Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Apr 24th, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: PDF proposal with credential theft indicators	Sublime Security	1mo ago Mar 17th, 2026	Credential Phishing PDF Social engineering Evasion File analysis Natural Language Understanding Optical Character Recognition URL analysis
Attachment: PDF with a suspicious string and single URL	Sublime Security	14d ago Apr 10th, 2026	Credential Phishing PDF Social engineering Evasion Content analysis File analysis URL analysis Exif analysis
Attachment: PDF with JSFck obfuscation	Sublime Security	2d ago Apr 22nd, 2026	Malware/Ransomware Evasion PDF File analysis YARA
Attachment: PDF with link to DMG file download	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis
Attachment: PDF with link to zip containing a wsf file	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis
Attachment: PDF with multistage landing - ClickUp abuse	Sublime Security	1mo ago Feb 27th, 2026	Credential Phishing Evasion Free file host Free subdomain host PDF Social engineering File analysis URL analysis Whois
Attachment: PDF with password in filename matching body text	Sublime Security	2mo ago Feb 19th, 2026	Malware/Ransomware Credential Phishing Encryption Evasion PDF Content analysis File analysis
Attachment: PDF with ReportLab library and default metadata	Sublime Security	1mo ago Feb 27th, 2026	Credential Phishing PDF Evasion File analysis Exif analysis
Attachment: PDF with split QR code	Sublime Security	9d ago Apr 15th, 2026	Credential Phishing Evasion PDF QR code File analysis YARA QR code analysis
Attachment: PDF with suspicious HeadlessChrome metadata	Sublime Security	3mo ago Jan 8th, 2026	Credential Phishing Malware/Ransomware Evasion PDF File analysis Exif analysis
Attachment: PDF with suspicious language and redirect to suspicious file type	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Credential Phishing Evasion PDF File analysis Natural Language Understanding Optical Character Recognition URL analysis
Attachment: PDF with suspicious link and action-oriented language	Sublime Security	1mo ago Mar 6th, 2026	Credential Phishing PDF Social engineering Evasion File analysis URL analysis Content analysis URL screenshot
Attachment: PDF with suspicious view document characteristics	Sublime Security	1d ago Apr 23rd, 2026	Credential Phishing Malware/Ransomware PDF Social engineering Evasion File analysis YARA
Attachment: Potential sandbox evasion in Office file	@ajpc500	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion Macros File analysis Macro analysis
Attachment: PowerPoint with suspicious hyperlink	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting Exif analysis File analysis
Attachment: QR code link with base64-encoded recipient address	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing QR code Image as content Social engineering Evasion PDF Macros Computer Vision File analysis Natural Language Understanding QR code analysis Sender analysis
Attachment: QR code with encoded recipient targeting and redirect indicators	Sublime Security	2mo ago Jan 30th, 2026	Credential Phishing QR code Evasion Image as content Open redirect Archive analysis File analysis QR code analysis URL analysis
Attachment: QR code with recipient targeting and special characters	Sublime Security	2mo ago Feb 21st, 2026	Credential Phishing QR code Social engineering Evasion File analysis QR code analysis URL analysis Computer Vision
Attachment: QR code with suspicious URL patterns in EML file	Sublime Security	2mo ago Feb 21st, 2026	Credential Phishing QR code Evasion Social engineering Archive analysis File analysis QR code analysis URL analysis
Attachment: QR code with userinfo portion	Sublime Security	1d ago Apr 23rd, 2026	Credential Phishing Malware/Ransomware Evasion Image as content PDF QR code QR code analysis File analysis Sender analysis
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender	Sublime Security	5mo ago Nov 4th, 2025	Credential Phishing Evasion Social engineering File analysis Header analysis Natural Language Understanding Sender analysis
Attachment: RTF file with suspicious link	Sublime Security	9mo ago Jul 23rd, 2025	Credential Phishing Evasion Archive analysis File analysis Sender analysis URL analysis
Attachment: RTF with embedded content	@amitchell516	2y ago Feb 26th, 2024	Malware/Ransomware Evasion File analysis YARA
Attachment: Self-sender PDF with minimal content and view prompt	Sublime Security	2mo ago Feb 12th, 2026	Credential Phishing Malware/Ransomware PDF Social engineering Evasion Content analysis File analysis Sender analysis
Attachment: SFX archive containing commands	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting File analysis
Attachment: Small text file with link containing recipient email address	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering File analysis URL analysis
Attachment: Suspicious employee policy update document lure	Sublime Security	3mo ago Dec 26th, 2025	Credential Phishing PDF Social engineering Evasion Content analysis File analysis Sender analysis
Attachment: Suspicious PDF created with headless browser	Sublime Security	7mo ago Sep 17th, 2025	Credential Phishing Evasion PDF Content analysis Exif analysis File analysis Optical Character Recognition
Attachment: SVG files with evasion elements	Sublime Security	8mo ago Aug 8th, 2025	Malware/Ransomware Credential Phishing QR code Image as content Evasion File analysis XML analysis QR code analysis Sender analysis
Attachment: TAR file with RAR type	Sublime Security	1h ago Apr 24th, 2026	Malware/Ransomware Evasion Archive analysis File analysis
Attachment: Web files with suspicious comments	Sublime Security	8mo ago Aug 8th, 2025	Credential Phishing Malware/Ransomware HTML smuggling Evasion File analysis HTML analysis Content analysis
Attachment: WinRAR CVE-2025-8088 exploitation	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Exploit Evasion Archive analysis File analysis YARA
Attachment with encrypted zip (unsolicited)	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Evasion Encryption Archive analysis File analysis Sender analysis
Attachment with macro calling executable	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Evasion Macros Archive analysis File analysis
Attachment with unscannable encrypted zip (unsolicited)	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Archive analysis File analysis Sender analysis YARA
Attachment: XLSX file with suspicious print titles metadata	Sublime Security	7mo ago Sep 16th, 2025	Credential Phishing Evasion Macros File analysis Exif analysis
Attachment: ZIP file with CVE-2026-0866 exploit	Sublime Security	1mo ago Mar 20th, 2026	Malware/Ransomware Exploit Evasion Archive analysis File analysis YARA
BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply	Sublime Security	1mo ago Mar 11th, 2026	BEC/Fraud Social engineering Evasion Content analysis Header analysis Sender analysis
BEC with unusual reply-to or return-path mismatch	Sublime Security	1mo ago Mar 3rd, 2026	BEC/Fraud Evasion Free email provider Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis
Benefits enrollment impersonation	Sublime Security	21d ago Apr 3rd, 2026	Credential Phishing Evasion Impersonation: Employee Out of band pivot Social engineering Content analysis Header analysis Sender analysis
Body: Embedded email headers indicative of thread hijacking/abuse	Sublime Security	4mo ago Dec 1st, 2025	Credential Phishing BEC/Fraud Spam Evasion Social engineering Spoofing Content analysis Header analysis Sender analysis
Body HTML: Comment with 24-character hex token	Sublime Security	1mo ago Mar 17th, 2026	Spam Evasion Content analysis HTML analysis
Body HTML: Recipient SLD in HTML class	Sublime Security	7mo ago Sep 23rd, 2025	Credential Phishing Evasion Social engineering HTML analysis Header analysis Sender analysis
Body: Suspicious date format	Sublime Security	2d ago Apr 22nd, 2026	Credential Phishing Evasion Spoofing Social engineering Content analysis
Brand impersonation: Coinbase with suspicious links	Sublime Security	7mo ago Sep 22nd, 2025	Credential Phishing Evasion Free subdomain host Image as content Impersonation: Brand Computer Vision Content analysis File analysis URL analysis
Brand impersonation: DocuSign with embedded QR code	Sublime Security	6mo ago Oct 17th, 2025	Credential Phishing Evasion Image as content Impersonation: Brand QR code Computer Vision Content analysis QR code analysis Sender analysis
Brand impersonation: File sharing notification with template artifacts	Sublime Security	3mo ago Jan 23rd, 2026	Credential Phishing Impersonation: Brand Social engineering Evasion HTML analysis Computer Vision Content analysis Header analysis
Brand impersonation: Microsoft logo in HTML with fake quarantine release notification	Sublime Security	4mo ago Dec 10th, 2025	Credential Phishing Evasion Impersonation: Brand Social engineering Content analysis HTML analysis Sender analysis
Brand impersonation: Microsoft Planner with suspicious link	Sublime Security	2mo ago Feb 6th, 2026	Credential Phishing Evasion Image as content Impersonation: Brand Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis
Brand impersonation: QuickBooks notification from Intuit themed company name	Sublime Security	3mo ago Jan 12th, 2026	Callback Phishing Credential Phishing BEC/Fraud Evasion Social engineering Content analysis Sender analysis Header analysis

392 Rules

Page 3 of 8