Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Apr 29th, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Adobe branded PDF file linking to a password-protected file from untrusted sender	Sublime Security	3h ago Apr 29th, 2026	Malware/Ransomware Encryption Evasion Impersonation: Brand PDF Archive analysis File analysis Natural Language Understanding Optical Character Recognition
Attachment: Base64 encoded bash command in filename	@vector_sec	7mo ago Sep 5th, 2025	Malware/Ransomware Encryption Evasion Archive analysis File analysis Content analysis
Attachment: EML with Encrypted ZIP	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Encryption Evasion Archive analysis File analysis YARA
Attachment: Encrypted Microsoft Office file (unsolicited)	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Encryption Macros Scripting Archive analysis File analysis OLE analysis Sender analysis
Attachment: Encrypted PDF with credential theft body	Sublime Security	20d ago Apr 9th, 2026	Credential Phishing Encryption Evasion PDF Social engineering Content analysis Exif analysis File analysis Natural Language Understanding Sender analysis
Attachment: Encrypted ZIP containing VHDX file	Sublime Security	26d ago Apr 3rd, 2026	Malware/Ransomware Encryption Evasion Archive analysis File analysis
Attachment: Encrypted zip file with payment-related lure	Sublime Security	5mo ago Nov 25th, 2025	BEC/Fraud Malware/Ransomware Encryption Evasion Social engineering Archive analysis Content analysis File analysis
Attachment: HTML smuggling with excessive line break obfuscation	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with RC4 decryption	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis
Attachment: HTML smuggling with ROT13	@Kyle_Parrish_	3mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis Javascript analysis HTML analysis
Attachment: Password-protected PDF with fake document indicators	Sublime Security	3mo ago Jan 21st, 2026	Malware/Ransomware Credential Phishing Encryption Evasion PDF File analysis YARA Exif analysis
Attachment: PDF with password in filename matching body text	Sublime Security	2mo ago Feb 19th, 2026	Malware/Ransomware Credential Phishing Encryption Evasion PDF Content analysis File analysis
Attachment: PDF with recipient email in link	Sublime Security	1mo ago Mar 3rd, 2026	Credential Phishing PDF QR code Encryption Social engineering File analysis QR code analysis URL analysis
Attachment with encrypted zip (unsolicited)	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Evasion Encryption Archive analysis File analysis Sender analysis
Attachment with unscannable encrypted zip (unsolicited)	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Archive analysis File analysis Sender analysis YARA
Encrypted Microsoft Office files from untrusted sender	Sublime Security	8mo ago Aug 5th, 2025	BEC/Fraud Callback Phishing Credential Phishing Extortion Malware/Ransomware Spam Encryption Evasion File analysis YARA Sender analysis
Link: Base64 encoded recipient address in URL fragment with subject hash	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Encryption Evasion Social engineering Content analysis URL analysis Header analysis
Link: Excessive URL rewrite encoders	Sublime Security	3mo ago Jan 21st, 2026	Credential Phishing Malware/Ransomware Encryption Evasion URL analysis Content analysis
Link: Suspicious Family fragment parameter with encoded recipient data	Sublime Security	2d ago Apr 27th, 2026	Credential Phishing Evasion Encryption Social engineering URL analysis Content analysis
Link to auto-downloaded disk image in encrypted zip	@ajpc500	3mo ago Jan 12th, 2026	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA
Link to auto-downloaded DMG in encrypted zip	Sublime Security	9mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA
Link to auto-download of a suspicious file type (unsolicited)	Sublime Security	3mo ago Jan 12th, 2026	Malware/Ransomware Encryption Evasion LNK Social engineering Archive analysis File analysis Sender analysis URL analysis YARA

22 Rules