Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Dec 19th, 2025

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Link: Recipient domain in URL path	Sublime Security	4mo ago Aug 5th, 2025	Credential Phishing Lookalike domain Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-recipient-domain-in-url-path-de08731f
Link to a domain with punycode characters	@ajpc500	1mo ago Nov 12th, 2025	Credential Phishing Evasion Lookalike domain Punycode Sender analysis URL analysis	/feeds/core/detection-rules/link-to-a-domain-with-punycode-characters-74b3698c
Lookalike sender domain (untrusted sender)	Sublime Security	5mo ago Jul 16th, 2025	BEC/Fraud Credential Phishing Malware/Ransomware Lookalike domain Social engineering Sender analysis	/feeds/core/detection-rules/lookalike-sender-domain-untrusted-sender-67721993
Punycode sender domain	Sublime Security	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion Lookalike domain Punycode Social engineering Sender analysis	/feeds/core/detection-rules/punycode-sender-domain-bc3d8db5
Sharepoint link likely unrelated to sender	Sublime Security	3mo ago Sep 19th, 2025	BEC/Fraud Credential Phishing Impersonation: Employee Lookalike domain OneNote PDF Social engineering URL analysis Sender analysis Header analysis HTML analysis	/feeds/core/detection-rules/sharepoint-link-likely-unrelated-to-sender-6870f489
Spam/fraud: Predatory journal/research paper request	Sublime Security	1mo ago Nov 3rd, 2025	BEC/Fraud Spam Social engineering Impersonation: Brand Lookalike domain Evasion Natural Language Understanding Content analysis Sender analysis URL analysis Whois	/feeds/core/detection-rules/spamfraud-predatory-journalresearch-paper-request-263ca56b
Suspected lookalike domain with suspicious language	Sublime Security	4mo ago Aug 5th, 2025	BEC/Fraud Evasion Lookalike domain Social engineering Content analysis Natural Language Understanding Sender analysis Whois	/feeds/core/detection-rules/suspected-lookalike-domain-with-suspicious-language-3674ced0
Vendor impersonation: Thread hijacking with typosquat domain	Sublime Security	1mo ago Nov 4th, 2025	BEC/Fraud Lookalike domain Social engineering Spoofing Content analysis Natural Language Understanding Sender analysis Whois	/feeds/core/detection-rules/vendor-impersonation-thread-hijacking-with-typosquat-domain-9c2f38ed

58 Rules

Page 2 of 2