Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Mar 6th, 2026

Feed Source

GitHub

Rule Name & Severity	Author	Last Updated	Labels
Anthropic Magic String in HTML	Sublime Security	27d ago Feb 9th, 2026	Malware/Ransomware Exploit Content analysis	/feeds/core/detection-rules/anthropic-magic-string-in-html-d860c6a8
Attachment: Adobe image lure in body or attachment with suspicious link	Sublime Security	2mo ago Jan 5th, 2026	Credential Phishing Image as content Impersonation: Brand Content analysis Computer Vision Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/attachment-adobe-image-lure-in-body-or-attachment-with-suspicious-link-1d7add81
Attachment: Callback phishing solicitation via pdf file	Sublime Security	7mo ago Aug 5th, 2025	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097
Attachment: EML containing a base64 encoded script	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion HTML smuggling Scripting Social engineering File analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-containing-a-base64-encoded-script-fc3d9445
Attachment: EML file contains HTML attachment with login portal indicators	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion HTML smuggling Content analysis File analysis Header analysis HTML analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-file-contains-html-attachment-with-login-portal-indicators-6e4df158
Attachment: EML file with HTML attachment (unsolicited)	Sublime Security	6mo ago Aug 20th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Content analysis File analysis Header analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-file-with-html-attachment-unsolicited-c24fd191
Attachment: EML with link to credential phishing page	Sublime Security	7mo ago Jul 16th, 2025	Credential Phishing Evasion Free file host Free subdomain host Social engineering Computer Vision Content analysis File analysis Header analysis HTML analysis Natural Language Understanding Optical Character Recognition URL analysis URL screenshot	/feeds/core/detection-rules/attachment-eml-with-link-to-credential-phishing-page-1df41cca
Attachment: EML with Sharepoint link likely unrelated to sender	Sublime Security	5mo ago Sep 23rd, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Evasion File analysis URL analysis Header analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-with-sharepoint-link-likely-unrelated-to-sender-0a4fd31b
Attachment: EML with suspicious indicators	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion HTML smuggling Social engineering Content analysis File analysis	/feeds/core/detection-rules/attachment-eml-with-suspicious-indicators-deb5d08d
Attachment: Fake attachment image lure	Sublime Security	5mo ago Sep 22nd, 2025	Credential Phishing Malware/Ransomware Evasion Image as content Social engineering File analysis Natural Language Understanding Optical Character Recognition	/feeds/core/detection-rules/attachment-fake-attachment-image-lure-96b8b285
BEC/Fraud: Job scam fake thread or plaintext pivot to freemail	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Free email provider Out of band pivot Content analysis File analysis Natural Language Understanding	/feeds/core/detection-rules/becfraud-job-scam-fake-thread-or-plaintext-pivot-to-freemail-ce21c151
BEC/Fraud: Student loan callback phishing	Sublime Security	6mo ago Sep 5th, 2025	BEC/Fraud Free email provider Out of band pivot Social engineering Content analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/becfraud-student-loan-callback-phishing-a71f82c3
Body: Embedded email headers indicative of thread hijacking/abuse	Sublime Security	3mo ago Dec 1st, 2025	Credential Phishing BEC/Fraud Spam Evasion Social engineering Spoofing Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/body-embedded-email-headers-indicative-of-thread-hijackingabuse-6e8eeebb
Body HTML: Recipient SLD in HTML class	Sublime Security	5mo ago Sep 23rd, 2025	Credential Phishing Evasion Social engineering HTML analysis Header analysis Sender analysis	/feeds/core/detection-rules/body-html-recipient-sld-in-html-class-d395e41d
Brand impersonation: Adobe Sign with suspicious indicators	Sublime Security	1mo ago Jan 8th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis HTML analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-adobe-sign-with-suspicious-indicators-704d143a
Brand impersonation: Booking.com	Sublime Security	4mo ago Nov 3rd, 2025	Credential Phishing Impersonation: Brand Social engineering Natural Language Understanding Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-bookingcom-d1d8882f
Brand impersonation: Capital One	Sublime Security	3mo ago Nov 17th, 2025	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Computer Vision Sender analysis Header analysis	/feeds/core/detection-rules/brand-impersonation-capital-one-d53848e4
Brand impersonation: DocuSign	Sublime Security	12d ago Feb 24th, 2026	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Spoofing Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-docusign-4d29235c
Brand impersonation: Dropbox	Sublime Security	24d ago Feb 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-dropbox-61f11d12
Brand impersonation: Evite	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-evite-9e867a2b
Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains	Sublime Security	2mo ago Dec 10th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis HTML analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-fake-docusign-html-table-not-linking-to-docusign-domains-28923dde
Brand impersonation: Fake Fax	Sublime Security	1mo ago Feb 5th, 2026	Credential Phishing Impersonation: Brand Image as content Free file host Free subdomain host Social engineering Computer Vision Content analysis Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a
Brand impersonation: File sharing notification with template artifacts	Sublime Security	1mo ago Jan 23rd, 2026	Credential Phishing Impersonation: Brand Social engineering Evasion HTML analysis Computer Vision Content analysis Header analysis	/feeds/core/detection-rules/brand-impersonation-file-sharing-notification-with-template-artifacts-37d89611
Brand impersonation: Google Drive fake file share	Sublime Security	2mo ago Dec 19th, 2025	Credential Phishing Malware/Ransomware Impersonation: Brand Social engineering Content analysis Header analysis URL analysis Computer Vision	/feeds/core/detection-rules/brand-impersonation-google-drive-fake-file-share-b424a941
Brand impersonation: Google Meet with malicious link	Sublime Security	24d ago Feb 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-google-meet-with-malicious-link-d488d85a
Brand impersonation: Google using Microsoft Forms	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-google-using-microsoft-forms-1daac608
Brand impersonation: Google Workspace alert notification	Sublime Security	3mo ago Dec 2nd, 2025	Credential Phishing Impersonation: Brand Social engineering Lookalike domain Header analysis Content analysis Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-google-workspace-alert-notification-143ffbc4
Brand impersonation: Greenvelope	Sublime Security	3mo ago Dec 1st, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-greenvelope-9cbbf9b8
Brand impersonation: Mailgun	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing BEC/Fraud Impersonation: Brand Sender analysis	/feeds/core/detection-rules/brand-impersonation-mailgun-59cc84e6
Brand impersonation: Microsoft logo in HTML with fake quarantine release notification	Sublime Security	2mo ago Dec 10th, 2025	Credential Phishing Evasion Impersonation: Brand Social engineering Content analysis HTML analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-logo-in-html-with-fake-quarantine-release-notification-f12c615c
Brand impersonation: Microsoft (QR code)	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand PDF QR code Social engineering Computer Vision Header analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-qr-code-ed0f772a
Brand impersonation: Microsoft Teams invitation	Sublime Security	30d ago Feb 6th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis HTML analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-teams-invitation-46410ad8
Brand impersonation: Microsoft with low reputation links	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Free file host Image as content Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6
Brand impersonation: Paperless Post	Sublime Security	4mo ago Nov 6th, 2025	Credential Phishing Malware/Ransomware Impersonation: Brand Content analysis Header analysis HTML analysis Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-paperless-post-e9ec5e09
Brand impersonation: Punchbowl	Sublime Security	23d ago Feb 13th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-punchbowl-58937ba0
Brand impersonation: QuickBooks notification from Intuit themed company name	Sublime Security	1mo ago Jan 12th, 2026	Callback Phishing Credential Phishing BEC/Fraud Evasion Social engineering Content analysis Sender analysis Header analysis	/feeds/core/detection-rules/brand-impersonation-quickbooks-notification-from-intuit-themed-company-name-42058fc4
Brand impersonation: Sharepoint	Sublime Security	1mo ago Jan 10th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/brand-impersonation-sharepoint-284b1b70
Brand impersonation: Sharepoint fake file share	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Impersonation: Brand Social engineering Content analysis Header analysis URL analysis Computer Vision	/feeds/core/detection-rules/brand-impersonation-sharepoint-fake-file-share-ff8b296b
Brand impersonation: SharePoint PDF attachment with credential theft language	Sublime Security	4mo ago Nov 7th, 2025	Credential Phishing Impersonation: Brand Social engineering PDF Evasion Computer Vision File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis Header analysis Whois	/feeds/core/detection-rules/brand-impersonation-sharepoint-pdf-attachment-with-credential-theft-language-ae3756fa
Brand impersonation: UK government Home Office	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Lookalike domain Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-uk-government-home-office-f35d846a
Brand impersonation: USPS	Sublime Security	23d ago Feb 13th, 2026	Credential Phishing Image as content Impersonation: Brand Social engineering Computer Vision Content analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/brand-impersonation-usps-28b9130a
Brand impersonation: Wells Fargo	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Content analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-wells-fargo-02d7301f
Brand impersonation: Zoom	Sublime Security	5mo ago Sep 22nd, 2025	Credential Phishing Impersonation: Brand Social engineering Evasion Computer Vision Content analysis HTML analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/brand-impersonation-zoom-5abad540
Brand impersonation: Zoom via HTML styling	Sublime Security	9d ago Feb 27th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis HTML analysis	/feeds/core/detection-rules/brand-impersonation-zoom-via-html-styling-b717920d
Callback phishing: AOL senders with suspicious HTML template or PDF attachment	Sublime Security	1mo ago Jan 12th, 2026	Callback Phishing Free email provider Social engineering Content analysis Header analysis File analysis HTML analysis Exif analysis Sender analysis	/feeds/core/detection-rules/callback-phishing-aol-senders-with-suspicious-html-template-or-pdf-attachment-f6044eed
Callback phishing in body or attachment (untrusted sender)	Sublime Security	1mo ago Jan 22nd, 2026	Callback Phishing Out of band pivot Social engineering Content analysis File analysis Optical Character Recognition Natural Language Understanding Sender analysis	/feeds/core/detection-rules/callback-phishing-in-body-or-attachment-untrusted-sender-b93c6f94
Callback phishing: SumUp infrastructure abuse	Sublime Security	6mo ago Sep 5th, 2025	BEC/Fraud Callback Phishing Evasion Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/callback-phishing-sumup-infrastructure-abuse-1c41649e
Callback phishing via Intuit service abuse	Sublime Security	1mo ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Optical Character Recognition	/feeds/core/detection-rules/callback-phishing-via-intuit-service-abuse-f2fe1294
Callback phishing via Zelle Service Abuse	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Callback Phishing Evasion Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/callback-phishing-via-zelle-service-abuse-08727484
Canva infrastructure abuse	Sublime Security	30d ago Feb 6th, 2026	BEC/Fraud Callback Phishing Social engineering Impersonation: Brand Impersonation: Employee Free email provider Natural Language Understanding Sender analysis Content analysis	/feeds/core/detection-rules/canva-infrastructure-abuse-b69fdb5c

122 Rules

Page 1 of 3