Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Mar 9th, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: Microsoft impersonation via PDF with link and suspicious language	Sublime Security	7mo ago Jul 16th, 2025	Credential Phishing Malware/Ransomware Image as content Impersonation: Brand PDF Scripting Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-microsoft-impersonation-via-pdf-with-link-and-suspicious-language-70d41c7f
Attachment: Office document with VSTO add-in	@vector_sec	1mo ago Jan 12th, 2026	Malware/Ransomware Scripting Archive analysis Content analysis Exif analysis File analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-office-document-with-vsto-add-in-27afa730
Attachment: Office file with suspicious function calls or downloaded file path	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting Archive analysis File analysis	/feeds/core/detection-rules/attachment-office-file-with-suspicious-function-calls-or-downloaded-file-path-4c78b969
Attachment: PowerPoint with suspicious hyperlink	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting Exif analysis File analysis	/feeds/core/detection-rules/attachment-powerpoint-with-suspicious-hyperlink-0a999fb1
Attachment: PowerShell content	@ajpc500	7mo ago Aug 5th, 2025	Malware/Ransomware Scripting Archive analysis File analysis	/feeds/core/detection-rules/attachment-powershell-content-c12566db
Attachment: SFX archive containing commands	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting File analysis	/feeds/core/detection-rules/attachment-sfx-archive-containing-commands-343e6c8c
Attachment: SVG file execution	Sublime Security	7mo ago Aug 8th, 2025	Malware/Ransomware Scripting Archive analysis Content analysis File analysis	/feeds/core/detection-rules/attachment-svg-file-execution-084b0cde
CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Evasion Exploit HTML smuggling Scripting Content analysis HTML analysis Sender analysis	/feeds/core/detection-rules/cve-2023-5631-roundcube-webmail-xss-via-crafted-svg-8405d61b
HTML: Bidirectional (BIDI) HTML override with right to left obfuscation	Sublime Security	4mo ago Oct 17th, 2025	BEC/Fraud Credential Phishing Evasion Social engineering Scripting Content analysis HTML analysis	/feeds/core/detection-rules/html-bidirectional-bidi-html-override-with-right-to-left-obfuscation-f93940d2
HTML smuggling containing recipient email address	Sublime Security	4mo ago Nov 4th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis File analysis Sender analysis	/feeds/core/detection-rules/html-smuggling-containing-recipient-email-address-af32ff2f
Link: Cryptocurrency fraud with suspicious links	Sublime Security	3mo ago Dec 1st, 2025	BEC/Fraud Social engineering Evasion Free subdomain host Scripting Content analysis Header analysis Javascript analysis Natural Language Understanding Sender analysis URL analysis URL screenshot Whois	/feeds/core/detection-rules/link-cryptocurrency-fraud-with-suspicious-links-d0da37ce
Link: JavaScript obfuscation with Telegram bot integration	Sublime Security	13d ago Feb 25th, 2026	Credential Phishing Evasion Scripting Content analysis Javascript analysis URL analysis	/feeds/core/detection-rules/link-javascript-obfuscation-with-telegram-bot-integration-032a4485
Mass campaign: Cross Site Scripting (XSS) attempt	Sublime Security	7mo ago Jul 16th, 2025	Malware/Ransomware Spam Exploit Free email provider Scripting Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/mass-campaign-cross-site-scripting-xss-attempt-6cbb7124
Suspected cross-site scripting (XSS) found in subject	Sublime Security	6mo ago Sep 4th, 2025	Credential Phishing Evasion Scripting Content analysis Sender analysis	/feeds/core/detection-rules/suspected-cross-site-scripting-xss-found-in-subject-8a946cfa
Suspected WordPress abuse with cross-site scripting (XSS) indicators	Sublime Security	7mo ago Aug 5th, 2025	Malware/Ransomware Credential Phishing Scripting Impersonation: Brand Social engineering Content analysis Sender analysis	/feeds/core/detection-rules/suspected-wordpress-abuse-with-cross-site-scripting-xss-indicators-9c21225b

65 Rules

Page 2 of 2