Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Mar 27th, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Callback phishing: Social Security Administration fraud	Sublime Security	2mo ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis
Credential phishing: Tax form impersonation with payment request	Sublime Security	1mo ago Feb 13th, 2026	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering PDF Content analysis Header analysis Sender analysis URL analysis
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender	Sublime Security	1y ago Feb 3rd, 2025	BEC/Fraud Free email provider PDF Social engineering QR code Content analysis File analysis QR code analysis
Link: PDF display text with fake copyright claim template	Sublime Security	12d ago Mar 18th, 2026	Credential Phishing Malware/Ransomware Evasion Image as content PDF Content analysis HTML analysis
Link: PDF filename impersonation with credential theft language	Sublime Security	1mo ago Feb 12th, 2026	Credential Phishing Social engineering Evasion PDF Content analysis Natural Language Understanding Header analysis Sender analysis URL analysis
Link: SharePoint OneNote or PDF link with self sender behavior	Sublime Security	1mo ago Feb 27th, 2026	Credential Phishing Evasion Free file host OneNote PDF Header analysis URL analysis Sender analysis
Link: Uncommon SharePoint document type with sender's display name	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Social engineering OneNote PDF Content analysis Header analysis HTML analysis URL analysis
PDF attachment with Google (AE) redirecting to a php or zip file	Sublime Security	2mo ago Jan 12th, 2026	Malware/Ransomware Open redirect PDF Content analysis File analysis URL analysis
Sharepoint link likely unrelated to sender	Sublime Security	2mo ago Jan 12th, 2026	BEC/Fraud Credential Phishing Impersonation: Employee Lookalike domain OneNote PDF Social engineering URL analysis Sender analysis Header analysis HTML analysis
Spam: Unsolicited malformed PDF	Sublime Security	8mo ago Jul 16th, 2025	Spam Evasion Free email provider PDF Content analysis File analysis Sender analysis
Stripe invoice abuse	Sublime Security	2mo ago Jan 12th, 2026	BEC/Fraud Callback Phishing PDF File analysis Header analysis
Suspicious attachment: Duplicate decoy PDF files	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Evasion PDF File analysis Optical Character Recognition
Suspicious attachment with unscannable Cloudflare link	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Evasion PDF Social engineering Impersonation: Employee Impersonation: VIP File analysis URL analysis Sender analysis Content analysis Header analysis Natural Language Understanding
Suspicious SharePoint file sharing	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Free email provider Free file host OneNote PDF Content analysis Header analysis Sender analysis URL analysis
URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware PDF File analysis Threat intelligence URL analysis

65 Rules

Page 2 of 2