Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Jun 29th, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: PDF with ReportLab library and default metadata	Sublime Security	4mo ago Feb 27th, 2026	Credential Phishing PDF Evasion File analysis Exif analysis
Attachment: PDF With SAI Global ISO9001 Logo	Sublime Security	2mo ago Apr 15th, 2026	Credential Phishing Impersonation: Brand PDF File analysis YARA
Attachment: PDF with self-service platform links with self sender or blank recipients	Sublime Security	20d ago Jun 10th, 2026	BEC/Fraud Credential Phishing PDF Evasion Free file host File analysis Exif analysis URL analysis Sender analysis
Attachment: PDF with specific author metadata	Sublime Security	29d ago Jun 1st, 2026	Credential Phishing PDF Exif analysis File analysis
Attachment: PDF with split QR code	Sublime Security	2mo ago Apr 15th, 2026	Credential Phishing Evasion PDF QR code File analysis YARA QR code analysis
Attachment: PDF with suspicious HeadlessChrome metadata	Sublime Security	1mo ago May 1st, 2026	Credential Phishing Malware/Ransomware Evasion PDF File analysis Exif analysis
Attachment: PDF with suspicious internal object reference identifier	Sublime Security	18h ago Jun 29th, 2026	BEC/Fraud PDF Content analysis File analysis
Attachment: PDF with suspicious language and redirect to suspicious file type	Sublime Security	5mo ago Jan 12th, 2026	Malware/Ransomware Credential Phishing Evasion PDF File analysis Natural Language Understanding Optical Character Recognition URL analysis
Attachment: PDF with suspicious link and action-oriented language	Sublime Security	1mo ago May 18th, 2026	Credential Phishing PDF Social engineering Evasion File analysis URL analysis Content analysis URL screenshot
Attachment: PDF with suspicious view document characteristics	Sublime Security	2mo ago Apr 23rd, 2026	Credential Phishing Malware/Ransomware PDF Social engineering Evasion File analysis YARA
Attachment: PDF with W-9 form indicators	Sublime Security	4d ago Jun 26th, 2026	BEC/Fraud PDF Social engineering Impersonation: Brand YARA File analysis Content analysis
Attachment: QR code link with base64-encoded recipient address	Sublime Security	2mo ago Apr 29th, 2026	Credential Phishing QR code Image as content Social engineering Evasion PDF Macros Computer Vision File analysis Natural Language Understanding QR code analysis Sender analysis
Attachment: QR code with userinfo portion	Sublime Security	2mo ago Apr 30th, 2026	Credential Phishing Malware/Ransomware Evasion Image as content PDF QR code QR code analysis File analysis Sender analysis
Attachment: RFP/RFQ impersonating government entities	Sublime Security	2y ago Jan 30th, 2024	BEC/Fraud Impersonation: Brand PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Attachment: Self-sender PDF with minimal content and view prompt	Sublime Security	4mo ago Feb 12th, 2026	Credential Phishing Malware/Ransomware PDF Social engineering Evasion Content analysis File analysis Sender analysis
Attachment: Soda PDF producer with encryption themes	Sublime Security	10mo ago Aug 5th, 2025	Credential Phishing PDF Social engineering File analysis Optical Character Recognition
Attachment: Suspicious employee policy update document lure	Sublime Security	6mo ago Dec 26th, 2025	Credential Phishing PDF Social engineering Evasion Content analysis File analysis Sender analysis
Attachment: Suspicious PDF created with headless browser	Sublime Security	1mo ago May 7th, 2026	Credential Phishing Evasion PDF Content analysis Exif analysis File analysis Optical Character Recognition
Attachment: USDA bid invitation impersonation	Sublime Security	10mo ago Aug 5th, 2025	BEC/Fraud Impersonation: Brand PDF Macros Social engineering Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis
Brand impersonation: Adobe Acrobat Sign PDF phishing file format template	Sublime Security	29d ago Jun 1st, 2026	Credential Phishing Impersonation: Brand PDF Computer Vision Optical Character Recognition File analysis
Brand impersonation: Adobe (QR code)	Sublime Security	2mo ago Apr 20th, 2026	Credential Phishing Impersonation: Brand PDF QR code Computer Vision Header analysis QR code analysis Sender analysis
Brand impersonation: DocuSign PDF attachment with suspicious link	Sublime Security	8mo ago Oct 22nd, 2025	Credential Phishing Impersonation: Brand PDF Social engineering File analysis Natural Language Understanding Optical Character Recognition URL analysis
Brand impersonation: DocuSign (QR code)	Sublime Security	8mo ago Oct 15th, 2025	Credential Phishing Impersonation: Brand PDF QR code Social engineering Computer Vision Header analysis QR code analysis Sender analysis
Brand impersonation: Fake procurement/RFQ PDF from energy and industrial companies	Sublime Security	5d ago Jun 25th, 2026	BEC/Fraud Impersonation: Brand PDF Social engineering Image as content Optical Character Recognition File analysis Content analysis
Brand Impersonation: Google (QR Code)	Sublime Security	8mo ago Oct 17th, 2025	Credential Phishing Impersonation: Brand PDF QR code Computer Vision Header analysis QR code analysis Sender analysis
Brand impersonation: Microsoft (QR code)	Sublime Security	5mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand PDF QR code Social engineering Computer Vision Header analysis QR code analysis Sender analysis
Brand impersonation: SharePoint PDF attachment with credential theft language	Sublime Security	1mo ago May 4th, 2026	Credential Phishing Impersonation: Brand Social engineering PDF Evasion Computer Vision File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis Header analysis Whois
Callback phishing: Social Security Administration fraud	Sublime Security	5mo ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis
Credential phishing: Tax form impersonation with payment request	Sublime Security	4mo ago Feb 13th, 2026	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering PDF Content analysis Header analysis Sender analysis URL analysis
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender	Sublime Security	1y ago Feb 3rd, 2025	BEC/Fraud Free email provider PDF Social engineering QR code Content analysis File analysis QR code analysis
Link: PDF display text with fake copyright claim template	Sublime Security	3mo ago Mar 18th, 2026	Credential Phishing Malware/Ransomware Evasion Image as content PDF Content analysis HTML analysis
Link: PDF file disguised as HTML page	Sublime Security	25d ago Jun 5th, 2026	Credential Phishing Malware/Ransomware Evasion PDF URL analysis Content analysis
Link: PDF filename impersonation with credential theft language	Sublime Security	4mo ago Feb 12th, 2026	Credential Phishing Social engineering Evasion PDF Content analysis Natural Language Understanding Header analysis Sender analysis URL analysis
Link: SharePoint OneNote or PDF link with self sender behavior	Sublime Security	4mo ago Feb 27th, 2026	Credential Phishing Evasion Free file host OneNote PDF Header analysis URL analysis Sender analysis
Link: Uncommon SharePoint document type with sender's display name	Sublime Security	10mo ago Aug 5th, 2025	Credential Phishing Social engineering OneNote PDF Content analysis Header analysis HTML analysis URL analysis
PDF attachment with Google (AE) redirecting to a php or zip file	Sublime Security	5mo ago Jan 12th, 2026	Malware/Ransomware Open redirect PDF Content analysis File analysis URL analysis
Sharepoint link likely unrelated to sender	Sublime Security	5mo ago Jan 12th, 2026	BEC/Fraud Credential Phishing Impersonation: Employee Lookalike domain OneNote PDF Social engineering URL analysis Sender analysis Header analysis HTML analysis
Spam: Unsolicited malformed PDF	Sublime Security	11mo ago Jul 16th, 2025	Spam Evasion Free email provider PDF Content analysis File analysis Sender analysis
Stripe invoice abuse	Sublime Security	5mo ago Jan 12th, 2026	BEC/Fraud Callback Phishing PDF File analysis Header analysis
Suspicious attachment: Duplicate decoy PDF files	Sublime Security	10mo ago Aug 5th, 2025	Credential Phishing Evasion PDF File analysis Optical Character Recognition
Suspicious attachment with unscannable Cloudflare link	Sublime Security	5mo ago Jan 12th, 2026	Credential Phishing Evasion PDF Social engineering Impersonation: Employee Impersonation: VIP File analysis URL analysis Sender analysis Content analysis Header analysis Natural Language Understanding
Suspicious SharePoint file sharing	Sublime Security	10mo ago Aug 5th, 2025	Credential Phishing Free email provider Free file host OneNote PDF Content analysis Header analysis Sender analysis URL analysis
URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)	Sublime Security	5mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware PDF File analysis Threat intelligence URL analysis

93 Rules

Page 2 of 2