Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Mar 9th, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: PDF with suspicious language and redirect to suspicious file type	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Credential Phishing Evasion PDF File analysis Natural Language Understanding Optical Character Recognition URL analysis	/feeds/core/detection-rules/attachment-pdf-with-suspicious-language-and-redirect-to-suspicious-file-type-adda3c3f
Attachment: PDF with suspicious link and action-oriented language	Sublime Security	4d ago Mar 6th, 2026	Credential Phishing PDF Social engineering Evasion File analysis URL analysis Content analysis URL screenshot	/feeds/core/detection-rules/attachment-pdf-with-suspicious-link-and-action-oriented-language-816d33a0
Attachment: Potential sandbox evasion in Office file	@ajpc500	1mo ago Jan 12th, 2026	Malware/Ransomware Evasion Macros File analysis Macro analysis	/feeds/core/detection-rules/attachment-potential-sandbox-evasion-in-office-file-1c591681
Attachment: PowerPoint with suspicious hyperlink	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting Exif analysis File analysis	/feeds/core/detection-rules/attachment-powerpoint-with-suspicious-hyperlink-0a999fb1
Attachment: QR code link with base64-encoded recipient address	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing QR code Image as content Social engineering Evasion PDF Macros Computer Vision File analysis Natural Language Understanding QR code analysis Sender analysis	/feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a
Attachment: QR code with encoded recipient targeting and redirect indicators	Sublime Security	1mo ago Jan 30th, 2026	Credential Phishing QR code Evasion Image as content Open redirect Archive analysis File analysis QR code analysis URL analysis	/feeds/core/detection-rules/attachment-qr-code-with-encoded-recipient-targeting-and-redirect-indicators-5d51e565
Attachment: QR code with recipient targeting and special characters	Sublime Security	17d ago Feb 21st, 2026	Credential Phishing QR code Social engineering Evasion File analysis QR code analysis URL analysis Computer Vision	/feeds/core/detection-rules/attachment-qr-code-with-recipient-targeting-and-special-characters-fc9e1c09
Attachment: QR code with suspicious URL patterns in EML file	Sublime Security	17d ago Feb 21st, 2026	Credential Phishing QR code Evasion Social engineering Archive analysis File analysis QR code analysis URL analysis	/feeds/core/detection-rules/attachment-qr-code-with-suspicious-url-patterns-in-eml-file-2289acd5
Attachment: QR code with userinfo portion	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion Image as content PDF QR code QR code analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-qr-code-with-userinfo-portion-9d62cc5c
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender	Sublime Security	4mo ago Nov 4th, 2025	Credential Phishing Evasion Social engineering File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-rfc822-containing-suspicious-file-sharing-language-with-links-from-untrusted-sender-d96854d7
Attachment: RTF file with suspicious link	Sublime Security	7mo ago Jul 23rd, 2025	Credential Phishing Evasion Archive analysis File analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-rtf-file-with-suspicious-link-c848f9aa
Attachment: RTF with embedded content	@amitchell516	2y ago Feb 26th, 2024	Malware/Ransomware Evasion File analysis YARA	/feeds/core/detection-rules/attachment-rtf-with-embedded-content-61dd2dd7
Attachment: Self-sender PDF with minimal content and view prompt	Sublime Security	26d ago Feb 12th, 2026	Credential Phishing Malware/Ransomware PDF Social engineering Evasion Content analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-self-sender-pdf-with-minimal-content-and-view-prompt-07670a8c
Attachment: SFX archive containing commands	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting File analysis	/feeds/core/detection-rules/attachment-sfx-archive-containing-commands-343e6c8c
Attachment: Small text file with link containing recipient email address	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering File analysis URL analysis	/feeds/core/detection-rules/attachment-small-text-file-with-link-containing-recipient-email-address-c0472c9d
Attachment: Suspicious employee policy update document lure	Sublime Security	2mo ago Dec 26th, 2025	Credential Phishing PDF Social engineering Evasion Content analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-suspicious-employee-policy-update-document-lure-a8bf1fd1
Attachment: Suspicious PDF created with headless browser	Sublime Security	5mo ago Sep 17th, 2025	Credential Phishing Evasion PDF Content analysis Exif analysis File analysis Optical Character Recognition	/feeds/core/detection-rules/attachment-suspicious-pdf-created-with-headless-browser-8f3108d7
Attachment: SVG files with evasion elements	Sublime Security	7mo ago Aug 8th, 2025	Malware/Ransomware Credential Phishing QR code Image as content Evasion File analysis XML analysis QR code analysis Sender analysis	/feeds/core/detection-rules/attachment-svg-files-with-evasion-elements-5d2dbb60
Attachment: Web files with suspicious comments	Sublime Security	7mo ago Aug 8th, 2025	Credential Phishing Malware/Ransomware HTML smuggling Evasion File analysis HTML analysis Content analysis	/feeds/core/detection-rules/attachment-web-files-with-suspicious-comments-93061d17
Attachment: WinRAR CVE-2025-8088 exploitation	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Exploit Evasion Archive analysis File analysis YARA	/feeds/core/detection-rules/attachment-winrar-cve-2025-8088-exploitation-33b3a82b
Attachment with encrypted zip (unsolicited)	Sublime Security	7mo ago Jul 16th, 2025	Malware/Ransomware Evasion Encryption Archive analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-with-encrypted-zip-unsolicited-697c87ae
Attachment with macro calling executable	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Evasion Macros Archive analysis File analysis	/feeds/core/detection-rules/attachment-with-macro-calling-executable-5ee6a197
Attachment with unscannable encrypted zip (unsolicited)	Sublime Security	7mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Archive analysis File analysis Sender analysis YARA	/feeds/core/detection-rules/attachment-with-unscannable-encrypted-zip-unsolicited-529d4a9a
Attachment: XLSX file with suspicious print titles metadata	Sublime Security	5mo ago Sep 16th, 2025	Credential Phishing Evasion Macros File analysis Exif analysis	/feeds/core/detection-rules/attachment-xlsx-file-with-suspicious-print-titles-metadata-4c265cbe
BEC with unusual reply-to or return-path mismatch	Sublime Security	7d ago Mar 3rd, 2026	BEC/Fraud Evasion Free email provider Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/bec-with-unusual-reply-to-or-return-path-mismatch-83e5e2df
Benefits enrollment impersonation	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion Impersonation: Employee Out of band pivot Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/benefits-enrollment-impersonation-5a6eb5a8
Body: Embedded email headers indicative of thread hijacking/abuse	Sublime Security	3mo ago Dec 1st, 2025	Credential Phishing BEC/Fraud Spam Evasion Social engineering Spoofing Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/body-embedded-email-headers-indicative-of-thread-hijackingabuse-6e8eeebb
Body HTML: Recipient SLD in HTML class	Sublime Security	5mo ago Sep 23rd, 2025	Credential Phishing Evasion Social engineering HTML analysis Header analysis Sender analysis	/feeds/core/detection-rules/body-html-recipient-sld-in-html-class-d395e41d
Brand impersonation: Coinbase with suspicious links	Sublime Security	5mo ago Sep 22nd, 2025	Credential Phishing Evasion Free subdomain host Image as content Impersonation: Brand Computer Vision Content analysis File analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-coinbase-with-suspicious-links-b61e2f8e
Brand impersonation: DocuSign with embedded QR code	Sublime Security	4mo ago Oct 17th, 2025	Credential Phishing Evasion Image as content Impersonation: Brand QR code Computer Vision Content analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-docusign-with-embedded-qr-code-f5cde463
Brand impersonation: File sharing notification with template artifacts	Sublime Security	1mo ago Jan 23rd, 2026	Credential Phishing Impersonation: Brand Social engineering Evasion HTML analysis Computer Vision Content analysis Header analysis	/feeds/core/detection-rules/brand-impersonation-file-sharing-notification-with-template-artifacts-37d89611
Brand impersonation: Microsoft logo in HTML with fake quarantine release notification	Sublime Security	2mo ago Dec 10th, 2025	Credential Phishing Evasion Impersonation: Brand Social engineering Content analysis HTML analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-logo-in-html-with-fake-quarantine-release-notification-f12c615c
Brand impersonation: Microsoft Planner with suspicious link	Sublime Security	1mo ago Feb 6th, 2026	Credential Phishing Evasion Image as content Impersonation: Brand Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-planner-with-suspicious-link-ea363c08
Brand impersonation: QuickBooks notification from Intuit themed company name	Sublime Security	1mo ago Jan 12th, 2026	Callback Phishing Credential Phishing BEC/Fraud Evasion Social engineering Content analysis Sender analysis Header analysis	/feeds/core/detection-rules/brand-impersonation-quickbooks-notification-from-intuit-themed-company-name-42058fc4
Brand Impersonation: ShareFile	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Evasion Lookalike domain Header analysis Content analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-sharefile-f8330307
Brand impersonation: SharePoint PDF attachment with credential theft language	Sublime Security	4mo ago Nov 7th, 2025	Credential Phishing Impersonation: Brand Social engineering PDF Evasion Computer Vision File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis Header analysis Whois	/feeds/core/detection-rules/brand-impersonation-sharepoint-pdf-attachment-with-credential-theft-language-ae3756fa
Brand impersonation: Stripe notification	Sublime Security	5mo ago Sep 26th, 2025	Credential Phishing Evasion Impersonation: Brand Social engineering Content analysis Header analysis URL analysis Whois	/feeds/core/detection-rules/brand-impersonation-stripe-notification-3ffd2b03
Brand impersonation: Zoom	Sublime Security	5mo ago Sep 22nd, 2025	Credential Phishing Impersonation: Brand Social engineering Evasion Computer Vision Content analysis HTML analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/brand-impersonation-zoom-5abad540
Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)	Sublime Security	7mo ago Jul 16th, 2025	BEC/Fraud Evasion Free email provider Header analysis Sender analysis	/feeds/core/detection-rules/business-email-compromise-bec-attempt-with-masked-recipients-and-reply-to-mismatch-unsolicited-682191bf
Callback phishing: Social Security Administration fraud	Sublime Security	1mo ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/callback-phishing-social-security-administration-fraud-a9049d52
Callback phishing: SumUp infrastructure abuse	Sublime Security	6mo ago Sep 5th, 2025	BEC/Fraud Callback Phishing Evasion Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/callback-phishing-sumup-infrastructure-abuse-1c41649e
Callback phishing via Adobe Sign comment	Sublime Security	1mo ago Jan 12th, 2026	Callback Phishing Evasion Impersonation: Brand Out of band pivot Social engineering Content analysis Computer Vision Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/callback-phishing-via-adobe-sign-comment-7eb4516d
Callback phishing via calendar invite	Sublime Security	1mo ago Jan 22nd, 2026	Callback Phishing Social engineering Evasion File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/callback-phishing-via-calendar-invite-95c84360
Callback phishing via DocuSign comment	Sublime Security	1mo ago Jan 12th, 2026	Callback Phishing Evasion Impersonation: Brand Out of band pivot Social engineering Content analysis Computer Vision Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/callback-phishing-via-docusign-comment-48aec918
Callback phishing via Intuit service abuse	Sublime Security	1mo ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Optical Character Recognition	/feeds/core/detection-rules/callback-phishing-via-intuit-service-abuse-f2fe1294
Callback phishing via Zelle Service Abuse	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Callback Phishing Evasion Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/callback-phishing-via-zelle-service-abuse-08727484
Callback phishing via Zoho service abuse	Sublime Security	1mo ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Optical Character Recognition	/feeds/core/detection-rules/callback-phishing-via-zoho-service-abuse-61e351ec
Canva design with suspicious embedded link	Sublime Security	5mo ago Sep 29th, 2025	Credential Phishing Evasion Social engineering Free file host HTML analysis URL analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/canva-design-with-suspicious-embedded-link-02959e22
Credential phishing: Generic document sharing	Sublime Security	24d ago Feb 14th, 2026	Credential Phishing BEC/Fraud Social engineering Evasion Impersonation: Employee Content analysis Natural Language Understanding URL analysis Sender analysis	/feeds/core/detection-rules/credential-phishing-generic-document-sharing-9f0e1d2c
Credential phishing: Hyper-linked image leading to free file host	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Evasion Free file host Image as content Social engineering Content analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/credential-phishing-hyper-linked-image-leading-to-free-file-host-f5cb1eca

351 Rules

Page 3 of 8