Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Mar 9th, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Impersonation: Executive using numbered local part	Sublime Security	1mo ago Jan 30th, 2026	BEC/Fraud Free email provider Impersonation: VIP Social engineering Header analysis Sender analysis	/feeds/core/detection-rules/impersonation-executive-using-numbered-local-part-8e005a22
Impersonation: Human Resources with link or attachment and engaging language	Sublime Security	7mo ago Jul 16th, 2025	BEC/Fraud Credential Phishing Impersonation: Employee Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/impersonation-human-resources-with-link-or-attachment-and-engaging-language-8c95a6a8
Impersonation: Internal corporate services	Sublime Security	1mo ago Jan 28th, 2026	Credential Phishing Impersonation: Employee Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/impersonation-internal-corporate-services-3cd04f33
Impersonation: Recipient organization in sender display name with credential theft image	Sublime Security	21d ago Feb 17th, 2026	Credential Phishing Image as content Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/impersonation-recipient-organization-in-sender-display-name-with-credential-theft-image-6abfb20e
Impersonation: Salesforce fake campaign failure notification	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/impersonation-salesforce-fake-campaign-failure-notification-d66000ca
Impersonation: SharePoint reply header anomaly	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Social engineering Impersonation: Brand Evasion Spoofing Header analysis Content analysis Sender analysis	/feeds/core/detection-rules/impersonation-sharepoint-reply-header-anomaly-78875848
Impersonation: Social Security Administration (SSA)	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Content analysis Sender analysis URL analysis	/feeds/core/detection-rules/impersonation-social-security-administration-ssa-6196767e
Impersonation: Suspected supplier impersonation with suspicious content	Sublime Security	1y ago Feb 3rd, 2025	BEC/Fraud Evasion Free email provider Lookalike domain Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis Whois	/feeds/core/detection-rules/impersonation-suspected-supplier-impersonation-with-suspicious-content-63d8b1ce
Impersonation using recipient domain (untrusted sender)	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Social engineering Header analysis Sender analysis	/feeds/core/detection-rules/impersonation-using-recipient-domain-untrusted-sender-63e5808a
Inbound message from popular service via newly observed distribution list	Sublime Security	7mo ago Aug 5th, 2025	Callback Phishing Evasion Social engineering Header analysis Sender analysis	/feeds/core/detection-rules/inbound-message-from-popular-service-via-newly-observed-distribution-list-8f4bc148
Invoicera infrastructure abuse	Sublime Security	2y ago Mar 7th, 2024	Credential Phishing Spam Free file host Free subdomain host Image as content Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/invoicera-infrastructure-abuse-1e56f310
Issuu document with suspicious embedded link	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Social engineering Free file host Evasion URL analysis URL screenshot Natural Language Understanding Optical Character Recognition	/feeds/core/detection-rules/issuu-document-with-suspicious-embedded-link-0d73f43d
Job scam (unsolicited sender)	Sublime Security	4mo ago Nov 3rd, 2025	BEC/Fraud Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/job-scam-unsolicited-sender-a37dc32d
Job scam with specific salary pattern	Sublime Security	1mo ago Jan 21st, 2026	BEC/Fraud Social engineering Content analysis Natural Language Understanding Header analysis Sender analysis	/feeds/core/detection-rules/job-scam-with-specific-salary-pattern-af7f9e21
Link abuse: Self-service creation platform link with suspicious recipient behavior	Sublime Security	3mo ago Dec 2nd, 2025	BEC/Fraud Credential Phishing Spam Free email provider Social engineering Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-abuse-self-service-creation-platform-link-with-suspicious-recipient-behavior-384ad135
Link: Apple App Store malicious ad manager themed apps from free email provider	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing BEC/Fraud Malware/Ransomware Free email provider Social engineering Evasion Content analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-apple-app-store-malicious-ad-manager-themed-apps-from-free-email-provider-9ce402c6
Link: Base64 encoded recipient address in URL fragment with subject hash	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Encryption Evasion Social engineering Content analysis URL analysis Header analysis	/feeds/core/detection-rules/link-base64-encoded-recipient-address-in-url-fragment-with-subject-hash-eb9694b8
Link: Blogspot hosting explicit romance content	Sublime Security	18h ago Mar 9th, 2026	Spam Free subdomain host Social engineering Natural Language Understanding URL analysis	/feeds/core/detection-rules/link-blogspot-hosting-explicit-romance-content-132e88c5
Link: Breely link masquerading as PDF	Sublime Security	1mo ago Jan 16th, 2026	BEC/Fraud Credential Phishing Free subdomain host Social engineering Content analysis URL analysis	/feeds/core/detection-rules/link-breely-link-masquerading-as-pdf-4a498c21
Link: chatbot.page platform abuse	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Social engineering Out of band pivot URL analysis Natural Language Understanding Content analysis HTML analysis Javascript analysis URL screenshot	/feeds/core/detection-rules/link-chatbotpage-platform-abuse-bfd6a076
Link: Credential phishing traversing Russian infrastructure	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Social engineering Content analysis Header analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/link-credential-phishing-traversing-russian-infrastructure-a5203e3b
Link: Credential phishing via WordPress	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Social engineering Free subdomain host URL analysis Header analysis Computer Vision	/feeds/core/detection-rules/link-credential-phishing-via-wordpress-db696058
Link: Credential theft with invisible Unicode character in page title from unsolicited sender	Sublime Security	25d ago Feb 13th, 2026	Credential Phishing Evasion Social engineering Natural Language Understanding Content analysis HTML analysis URL analysis URL screenshot	/feeds/core/detection-rules/link-credential-theft-with-invisible-unicode-character-in-page-title-from-unsolicited-sender-5fe14d53
Link: Cryptocurrency fraud with suspicious links	Sublime Security	3mo ago Dec 1st, 2025	BEC/Fraud Social engineering Evasion Free subdomain host Scripting Content analysis Header analysis Javascript analysis Natural Language Understanding Sender analysis URL analysis URL screenshot Whois	/feeds/core/detection-rules/link-cryptocurrency-fraud-with-suspicious-links-d0da37ce
Link: Direct link to Zoom Docs from non-Zoom sender	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Social engineering Impersonation: Brand Header analysis URL analysis Sender analysis	/feeds/core/detection-rules/link-direct-link-to-zoom-docs-from-non-zoom-sender-5c6362db
Link: Direct POWR.io Form Builder with suspicious patterns	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Callback Phishing Social engineering File analysis URL analysis Content analysis	/feeds/core/detection-rules/link-direct-powrio-form-builder-with-suspicious-patterns-fd37cc93
Link: Display text matches subject line	Sublime Security	3mo ago Nov 14th, 2025	BEC/Fraud Credential Phishing Social engineering Evasion Header analysis Content analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/link-display-text-matches-subject-line-ba722cf0
Link: Executable file download with suspicious message content	Sublime Security	4mo ago Oct 16th, 2025	Credential Phishing Malware/Ransomware Evasion Social engineering Content analysis Natural Language Understanding Sender analysis URL analysis Header analysis	/feeds/core/detection-rules/link-executable-file-download-with-suspicious-message-content-ce9a4926
Link: Figma design deck with credential theft language	Sublime Security	6d ago Mar 4th, 2026	Credential Phishing Evasion Free file host Social engineering Natural Language Understanding Computer Vision Optical Character Recognition URL analysis URL screenshot Sender analysis	/feeds/core/detection-rules/link-figma-design-deck-with-credential-theft-language-87601924
Link: File sharing impersonation with suspicious language and sending patterns	Sublime Security	4mo ago Oct 31st, 2025	BEC/Fraud Credential Phishing Social engineering Free subdomain host Impersonation: Brand Natural Language Understanding URL analysis Sender analysis Header analysis Content analysis	/feeds/core/detection-rules/link-file-sharing-impersonation-with-suspicious-language-and-sending-patterns-d3363041
Link: File sharing pretext with suspicious body and link	Sublime Security	5mo ago Oct 10th, 2025	Credential Phishing Social engineering Evasion Natural Language Understanding Content analysis URL analysis HTML analysis	/feeds/core/detection-rules/link-file-sharing-pretext-with-suspicious-body-and-link-c5718a8e
Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender	Sublime Security	7mo ago Jul 16th, 2025	Spam Free email provider Free file host Open redirect Social engineering Content analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-google-calendar-invite-linking-to-an-open-redirect-from-an-untrusted-freemail-sender-bb4f1ea9
Link: Google Drawings link from new sender	Sublime Security	18h ago Mar 9th, 2026	Credential Phishing BEC/Fraud Social engineering URL analysis Sender analysis	/feeds/core/detection-rules/link-google-drawings-link-from-new-sender-fb91c892
Link: Google Forms link with credential theft language	Sublime Security	8d ago Mar 2nd, 2026	Credential Phishing Social engineering Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/link-google-forms-link-with-credential-theft-language-0cad40e2
Link: Hotel booking spoofed display URL	Sublime Security	21d ago Feb 17th, 2026	BEC/Fraud Credential Phishing Evasion Social engineering URL analysis Sender analysis	/feeds/core/detection-rules/link-hotel-booking-spoofed-display-url-96deeec7
Link: HR impersonation with suspicious domain indicators and credential theft	Sublime Security	3mo ago Dec 3rd, 2025	Credential Phishing Impersonation: Employee Social engineering Lookalike domain Content analysis Natural Language Understanding Computer Vision URL analysis URL screenshot	/feeds/core/detection-rules/link-hr-impersonation-with-suspicious-domain-indicators-and-credential-theft-f31f8831
Link: /index.php enclosed in three asterisks	Sublime Security	1mo ago Jan 12th, 2026	Malware/Ransomware Callback Phishing Social engineering Content analysis URL analysis	/feeds/core/detection-rules/link-indexphp-enclosed-in-three-asterisks-aa4bbafc
Link: Intuit link abuse with file share context	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering URL analysis Natural Language Understanding Content analysis Header analysis	/feeds/core/detection-rules/link-intuit-link-abuse-with-file-share-context-cd15cc34
Link: Invoice or receipt from freemail sender with customer service number	@vector_sec	1mo ago Jan 12th, 2026	BEC/Fraud Callback Phishing Free email provider Impersonation: Brand Social engineering Content analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-invoice-or-receipt-from-freemail-sender-with-customer-service-number-3825232d
Link: Mamba 2FA phishing kit	Sublime Security	1mo ago Jan 28th, 2026	Credential Phishing Evasion Social engineering URL analysis	/feeds/core/detection-rules/link-mamba-2fa-phishing-kit-8d527c0f
Link: Microsoft impersonation using hosted png with suspicious link	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/link-microsoft-impersonation-using-hosted-png-with-suspicious-link-07c696d4
Link: Microsoft protected message with matching sender and recipient addresses	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering Content analysis File analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-microsoft-protected-message-with-matching-sender-and-recipient-addresses-a5a2f75d
Link: Multistage landing - Abused Adobe Acrobat hosted PDF	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision Optical Character Recognition URL analysis Header analysis Sender analysis	/feeds/core/detection-rules/link-multistage-landing-abused-adobe-acrobat-hosted-pdf-609081ef
Link: Multistage Landing - Abused Buildin.ai	Sublime Security	6mo ago Sep 5th, 2025	Credential Phishing Free file host Social engineering URL analysis Natural Language Understanding	/feeds/core/detection-rules/link-multistage-landing-abused-buildinai-e0a79ef5
Link: Multistage landing - FreshDesk knowledge base abuse	Sublime Security	6mo ago Aug 21st, 2025	Credential Phishing Open redirect Impersonation: Brand Social engineering Content analysis Natural Language Understanding URL analysis URL screenshot	/feeds/core/detection-rules/link-multistage-landing-freshdesk-knowledge-base-abuse-edd6acf7
Link: Multistage landing - JotForm abuse	Sublime Security	3mo ago Dec 1st, 2025	Credential Phishing Evasion Social engineering Content analysis HTML analysis Javascript analysis URL analysis	/feeds/core/detection-rules/link-multistage-landing-jotform-abuse-5b64326f
Link: Multistage landing - Ludus presentation	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Evasion Social engineering Impersonation: Brand Header analysis URL analysis Computer Vision URL screenshot Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/link-multistage-landing-ludus-presentation-a8b3c311
Link: Multistage landing - Microsoft Forms abuse	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering HTML analysis URL analysis Content analysis	/feeds/core/detection-rules/link-multistage-landing-microsoft-forms-abuse-85a2cd12
Link: Multistage landing - Published Google Doc	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Free file host Social engineering Natural Language Understanding URL analysis Whois	/feeds/core/detection-rules/link-multistage-landing-published-google-doc-031e1ff8
Link: Multistage landing - Scribd document	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering Impersonation: Brand Free file host URL analysis HTML analysis Natural Language Understanding Computer Vision Optical Character Recognition URL screenshot	/feeds/core/detection-rules/link-multistage-landing-scribd-document-afa9807d

510 Rules

Page 7 of 11