Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Apr 24th, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: HTML smuggling 'body onload' linking to suspicious destination	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis URL analysis
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis
Attachment: HTML smuggling with atob and high entropy via calendar invite	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting File analysis HTML analysis Javascript analysis Sender analysis
Attachment: HTML smuggling with base64 encoded ZIP file	Sublime Security	5mo ago Nov 20th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with concatenation obfuscation	@vector_sec	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis
Attachment: HTML smuggling with decimal encoding	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis
Attachment: HTML smuggling with embedded base64-encoded executable	Sublime Security	2y ago Mar 25th, 2024	Malware/Ransomware Evasion HTML smuggling Archive analysis File analysis HTML analysis YARA
Attachment: HTML smuggling with embedded base64-encoded ISO	Sublime Security	3y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling ISO Archive analysis Content analysis File analysis HTML analysis Sender analysis
Attachment: HTML smuggling with eval and atob	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with eval and atob via calendar invite	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with excessive line break obfuscation	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns	Sublime Security	2y ago Aug 27th, 2024	Credential Phishing Evasion HTML smuggling Scripting Social engineering File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with fromCharCode and other signals	Sublime Security	3y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis Javascript analysis HTML analysis
Attachment: HTML smuggling with hex strings	@ajpc500	3y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with high entropy and other signals	Sublime Security	3y ago Aug 21st, 2023	Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis
Attachment: HTML smuggling with raw array buffer	Sublime Security	3y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion Free subdomain host HTML smuggling Archive analysis Content analysis File analysis Javascript analysis
Attachment: HTML smuggling with RC4 decryption	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with ROT13	@Kyle_Parrish_	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis Javascript analysis HTML analysis
Attachment: HTML smuggling with setTimeout	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with unescape	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis File analysis HTML analysis Javascript analysis
Attachment: HTML with emoji-to-character map	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Evasion HTML smuggling Impersonation: Brand Scripting Social engineering File analysis HTML analysis Javascript analysis Sender analysis
Attachment: HTML with hidden body	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Scripting Content analysis HTML analysis File analysis
Attachment: HTML with JavaScript functions for HTTP requests	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Evasion Scripting Content analysis HTML analysis Javascript analysis File analysis
Attachment: ICS calendar file with QR code containing recipient email address	Sublime Security	4d ago Apr 20th, 2026	Credential Phishing QR code Social engineering Evasion File analysis QR code analysis URL analysis Content analysis
Attachment: ICS calendar with embedded file from internal sender with SPF failure	Sublime Security	6mo ago Oct 22nd, 2025	Credential Phishing Spoofing Evasion File analysis Header analysis Sender analysis
Attachment: ICS file with AWS Lambda URL	Sublime Security	23d ago Apr 1st, 2026	Credential Phishing Malware/Ransomware Evasion Free file host Content analysis File analysis URL analysis
Attachment: ICS file with excessive custom properties	Sublime Security	1mo ago Mar 17th, 2026	Malware/Ransomware Evasion File analysis Content analysis
Attachment: ICS file with non-Gregorian calendar scale	Sublime Security	5mo ago Nov 4th, 2025	Credential Phishing Evasion File analysis Content analysis
Attachment: ICS with embedded document	Sublime Security	7mo ago Sep 22nd, 2025	Malware/Ransomware Evasion File analysis
Attachment: ICS with embedded Javascript in SVG file	Sublime Security	2mo ago Jan 29th, 2026	Credential Phishing Malware/Ransomware Scripting Evasion File analysis Javascript analysis Sender analysis
Attachment: ICS with employee policy review lure	Sublime Security	1mo ago Mar 16th, 2026	Credential Phishing BEC/Fraud Evasion Social engineering File analysis Content analysis
Attachment: JavaScript file with suspicious base64-encoded executable	Sublime Security	2y ago Apr 1st, 2024	Malware/Ransomware Evasion Scripting Archive analysis File analysis YARA
Attachment: Legal themed message or PDF with suspicious indicators	Sublime Security	21d ago Apr 3rd, 2026	Credential Phishing Extortion BEC/Fraud Evasion PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition URL analysis Whois Header analysis Exif analysis
Attachment: Link file with UNC path	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion LNK File analysis
Attachment: Link to Doubleclick.net open redirect	Sublime Security	8mo ago Aug 5th, 2025	BEC/Fraud Credential Phishing Evasion Open redirect Social engineering Content analysis File analysis URL analysis
Attachment: Macro files containing MHT content	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Credential Phishing Evasion Macros Scripting Archive analysis File analysis Macro analysis
Attachment: Malformed OLE file	Sublime Security	2y ago Nov 25th, 2024	Credential Phishing Malware/Ransomware Evasion File analysis YARA
Attachment: MSI installer file	@ajpc500	8mo ago Aug 5th, 2025	Malware/Ransomware Evasion Archive analysis File analysis
Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK	Sublime Security	2mo ago Jan 28th, 2026	Malware/Ransomware Evasion File analysis YARA
Attachment: Office file contains OLE relationship to credential phishing page	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering File analysis HTML analysis Natural Language Understanding OLE analysis URL analysis
Attachment: Office file with credential phishing URLs	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering File analysis URL analysis Archive analysis Content analysis
Attachment: Office file with document sharing and browser instruction lures	Sublime Security	2mo ago Jan 29th, 2026	Credential Phishing Social engineering Evasion Archive analysis File analysis Macro analysis Optical Character Recognition Content analysis
Attachment: Office file with suspicious function calls or downloaded file path	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting Archive analysis File analysis
Attachment: OLE external relationship containing file scheme link to executable filetype	Sublime Security	5mo ago Nov 24th, 2025	Malware/Ransomware Evasion Archive analysis Content analysis OLE analysis Sender analysis
Attachment: OLE external relationship containing file scheme link to IP address	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion Archive analysis Content analysis OLE analysis Sender analysis
Attachment: Password-protected PDF with fake document indicators	Sublime Security	3mo ago Jan 21st, 2026	Malware/Ransomware Credential Phishing Encryption Evasion PDF File analysis YARA Exif analysis
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis File analysis Sender analysis
Attachment: PDF file with low reputation link to ZIP file (unsolicited)	Michael Tingle	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis File analysis Natural Language Understanding Sender analysis URL analysis
Attachment: PDF generated with wkhtmltopdf tool and default title	Sublime Security	4mo ago Dec 19th, 2025	BEC/Fraud Callback Phishing Credential Phishing Malware/Ransomware PDF Evasion File analysis Exif analysis
Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification	Sublime Security	1mo ago Mar 2nd, 2026	Malware/Ransomware PDF Evasion File analysis Threat intelligence

391 Rules

Page 2 of 8