Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Jan 23rd, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Fake Zoho Sign template abuse	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion Open redirect Social engineering Content analysis HTML analysis URL analysis	/feeds/core/detection-rules/fake-zoho-sign-template-abuse-785fd0d5
Fake Zoom meeting invite with suspicious link	Sublime Security	1mo ago Dec 1st, 2025	Credential Phishing Impersonation: Brand Evasion Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/fake-zoom-meeting-invite-with-suspicious-link-aba95f23
Generic service abuse from newly registered domain	Sublime Security	5mo ago Aug 5th, 2025	BEC/Fraud Callback Phishing Credential Phishing Evasion Social engineering Header analysis Sender analysis Whois	/feeds/core/detection-rules/generic-service-abuse-from-newly-registered-domain-0937b4c5
Google Drive direct download link from unsolicited sender	Sublime Security	6mo ago Jul 16th, 2025	Malware/Ransomware Credential Phishing Evasion Social engineering Free file host URL analysis Sender analysis Content analysis	/feeds/core/detection-rules/google-drive-direct-download-link-from-unsolicited-sender-78a19343
Google presentation open redirect phishing	Sublime Security	1mo ago Dec 11th, 2025	Credential Phishing Evasion Open redirect Social engineering URL analysis HTML analysis	/feeds/core/detection-rules/google-presentation-open-redirect-phishing-5d01ee3a
Google services using g.co shortlinks	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion Free email provider Content analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/google-services-using-gco-shortlinks-09ff8a73
Hardbacon infrastructure abuse	Sublime Security	2y ago Dec 20th, 2024	Credential Phishing Evasion Impersonation: Brand Social engineering Header analysis Sender analysis	/feeds/core/detection-rules/hardbacon-infrastructure-abuse-5330db42
Headers: Invalid recipient domain with mismatched reply-to from new sender	Sublime Security	2mo ago Nov 21st, 2025	BEC/Fraud Credential Phishing Spam Evasion Social engineering Header analysis Sender analysis	/feeds/core/detection-rules/headers-invalid-recipient-domain-with-mismatched-reply-to-from-new-sender-f375ded1
Headers: iOS/iPadOS mailer with invalid build number	Sublime Security	3y ago Aug 17th, 2023	BEC/Fraud Credential Phishing Malware/Ransomware Evasion Header analysis	/feeds/core/detection-rules/headers-iosipados-mailer-with-invalid-build-number-e0b74072
Headers: Outlook Express mailer	Sublime Security	2mo ago Nov 6th, 2025	BEC/Fraud Credential Phishing Malware/Ransomware Evasion Spoofing Header analysis	/feeds/core/detection-rules/headers-outlook-express-mailer-b7a698de
HR impersonation via e-sign agreement comment	Sublime Security	11d ago Jan 12th, 2026	BEC/Fraud Credential Phishing Evasion Impersonation: Brand Out of band pivot Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/hr-impersonation-via-e-sign-agreement-comment-796c6f0f
HTML: Bidirectional (BIDI) HTML override with right to left obfuscation	Sublime Security	3mo ago Oct 17th, 2025	BEC/Fraud Credential Phishing Evasion Social engineering Scripting Content analysis HTML analysis	/feeds/core/detection-rules/html-bidirectional-bidi-html-override-with-right-to-left-obfuscation-f93940d2
HTML smuggling containing recipient email address	Sublime Security	2mo ago Nov 4th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis File analysis Sender analysis	/feeds/core/detection-rules/html-smuggling-containing-recipient-email-address-af32ff2f
Image as content with a link to an open redirect (unsolicited)	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion Image as content Open redirect Social engineering Content analysis HTML analysis URL analysis	/feeds/core/detection-rules/image-as-content-with-a-link-to-an-open-redirect-unsolicited-f5cec36b
Impersonation: SharePoint reply header anomaly	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Social engineering Impersonation: Brand Evasion Spoofing Header analysis Content analysis Sender analysis	/feeds/core/detection-rules/impersonation-sharepoint-reply-header-anomaly-78875848
Impersonation: Suspected supplier impersonation with suspicious content	Sublime Security	11mo ago Feb 3rd, 2025	BEC/Fraud Evasion Free email provider Lookalike domain Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis Whois	/feeds/core/detection-rules/impersonation-suspected-supplier-impersonation-with-suspicious-content-63d8b1ce
Inbound message from popular service via newly observed distribution list	Sublime Security	5mo ago Aug 5th, 2025	Callback Phishing Evasion Social engineering Header analysis Sender analysis	/feeds/core/detection-rules/inbound-message-from-popular-service-via-newly-observed-distribution-list-8f4bc148
Inline image as message with attachment or link	Sublime Security	6mo ago Jul 16th, 2025	Credential Phishing Evasion Image as content Content analysis HTML analysis URL analysis	/feeds/core/detection-rules/inline-image-as-message-with-attachment-or-link-823d7107
Issuu document with suspicious embedded link	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Social engineering Free file host Evasion URL analysis URL screenshot Natural Language Understanding Optical Character Recognition	/feeds/core/detection-rules/issuu-document-with-suspicious-embedded-link-0d73f43d
Link: Abused Adobe Express	Sublime Security	6mo ago Jul 23rd, 2025	Credential Phishing Evasion Free subdomain host Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-abused-adobe-express-c7d17bfd
Link: Adobe share from unsolicited sender	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Free file host Evasion Content analysis Sender analysis	/feeds/core/detection-rules/link-adobe-share-from-unsolicited-sender-8e29ab33
Link: Adobe share with suspicious indicators	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion Free file host Content analysis URL screenshot Sender analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/link-adobe-share-with-suspicious-indicators-b33cae80
Link: Apple App Store malicious ad manager themed apps from free email provider	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing BEC/Fraud Malware/Ransomware Free email provider Social engineering Evasion Content analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-apple-app-store-malicious-ad-manager-themed-apps-from-free-email-provider-9ce402c6
Link: Apple TestFlight from free email provider	Sublime Security	3mo ago Oct 17th, 2025	Credential Phishing Free email provider Evasion Sender analysis URL analysis	/feeds/core/detection-rules/link-apple-testflight-from-free-email-provider-9b447f1f
Link: Base64 encoded recipient address in URL fragment with subject hash	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Encryption Evasion Social engineering Content analysis URL analysis Header analysis	/feeds/core/detection-rules/link-base64-encoded-recipient-address-in-url-fragment-with-subject-hash-eb9694b8
Link: Common hidden directory observed	Sublime Security	10d ago Jan 13th, 2026	Credential Phishing Evasion URL analysis HTML analysis	/feeds/core/detection-rules/link-common-hidden-directory-observed-9f316da6
Link: Credential phishing link with undisclosed recipients	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Evasion Computer Vision Header analysis URL screenshot	/feeds/core/detection-rules/link-credential-phishing-link-with-undisclosed-recipients-06fc155e
Link: Cryptocurrency fraud with suspicious links	Sublime Security	1mo ago Dec 1st, 2025	BEC/Fraud Social engineering Evasion Free subdomain host Scripting Content analysis Header analysis Javascript analysis Natural Language Understanding Sender analysis URL analysis URL screenshot Whois	/feeds/core/detection-rules/link-cryptocurrency-fraud-with-suspicious-links-d0da37ce
Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability	Sublime Security	2y ago Feb 15th, 2024	Malware/Ransomware Evasion Exploit URL analysis	/feeds/core/detection-rules/link-cve-2024-21413-microsoft-outlook-remote-code-execution-vulnerability-e8151426
Link: Direct link to gamma.app document with mode parameter	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Malware/Ransomware Free file host Evasion URL analysis	/feeds/core/detection-rules/link-direct-link-to-gammaapp-document-with-mode-parameter-080ab581
Link: Direct link to keap.app contact-us page	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Malware/Ransomware Free file host Evasion URL analysis	/feeds/core/detection-rules/link-direct-link-to-keapapp-contact-us-page-a7a69267
Link: Display text matches subject line	Sublime Security	2mo ago Nov 14th, 2025	BEC/Fraud Credential Phishing Social engineering Evasion Header analysis Content analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/link-display-text-matches-subject-line-ba722cf0
Link: Display text with excessive right-to-left mark characters	Sublime Security	2d ago Jan 21st, 2026	Credential Phishing Evasion Content analysis URL analysis	/feeds/core/detection-rules/link-display-text-with-excessive-right-to-left-mark-characters-a45cfd4c
Link: Excessive URL rewrite encoders	Sublime Security	2d ago Jan 21st, 2026	Credential Phishing Malware/Ransomware Encryption Evasion URL analysis Content analysis	/feeds/core/detection-rules/link-excessive-url-rewrite-encoders-b88e53a7
Link: Executable file download with suspicious message content	Sublime Security	3mo ago Oct 16th, 2025	Credential Phishing Malware/Ransomware Evasion Social engineering Content analysis Natural Language Understanding Sender analysis URL analysis Header analysis	/feeds/core/detection-rules/link-executable-file-download-with-suspicious-message-content-ce9a4926
Link: Figma design deck with credential theft language	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Evasion Free file host Social engineering Natural Language Understanding Computer Vision Optical Character Recognition URL analysis URL screenshot Sender analysis	/feeds/core/detection-rules/link-figma-design-deck-with-credential-theft-language-87601924
Link: File sharing pretext with suspicious body and link	Sublime Security	3mo ago Oct 10th, 2025	Credential Phishing Social engineering Evasion Natural Language Understanding Content analysis URL analysis HTML analysis	/feeds/core/detection-rules/link-file-sharing-pretext-with-suspicious-body-and-link-c5718a8e
Link: Flagged bit.ly link	Sublime Security	6mo ago Jul 16th, 2025	Credential Phishing Evasion URL analysis	/feeds/core/detection-rules/link-flagged-bitly-link-1528eb6c
Link: Free file hosting with undisclosed recipients	Sublime Security	4mo ago Sep 11th, 2025	Credential Phishing Malware/Ransomware Free file host Free subdomain host Evasion Header analysis URL analysis Sender analysis Natural Language Understanding	/feeds/core/detection-rules/link-free-file-hosting-with-undisclosed-recipients-b6281306
Link: Google Firebase dynamic link that redirects to new domain (<7 days old)	@ajpc500	11d ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion URL analysis Whois	/feeds/core/detection-rules/link-google-firebase-dynamic-link-that-redirects-to-new-domain-less7-days-old-5a204a37
Link: GoPhish query param values	Sublime Security	18d ago Jan 5th, 2026	Credential Phishing Malware/Ransomware Evasion URL analysis	/feeds/core/detection-rules/link-gophish-query-param-values-6d2b9c8a
Link: IPv4-mapped IPv6 address obfuscation	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion Content analysis URL analysis	/feeds/core/detection-rules/link-ipv4-mapped-ipv6-address-obfuscation-caacf30c
Link: Mamba 2FA phishing kit	Sublime Security	1mo ago Dec 16th, 2025	Credential Phishing Evasion Social engineering URL analysis	/feeds/core/detection-rules/link-mamba-2fa-phishing-kit-8d527c0f
Link: Microsoft Dynamics 365 form phishing	Sublime Security	1mo ago Dec 5th, 2025	Credential Phishing Evasion Content analysis File analysis Optical Character Recognition Natural Language Understanding URL analysis URL screenshot	/feeds/core/detection-rules/link-microsoft-dynamics-365-form-phishing-f72b9085
Link: Microsoft protected message with matching sender and recipient addresses	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Evasion Social engineering Content analysis File analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-microsoft-protected-message-with-matching-sender-and-recipient-addresses-a5a2f75d
Link: Multiple HTTP protocols in single URL	Sublime Security	11d ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion Content analysis URL analysis	/feeds/core/detection-rules/link-multiple-http-protocols-in-single-url-92f9d241
Link: Multistage landing - Abused Adobe frame.io	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Evasion Free file host Content analysis Whois Computer Vision URL analysis HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-adobe-frameio-a6c457c5
Link: Multistage landing - Abused Docusign	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Evasion Free subdomain host Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-docusign-4189a645
Link: Multistage landing - Abused Google Drive	Sublime Security	5mo ago Aug 5th, 2025	Credential Phishing Evasion Free email provider Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-google-drive-c86288b4
Link: Multistage landing - JotForm abuse	Sublime Security	1mo ago Dec 1st, 2025	Credential Phishing Evasion Social engineering Content analysis HTML analysis Javascript analysis URL analysis	/feeds/core/detection-rules/link-multistage-landing-jotform-abuse-5b64326f

313 Rules

Page 4 of 7