing BEC/Fraud Impersonation: Brand Sender analysis	/feeds/core/detection-rules/brand-impersonation-mailgun-59cc84e6
Brand impersonation: Microsoft logo in HTML with fake quarantine release notification	Sublime Security	27d ago Dec 10th, 2025	Credential Phishing Evasion Impersonation: Brand Social engineering Content analysis HTML analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-logo-in-html-with-fake-quarantine-release-notification-f12c615c
Brand impersonation: Microsoft (QR code)	Sublime Security	3mo ago Sep 22nd, 2025	Credential Phishing Impersonation: Brand PDF QR code Social engineering Computer Vision Header analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-qr-code-ed0f772a
Brand impersonation: Microsoft Teams invitation	Sublime Security	22d ago Dec 15th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis HTML analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-teams-invitation-46410ad8
Brand impersonation: Microsoft with low reputation links	Sublime Security	27d ago Dec 10th, 2025	Credential Phishing Free file host Image as content Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6
Brand impersonation: Paperless Post	Sublime Security	2mo ago Nov 6th, 2025	Credential Phishing Malware/Ransomware Impersonation: Brand Content analysis Header analysis HTML analysis Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-paperless-post-e9ec5e09
Brand impersonation: Punchbowl	Sublime Security	2mo ago Oct 17th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-punchbowl-58937ba0
Brand impersonation: QuickBooks notification from Intuit themed company name	Sublime Security	5mo ago Aug 5th, 2025	Callback Phishing Credential Phishing BEC/Fraud Evasion Social engineering Content analysis Sender analysis Header analysis	/feeds/core/detection-rules/brand-impersonation-quickbooks-notification-from-intuit-themed-company-name-42058fc4
Brand impersonation: Sharepoint	Sublime Security	1mo ago Nov 24th, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/brand-impersonation-sharepoint-284b1b70
Brand impersonation: Sharepoint fake file share	Sublime Security	27d ago Dec 10th, 2025	Credential Phishing Malware/Ransomware Impersonation: Brand Social engineering Content analysis Header analysis URL analysis Computer Vision	/feeds/core/detection-rules/brand-impersonation-sharepoint-fake-file-share-ff8b296b
Brand impersonation: SharePoint PDF attachment with credential theft language	Sublime Security	2mo ago Nov 7th, 2025	Credential Phishing Impersonation: Brand Social engineering PDF Evasion Computer Vision File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis Header analysis Whois	/feeds/core/detection-rules/brand-impersonation-sharepoint-pdf-attachment-with-credential-theft-language-ae3756fa
Brand impersonation: UK government Home Office	Sublime Security	3mo ago Sep 15th, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Lookalike domain Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-uk-government-home-office-f35d846a
Brand impersonation: Wells Fargo	Sublime Security	11mo ago Jan 15th, 2025	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Content analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-wells-fargo-02d7301f
Brand impersonation: Zoom	Sublime Security	3mo ago Sep 22nd, 2025	Credential Phishing Impersonation: Brand Social engineering Evasion Computer Vision Content analysis HTML analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/brand-impersonation-zoom-5abad540
Callback phishing: AOL senders with suspicious HTML template or PDF attachment	Sublime Security	5mo ago Aug 5th, 2025	Callback Phishing Free email provider Social engineering Content analysis Header analysis File analysis HTML analysis Exif analysis Sender analysis	/feeds/core/detection-rules/callback-phishing-aol-senders-with-suspicious-html-template-or-pdf-attachment-f6044eed
Callback phishing in body or attachment (untrusted sender)	Sublime Security	1mo ago Nov 19th, 2025	Callback Phishing Out of band pivot Social engineering Content analysis File analysis Optical Character Recognition Natural Language Understanding Sender analysis	/feeds/core/detection-rules/callback-phishing-in-body-or-attachment-untrusted-sender-b93c6f94
Callback phishing: SumUp infrastructure abuse	Sublime Security	4mo ago Sep 5th, 2025	BEC/Fraud Callback Phishing Evasion Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/callback-phishing-sumup-infrastructure-abuse-1c41649e
Callback phishing via Intuit service abuse	Sublime Security	4mo ago Sep 5th, 2025	Callback Phishing Evasion Free email provider Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Optical Character Recognition	/feeds/core/detection-rules/callback-phishing-via-intuit-service-abuse-f2fe1294
Callback phishing via Zelle Service Abuse	Sublime Security	4mo ago Sep 5th, 2025	BEC/Fraud Callback Phishing Evasion Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/callback-phishing-via-zelle-service-abuse-08727484
Canva infrastructure abuse	Sublime Security	4mo ago Sep 5th, 2025	BEC/Fraud Callback Phishing Social engineering Impersonation: Brand Impersonation: Employee Free email provider Natural Language Understanding Sender analysis Content analysis	/feeds/core/detection-rules/canva-infrastructure-abuse-b69fdb5c
Compensation review with QR code in attached EML	Sublime Security	1mo ago Nov 26th, 2025	Credential Phishing QR code Social engineering Computer Vision Content analysis Optical Character Recognition QR code analysis	/feeds/core/detection-rules/compensation-review-with-qr-code-in-attached-eml-98a2f03c
Credential phishing: Engaging language with IPFS link	Sublime Security	2y ago May 3rd, 2024	Credential Phishing Free file host Free subdomain host IPFS Content analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/credential-phishing-engaging-language-with-ipfs-link-996c4d83
Credential phishing: Fake password expiration from new and unsolicited sender	Sublime Security	3mo ago Oct 8th, 2025	Credential Phishing Social engineering Content analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/credential-phishing-fake-password-expiration-from-new-and-unsolicited-sender-5d9c3a75
Credential phishing link (unknown sender)	Sublime Security	5mo ago Jul 16th, 2025	Credential Phishing Social engineering Computer Vision Sender analysis URL analysis URL screenshot	/feeds/core/detection-rules/credential-phishing-link-unknown-sender-a278012b
Credential phishing: Suspicious e-sign agreement document notification	Sublime Security	22d ago Dec 15th, 2025	Credential Phishing Social engineering Content analysis Header analysis HTML analysis URL analysis Sender analysis	/feeds/core/detection-rules/credential-phishing-suspicious-e-sign-agreement-document-notification-9b68c2d8
Credential theft: Gophish abuse with hidden tracking image	Sublime Security	2mo ago Nov 5th, 2025	Spam Evasion Image as content Content analysis HTML analysis	/feeds/core/detection-rules/credential-theft-gophish-abuse-with-hidden-tracking-image-59915ceb

110 Rules

Page 1 of 3