Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Apr 24th, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: PDF file with link to fake Bitcoin exchange	Sublime Security	3mo ago Jan 12th, 2026	BEC/Fraud Free email provider Impersonation: Brand PDF Social engineering Exif analysis File analysis Sender analysis URL analysis
Attachment: PDF proposal with credential theft indicators	Sublime Security	1mo ago Mar 17th, 2026	Credential Phishing PDF Social engineering Evasion File analysis Natural Language Understanding Optical Character Recognition URL analysis
Attachment: PDF with a suspicious string and single URL	Sublime Security	14d ago Apr 10th, 2026	Credential Phishing PDF Social engineering Evasion Content analysis File analysis URL analysis Exif analysis
Attachment: PDF with credential theft language and invalid reply-to domain	Sublime Security	14d ago Apr 10th, 2026	Credential Phishing PDF Social engineering Spoofing File analysis Header analysis Natural Language Understanding Content analysis
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Free subdomain host PDF Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis
Attachment: PDF with Microsoft Purview message impersonation	Sublime Security	5mo ago Nov 10th, 2025	Credential Phishing Impersonation: Brand PDF Social engineering File analysis Natural Language Understanding Content analysis
Attachment: PDF with multistage landing - ClickUp abuse	Sublime Security	1mo ago Feb 27th, 2026	Credential Phishing Evasion Free file host Free subdomain host PDF Social engineering File analysis URL analysis Whois
Attachment: PDF with personal Microsoft OneNote URL	Sublime Security	4mo ago Dec 4th, 2025	Credential Phishing PDF Social engineering File analysis Content analysis
Attachment: PDF with recipient email in link	Sublime Security	1mo ago Mar 3rd, 2026	Credential Phishing PDF QR code Encryption Social engineering File analysis QR code analysis URL analysis
Attachment: PDF with suspicious link and action-oriented language	Sublime Security	1mo ago Mar 6th, 2026	Credential Phishing PDF Social engineering Evasion File analysis URL analysis Content analysis URL screenshot
Attachment: PDF with suspicious view document characteristics	Sublime Security	1d ago Apr 23rd, 2026	Credential Phishing Malware/Ransomware PDF Social engineering Evasion File analysis YARA
Attachment: QR code link with base64-encoded recipient address	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing QR code Image as content Social engineering Evasion PDF Macros Computer Vision File analysis Natural Language Understanding QR code analysis Sender analysis
Attachment: QR code with credential phishing indicators	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing QR code Social engineering Computer Vision Header analysis Natural Language Understanding QR code analysis Sender analysis URL analysis URL screenshot
Attachment: QR code with recipient targeting and special characters	Sublime Security	2mo ago Feb 21st, 2026	Credential Phishing QR code Social engineering Evasion File analysis QR code analysis URL analysis Computer Vision
Attachment: QR code with suspicious URL patterns in EML file	Sublime Security	2mo ago Feb 21st, 2026	Credential Phishing QR code Evasion Social engineering Archive analysis File analysis QR code analysis URL analysis
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender	Sublime Security	5mo ago Nov 4th, 2025	Credential Phishing Evasion Social engineering File analysis Header analysis Natural Language Understanding Sender analysis
Attachment: RFP/RFQ impersonating government entities	Sublime Security	2y ago Jan 30th, 2024	BEC/Fraud Impersonation: Brand PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Attachment: Self-sender PDF with minimal content and view prompt	Sublime Security	2mo ago Feb 12th, 2026	Credential Phishing Malware/Ransomware PDF Social engineering Evasion Content analysis File analysis Sender analysis
Attachment: Small text file with link containing recipient email address	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering File analysis URL analysis
Attachment: Soda PDF producer with encryption themes	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing PDF Social engineering File analysis Optical Character Recognition
Attachment: Suspicious employee policy update document lure	Sublime Security	3mo ago Dec 26th, 2025	Credential Phishing PDF Social engineering Evasion Content analysis File analysis Sender analysis
Attachment: USDA bid invitation impersonation	Sublime Security	8mo ago Aug 5th, 2025	BEC/Fraud Impersonation: Brand PDF Macros Social engineering Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis
Attachment with VBA macros from employee impersonation (unsolicited)	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Impersonation: Employee Macros Social engineering Archive analysis File analysis Macro analysis Sender analysis
BEC: Employee impersonation with subject manipulation	Sublime Security	3mo ago Jan 16th, 2026	BEC/Fraud Impersonation: Employee Social engineering Content analysis Natural Language Understanding Sender analysis
BEC/Fraud: Generic scam attempt to undisclosed recipients	Sublime Security	3mo ago Jan 12th, 2026	BEC/Fraud Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis
BEC/Fraud: Penpal scam	Sublime Security	8mo ago Aug 5th, 2025	BEC/Fraud Free email provider Social engineering Content analysis Header analysis Sender analysis
BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply	Sublime Security	1mo ago Mar 11th, 2026	BEC/Fraud Social engineering Evasion Content analysis Header analysis Sender analysis
BEC/Fraud: Romance scam	Sublime Security	1mo ago Mar 9th, 2026	BEC/Fraud Free email provider Social engineering Content analysis Header analysis
BEC/Fraud: Student loan callback phishing	Sublime Security	7mo ago Sep 5th, 2025	BEC/Fraud Free email provider Out of band pivot Social engineering Content analysis Natural Language Understanding Sender analysis
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns	Sublime Security	7d ago Apr 17th, 2026	BEC/Fraud Callback Phishing Spam Impersonation: Brand Social engineering Free email provider Content analysis Header analysis Sender analysis Whois
BEC with unusual reply-to or return-path mismatch	Sublime Security	1mo ago Mar 3rd, 2026	BEC/Fraud Evasion Free email provider Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis
Benefits enrollment impersonation	Sublime Security	21d ago Apr 3rd, 2026	Credential Phishing Evasion Impersonation: Employee Out of band pivot Social engineering Content analysis Header analysis Sender analysis
Body: Embedded email headers indicative of thread hijacking/abuse	Sublime Security	4mo ago Dec 1st, 2025	Credential Phishing BEC/Fraud Spam Evasion Social engineering Spoofing Content analysis Header analysis Sender analysis
Body HTML: Recipient SLD in HTML class	Sublime Security	7mo ago Sep 23rd, 2025	Credential Phishing Evasion Social engineering HTML analysis Header analysis Sender analysis
Body: PayApp transaction reference pattern	Sublime Security	17d ago Apr 7th, 2026	Callback Phishing BEC/Fraud Impersonation: Brand Social engineering Content analysis
Body: Suspicious date format	Sublime Security	2d ago Apr 22nd, 2026	Credential Phishing Evasion Spoofing Social engineering Content analysis
Brand impersonation: AARP	Sublime Security	4mo ago Dec 1st, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis Sender analysis
Brand impersonation: Adobe Sign with suspicious indicators	Sublime Security	3mo ago Jan 8th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis HTML analysis Sender analysis
Brand impersonation: Adobe with suspicious language and link	Sublime Security	5mo ago Nov 24th, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Sender analysis
Brand impersonation: ADP	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Header analysis Sender analysis
Brand impersonation: AliExpress	Sublime Security	8mo ago Aug 5th, 2025	Callback Phishing Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis URL analysis
Brand impersonation: Amazon	Sublime Security	2mo ago Feb 13th, 2026	Credential Phishing Impersonation: Brand Social engineering Header analysis Sender analysis
Brand impersonation: Amazon Web Services (AWS)	Sublime Security	6mo ago Oct 10th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis Optical Character Recognition Sender analysis Natural Language Understanding
Brand impersonation: Amazon with suspicious attachment	Sublime Security	10d ago Apr 14th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis
Brand impersonation: American Express (AMEX)	Sublime Security	2mo ago Feb 17th, 2026	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Header analysis Sender analysis
Brand impersonation: Apple	Sublime Security	3y ago Aug 21st, 2023	Credential Phishing Impersonation: Brand Social engineering Header analysis Sender analysis
Brand impersonation: Aquent	Sublime Security	6mo ago Oct 9th, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis Sender analysis
Brand impersonation: Aramco	Sublime Security	2mo ago Jan 28th, 2026	BEC/Fraud Impersonation: Brand Lookalike domain Social engineering Content analysis Header analysis HTML analysis Natural Language Understanding Sender analysis
Brand impersonation: AuthentiSign	Sublime Security	3mo ago Jan 21st, 2026	Credential Phishing BEC/Fraud Impersonation: Brand Lookalike domain Social engineering Content analysis Header analysis Sender analysis
Brand impersonation: Bank of America	Sublime Security	24d ago Mar 31st, 2026	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Header analysis Sender analysis

563 Rules

Page 2 of 12