Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Apr 24th, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure	Sublime Security	18d ago Apr 6th, 2026	Credential Phishing Impersonation: Brand Evasion Social engineering URL analysis
Advance Fee Fraud (AFF) from freemail provider or suspicious TLD	Sublime Security	10d ago Apr 14th, 2026	BEC/Fraud Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis
Attachment: Archive containing HTML file with file scheme link	Sublime Security	1mo ago Mar 17th, 2026	Credential Phishing Evasion Exploit HTML smuggling Social engineering Archive analysis File analysis HTML analysis
Attachment: Calendar invite from recently registered domain	Sublime Security	7mo ago Sep 25th, 2025	Callback Phishing Evasion Social engineering File analysis Whois
Attachment: Calendar invite with Google redirect and invoice request	Sublime Security	16d ago Apr 8th, 2026	Credential Phishing BEC/Fraud Open redirect Social engineering File analysis Natural Language Understanding URL analysis
Attachment: Callback phishing solicitation via image file	@vector_sec	3mo ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Out of band pivot Social engineering Image as content Content analysis Optical Character Recognition Sender analysis URL analysis Computer Vision
Attachment: Callback phishing solicitation via pdf file	Sublime Security	8mo ago Aug 5th, 2025	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis
Attachment: Callback phishing solicitation via text-based file	Sublime Security	7mo ago Sep 22nd, 2025	Callback Phishing Evasion Out of band pivot Social engineering Content analysis File analysis Header analysis Sender analysis
Attachment: Cold outreach with invitation subject and not attachment	Sublime Security	21d ago Apr 3rd, 2026	Spam Social engineering Image as content Content analysis Natural Language Understanding File analysis
Attachment: Compensation review lure with QR code	Sublime Security	10d ago Apr 14th, 2026	Credential Phishing PDF QR code Social engineering File analysis Optical Character Recognition QR code analysis Natural Language Understanding Sender analysis Header analysis
Attachment: Credit card application with WhatsApp contact	Sublime Security	5mo ago Nov 20th, 2025	BEC/Fraud Social engineering Out of band pivot Content analysis File analysis Natural Language Understanding QR code analysis
Attachment: DocuSign impersonation via PDF linking to new domain	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand PDF Social engineering Header analysis Sender analysis URL analysis File analysis Computer Vision Whois
Attachment: DOCX with hyperlink targeting recipient address	Sublime Security	4mo ago Dec 17th, 2025	Credential Phishing Malware/Ransomware Evasion Social engineering File analysis Archive analysis XML analysis
Attachment: Dropbox image lure with no Dropbox domains in links	Sublime Security	9mo ago Jul 16th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis Optical Character Recognition Sender analysis
Attachment: EML containing a base64 encoded script	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion HTML smuggling Scripting Social engineering File analysis HTML analysis Sender analysis
Attachment: EML with link to credential phishing page	Sublime Security	9mo ago Jul 16th, 2025	Credential Phishing Evasion Free file host Free subdomain host Social engineering Computer Vision Content analysis File analysis Header analysis HTML analysis Natural Language Understanding Optical Character Recognition URL analysis URL screenshot
Attachment: EML with SharePoint files shared from GoDaddy federated tenants	Sublime Security	7mo ago Sep 23rd, 2025	Credential Phishing Evasion Impersonation: Brand Social engineering File analysis URL analysis Content analysis
Attachment: EML with Sharepoint link likely unrelated to sender	Sublime Security	7mo ago Sep 23rd, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Evasion File analysis URL analysis Header analysis Sender analysis
Attachment: EML with suspicious indicators	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion HTML smuggling Social engineering Content analysis File analysis
Attachment: Employment contract update with suspicious file naming	Sublime Security	2mo ago Jan 28th, 2026	Malware/Ransomware Evasion Social engineering Content analysis File analysis
Attachment: Encrypted PDF with credential theft body	Sublime Security	15d ago Apr 9th, 2026	Credential Phishing Encryption Evasion PDF Social engineering Content analysis Exif analysis File analysis Natural Language Understanding Sender analysis
Attachment: Encrypted zip file with payment-related lure	Sublime Security	5mo ago Nov 25th, 2025	BEC/Fraud Malware/Ransomware Encryption Evasion Social engineering Archive analysis Content analysis File analysis
Attachment: Excel file with document sharing lure created by Go Excelize	Sublime Security	2mo ago Jan 29th, 2026	Credential Phishing Macros Social engineering File analysis Macro analysis Content analysis Exif analysis
Attachment: Fake attachment image lure	Sublime Security	7mo ago Sep 22nd, 2025	Credential Phishing Malware/Ransomware Evasion Image as content Social engineering File analysis Natural Language Understanding Optical Character Recognition
Attachment: Fake lawyer & sports agent identities	Sublime Security	2mo ago Jan 26th, 2026	BEC/Fraud Impersonation: VIP Social engineering Content analysis Exif analysis File analysis Optical Character Recognition
Attachment: Fake scan-to-email	Sublime Security	7mo ago Sep 22nd, 2025	Credential Phishing Free file host Image as content PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Attachment: Fake secure message and suspicious indicators	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Image as content Impersonation: Brand Social engineering Content analysis File analysis Header analysis Natural Language Understanding Sender analysis
Attachment: Fake Slack installer	Sublime Security	3y ago Nov 29th, 2023	Malware/Ransomware Evasion HTML smuggling Impersonation: Brand Scripting Social engineering Archive analysis Computer Vision File analysis HTML analysis Natural Language Understanding URL analysis
Attachment: Fake voicemail via PDF	Sublime Security	10d ago Apr 14th, 2026	Credential Phishing PDF QR code Social engineering Computer Vision Content analysis File analysis Optical Character Recognition QR code analysis URL analysis
Attachment: Fake Zoom installer	Sublime Security	3y ago Nov 29th, 2023	Malware/Ransomware Evasion HTML smuggling Impersonation: Brand Scripting Social engineering Archive analysis Computer Vision File analysis HTML analysis Natural Language Understanding URL analysis
Attachment: Fictitious invoice using LinkedIn's address	Sublime Security	7mo ago Sep 3rd, 2025	BEC/Fraud PDF Social engineering File analysis Optical Character Recognition Natural Language Understanding Content analysis Exif analysis
Attachment: HTML smuggling Microsoft sign in	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Free subdomain host HTML smuggling Impersonation: Brand Social engineering Archive analysis Content analysis File analysis Header analysis Javascript analysis Sender analysis URL analysis
Attachment: HTML smuggling with embedded base64 streamed file download	Sublime Security	3y ago Aug 21st, 2023	Malware/Ransomware HTML smuggling Scripting Social engineering Archive analysis Content analysis File analysis HTML analysis
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns	Sublime Security	2y ago Aug 27th, 2024	Credential Phishing Evasion HTML smuggling Scripting Social engineering File analysis HTML analysis Javascript analysis
Attachment: HTML with emoji-to-character map	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Evasion HTML smuggling Impersonation: Brand Scripting Social engineering File analysis HTML analysis Javascript analysis Sender analysis
Attachment: ICS calendar file with QR code containing recipient email address	Sublime Security	4d ago Apr 20th, 2026	Credential Phishing QR code Social engineering Evasion File analysis QR code analysis URL analysis Content analysis
Attachment: ICS calendar file with recipient address in UID field	Sublime Security	4d ago Apr 20th, 2026	Credential Phishing Social engineering File analysis Content analysis
Attachment: ICS file with links to newly registered domains	Sublime Security	4d ago Apr 20th, 2026	Credential Phishing Social engineering File analysis URL analysis Whois
Attachment: ICS file with meeting prefix	Sublime Security	2mo ago Jan 26th, 2026	BEC/Fraud Credential Phishing Social engineering File analysis Header analysis
Attachment: ICS with employee policy review lure	Sublime Security	1mo ago Mar 16th, 2026	Credential Phishing BEC/Fraud Evasion Social engineering File analysis Content analysis
Attachment: Invoice and W-9 PDFs with suspicious creators	Sublime Security	3mo ago Jan 21st, 2026	BEC/Fraud PDF Social engineering Impersonation: Brand File analysis Optical Character Recognition Exif analysis Content analysis
Attachment: Legal themed message or PDF with suspicious indicators	Sublime Security	21d ago Apr 3rd, 2026	Credential Phishing Extortion BEC/Fraud Evasion PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition URL analysis Whois Header analysis Exif analysis
Attachment: Link to Doubleclick.net open redirect	Sublime Security	8mo ago Aug 5th, 2025	BEC/Fraud Credential Phishing Evasion Open redirect Social engineering Content analysis File analysis URL analysis
Attachment: Microsoft 365 credential phishing	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis File analysis Header analysis Optical Character Recognition Sender analysis
Attachment: Microsoft impersonation via PDF with link and suspicious language	Sublime Security	9mo ago Jul 16th, 2025	Credential Phishing Malware/Ransomware Image as content Impersonation: Brand PDF Scripting Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Sender analysis
Attachment: Office file contains OLE relationship to credential phishing page	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering File analysis HTML analysis Natural Language Understanding OLE analysis URL analysis
Attachment: Office file with credential phishing URLs	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering File analysis URL analysis Archive analysis Content analysis
Attachment: Office file with document sharing and browser instruction lures	Sublime Security	2mo ago Jan 29th, 2026	Credential Phishing Social engineering Evasion Archive analysis File analysis Macro analysis Optical Character Recognition Content analysis
Attachment: PDF bid/proposal lure with credential theft indicators	Sublime Security	28d ago Mar 27th, 2026	BEC/Fraud Credential Phishing PDF Social engineering Free file host Free subdomain host File analysis Content analysis Optical Character Recognition Natural Language Understanding URL analysis Exif analysis
Attachment: PDF contains W9 or invoice YARA signatures	Sublime Security	1mo ago Mar 18th, 2026	BEC/Fraud Credential Phishing PDF Social engineering File analysis YARA

564 Rules

Page 1 of 12