Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Mar 9th, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Link: Direct link to keap.app contact-us page	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Malware/Ransomware Free file host Evasion URL analysis	/feeds/core/detection-rules/link-direct-link-to-keapapp-contact-us-page-a7a69267
Link: Direct MSI download from low reputation domain	Sublime Security	19d ago Feb 19th, 2026	Malware/Ransomware Evasion Sender analysis URL analysis	/feeds/core/detection-rules/link-direct-msi-download-from-low-reputation-domain-1eb77537
Link: Display text matches subject line	Sublime Security	3mo ago Nov 14th, 2025	BEC/Fraud Credential Phishing Social engineering Evasion Header analysis Content analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/link-display-text-matches-subject-line-ba722cf0
Link: Display text with excessive right-to-left mark characters	Sublime Security	1mo ago Jan 21st, 2026	Credential Phishing Evasion Content analysis URL analysis	/feeds/core/detection-rules/link-display-text-with-excessive-right-to-left-mark-characters-a45cfd4c
Link: Excessive URL rewrite encoders	Sublime Security	1mo ago Jan 21st, 2026	Credential Phishing Malware/Ransomware Encryption Evasion URL analysis Content analysis	/feeds/core/detection-rules/link-excessive-url-rewrite-encoders-b88e53a7
Link: Executable file download with suspicious message content	Sublime Security	4mo ago Oct 16th, 2025	Credential Phishing Malware/Ransomware Evasion Social engineering Content analysis Natural Language Understanding Sender analysis URL analysis Header analysis	/feeds/core/detection-rules/link-executable-file-download-with-suspicious-message-content-ce9a4926
Link: Figma design deck with credential theft language	Sublime Security	6d ago Mar 4th, 2026	Credential Phishing Evasion Free file host Social engineering Natural Language Understanding Computer Vision Optical Character Recognition URL analysis URL screenshot Sender analysis	/feeds/core/detection-rules/link-figma-design-deck-with-credential-theft-language-87601924
Link: File sharing pretext with suspicious body and link	Sublime Security	5mo ago Oct 10th, 2025	Credential Phishing Social engineering Evasion Natural Language Understanding Content analysis URL analysis HTML analysis	/feeds/core/detection-rules/link-file-sharing-pretext-with-suspicious-body-and-link-c5718a8e
Link: Flagged bit.ly link	Sublime Security	7mo ago Jul 16th, 2025	Credential Phishing Evasion URL analysis	/feeds/core/detection-rules/link-flagged-bitly-link-1528eb6c
Link: Free file hosting with undisclosed recipients	Sublime Security	15d ago Feb 23rd, 2026	Credential Phishing Malware/Ransomware Free file host Free subdomain host Evasion Header analysis URL analysis Sender analysis Natural Language Understanding	/feeds/core/detection-rules/link-free-file-hosting-with-undisclosed-recipients-b6281306
Link: Google Firebase dynamic link that redirects to new domain (<7 days old)	@ajpc500	1mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion URL analysis Whois	/feeds/core/detection-rules/link-google-firebase-dynamic-link-that-redirects-to-new-domain-less7-days-old-5a204a37
Link: GoPhish query param values	Sublime Security	2mo ago Jan 5th, 2026	Credential Phishing Malware/Ransomware Evasion URL analysis	/feeds/core/detection-rules/link-gophish-query-param-values-6d2b9c8a
Link: Hotel booking spoofed display URL	Sublime Security	21d ago Feb 17th, 2026	BEC/Fraud Credential Phishing Evasion Social engineering URL analysis Sender analysis	/feeds/core/detection-rules/link-hotel-booking-spoofed-display-url-96deeec7
Link: HTML file with suspicious binary fragment ending pattern	Sublime Security	1mo ago Jan 29th, 2026	Credential Phishing Evasion URL analysis	/feeds/core/detection-rules/link-html-file-with-suspicious-binary-fragment-ending-pattern-dc5e3700
Link: IPv4-mapped IPv6 address obfuscation	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion Content analysis URL analysis	/feeds/core/detection-rules/link-ipv4-mapped-ipv6-address-obfuscation-caacf30c
Link: JavaScript obfuscation with Telegram bot integration	Sublime Security	13d ago Feb 25th, 2026	Credential Phishing Evasion Scripting Content analysis Javascript analysis URL analysis	/feeds/core/detection-rules/link-javascript-obfuscation-with-telegram-bot-integration-032a4485
Link: Mamba 2FA phishing kit	Sublime Security	1mo ago Jan 28th, 2026	Credential Phishing Evasion Social engineering URL analysis	/feeds/core/detection-rules/link-mamba-2fa-phishing-kit-8d527c0f
Link: Microsoft Dynamics 365 form phishing	Sublime Security	1mo ago Jan 27th, 2026	Credential Phishing Evasion Content analysis File analysis Optical Character Recognition Natural Language Understanding URL analysis URL screenshot	/feeds/core/detection-rules/link-microsoft-dynamics-365-form-phishing-f72b9085
Link: Microsoft protected message with matching sender and recipient addresses	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering Content analysis File analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-microsoft-protected-message-with-matching-sender-and-recipient-addresses-a5a2f75d
Link: Mixed case HTTPS protocol	Sublime Security	15h ago Mar 9th, 2026	Credential Phishing Malware/Ransomware Evasion Content analysis URL analysis	/feeds/core/detection-rules/link-mixed-case-https-protocol-f3424a81
Link: Multiple HTTP protocols in single URL	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion Content analysis URL analysis	/feeds/core/detection-rules/link-multiple-http-protocols-in-single-url-92f9d241
Link: Multistage landing - Abused Adobe frame.io	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Evasion Free file host Content analysis Whois Computer Vision URL analysis HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-adobe-frameio-a6c457c5
Link: Multistage landing - Abused Docusign	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Evasion Free subdomain host Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-docusign-4189a645
Link: Multistage landing - Abused Google Drive	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Evasion Free email provider Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-google-drive-c86288b4
Link: Multistage landing - ClickUp abuse	Sublime Security	11d ago Feb 27th, 2026	Credential Phishing Malware/Ransomware Evasion Free file host Free subdomain host Open redirect URL analysis Whois Content analysis	/feeds/core/detection-rules/link-multistage-landing-clickup-abuse-78a5d035
Link: Multistage landing - JotForm abuse	Sublime Security	3mo ago Dec 1st, 2025	Credential Phishing Evasion Social engineering Content analysis HTML analysis Javascript analysis URL analysis	/feeds/core/detection-rules/link-multistage-landing-jotform-abuse-5b64326f
Link: Multistage landing - Ludus presentation	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Evasion Social engineering Impersonation: Brand Header analysis URL analysis Computer Vision URL screenshot Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/link-multistage-landing-ludus-presentation-a8b3c311
Link: Multistage landing - Scribd document	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering Impersonation: Brand Free file host URL analysis HTML analysis Natural Language Understanding Computer Vision Optical Character Recognition URL screenshot	/feeds/core/detection-rules/link-multistage-landing-scribd-document-afa9807d
Link: Obfuscation via userinfo with excessive URL padding	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Evasion Impersonation: Brand URL analysis	/feeds/core/detection-rules/link-obfuscation-via-userinfo-with-excessive-url-padding-806317a3
Link: .onion From Unsolicited Sender	Sublime Security	7mo ago Jul 30th, 2025	Malware/Ransomware Credential Phishing Evasion Social engineering URL analysis Header analysis Sender analysis	/feeds/core/detection-rules/link-onion-from-unsolicited-sender-9ac0fc83
Link: PDF filename impersonation with credential theft language	Sublime Security	26d ago Feb 12th, 2026	Credential Phishing Social engineering Evasion PDF Content analysis Natural Language Understanding Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-pdf-filename-impersonation-with-credential-theft-language-05931513
Link: QR code in EML attachment with credential phishing indicators	Sublime Security	3mo ago Dec 2nd, 2025	Credential Phishing Evasion Open redirect QR code Computer Vision Content analysis File analysis QR code analysis	/feeds/core/detection-rules/link-qr-code-in-eml-attachment-with-credential-phishing-indicators-9908ed3a
Link: Recipient email address in 'eta' parameter	Sublime Security	1mo ago Jan 27th, 2026	Credential Phishing Social engineering Evasion URL analysis Content analysis	/feeds/core/detection-rules/link-recipient-email-address-in-eta-parameter-d24e42a2
Link: Referrer anonymization service from untrusted sender	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Open redirect Evasion Header analysis URL analysis Sender analysis	/feeds/core/detection-rules/link-referrer-anonymization-service-from-untrusted-sender-9fab2e1e
Link: ScreenConnect installer with suspicious relay domain	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Evasion Out of band pivot Social engineering URL analysis File analysis Content analysis	/feeds/core/detection-rules/link-screenconnect-installer-with-suspicious-relay-domain-37d21eef
Link: Scribd fullscreen link from suspicious sender	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Free file host Social engineering Evasion URL analysis Sender analysis	/feeds/core/detection-rules/link-scribd-fullscreen-link-from-suspicious-sender-9e9bc972
Link: Secure SharePoint file share from new or unusual sender	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Free file host Evasion Content analysis Sender analysis	/feeds/core/detection-rules/link-secure-sharepoint-file-share-from-new-or-unusual-sender-74ed3020
Link: Self-sender with sender org in subject and credential theft indicator	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Social engineering Evasion Natural Language Understanding Content analysis Sender analysis URL analysis Header analysis	/feeds/core/detection-rules/link-self-sender-with-sender-org-in-subject-and-credential-theft-indicator-bfa9aa08
Link: Self-sent message with quarterly document review request	Sublime Security	1mo ago Jan 21st, 2026	BEC/Fraud Credential Phishing Social engineering Evasion Content analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-self-sent-message-with-quarterly-document-review-request-3c42cec6
Link: SharePoint files shared from GoDaddy federated tenants	Sublime Security	7mo ago Jul 16th, 2025	Credential Phishing Evasion Sender analysis URL analysis	/feeds/core/detection-rules/link-sharepoint-files-shared-from-godaddy-federated-tenants-0e26cdd2
Link: SharePoint OneNote or PDF link with self sender behavior	Sublime Security	11d ago Feb 27th, 2026	Credential Phishing Evasion Free file host OneNote PDF Header analysis URL analysis Sender analysis	/feeds/core/detection-rules/link-sharepoint-onenote-or-pdf-link-with-self-sender-behavior-588e7203
Link: Spam website with evasion indicators	Sublime Security	3mo ago Nov 25th, 2025	Spam Evasion URL analysis URL screenshot Content analysis	/feeds/core/detection-rules/link-spam-website-with-evasion-indicators-08bcd353
Link: Suspicious go.php redirect with document lure	Sublime Security	1mo ago Feb 6th, 2026	Credential Phishing Evasion Social engineering Content analysis URL analysis	/feeds/core/detection-rules/link-suspicious-gophp-redirect-with-document-lure-f3d8c227
Link: Suspicious SharePoint document name	Sublime Security	25d ago Feb 13th, 2026	Credential Phishing Free file host Evasion Content analysis	/feeds/core/detection-rules/link-suspicious-sharepoint-document-name-f95fee6e
Link: Suspicious Sharepoint folder share	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Free file host Evasion HTML analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-suspicious-sharepoint-folder-share-6168a08c
Link: Suspicious URL with recipient targeting and special characters	Sublime Security	17d ago Feb 21st, 2026	Credential Phishing Social engineering Evasion URL analysis Content analysis	/feeds/core/detection-rules/link-suspicious-url-with-recipient-targeting-and-special-characters-e808be3a
Link to a domain with punycode characters	@ajpc500	3mo ago Nov 12th, 2025	Credential Phishing Evasion Lookalike domain Punycode Sender analysis URL analysis	/feeds/core/detection-rules/link-to-a-domain-with-punycode-characters-74b3698c
Link to auto-downloaded disk image in encrypted zip	@ajpc500	1mo ago Jan 12th, 2026	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA	/feeds/core/detection-rules/link-to-auto-downloaded-disk-image-in-encrypted-zip-b50f0cb1
Link to auto-downloaded DMG in archive	Sublime Security	7mo ago Jul 16th, 2025	Malware/Ransomware Evasion Archive analysis File analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-archive-dc04cdd8
Link to auto-downloaded DMG in encrypted zip	Sublime Security	7mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA	/feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-encrypted-zip-43af98d3

351 Rules

Page 5 of 8