Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Mar 9th, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: Adobe image lure in body or attachment with suspicious link	Sublime Security	2mo ago Jan 5th, 2026	Credential Phishing Image as content Impersonation: Brand Content analysis Computer Vision Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/attachment-adobe-image-lure-in-body-or-attachment-with-suspicious-link-1d7add81
Attachment: Callback phishing solicitation via image file	@vector_sec	1mo ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Out of band pivot Social engineering Image as content Content analysis Optical Character Recognition Sender analysis URL analysis Computer Vision	/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-image-file-60acbb36
Attachment: Fake attachment image lure	Sublime Security	5mo ago Sep 22nd, 2025	Credential Phishing Malware/Ransomware Evasion Image as content Social engineering File analysis Natural Language Understanding Optical Character Recognition	/feeds/core/detection-rules/attachment-fake-attachment-image-lure-96b8b285
Attachment: Fake scan-to-email	Sublime Security	5mo ago Sep 22nd, 2025	Credential Phishing Free file host Image as content PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-fake-scan-to-email-ea850cc1
Attachment: Fake secure message and suspicious indicators	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Image as content Impersonation: Brand Social engineering Content analysis File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-fake-secure-message-and-suspicious-indicators-20a34d94
Attachment: Microsoft impersonation via PDF with link and suspicious language	Sublime Security	7mo ago Jul 16th, 2025	Credential Phishing Malware/Ransomware Image as content Impersonation: Brand PDF Scripting Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-microsoft-impersonation-via-pdf-with-link-and-suspicious-language-70d41c7f
Attachment: QR code link with base64-encoded recipient address	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing QR code Image as content Social engineering Evasion PDF Macros Computer Vision File analysis Natural Language Understanding QR code analysis Sender analysis	/feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a
Attachment: QR code with encoded recipient targeting and redirect indicators	Sublime Security	1mo ago Jan 30th, 2026	Credential Phishing QR code Evasion Image as content Open redirect Archive analysis File analysis QR code analysis URL analysis	/feeds/core/detection-rules/attachment-qr-code-with-encoded-recipient-targeting-and-redirect-indicators-5d51e565
Attachment: QR code with userinfo portion	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion Image as content PDF QR code QR code analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-qr-code-with-userinfo-portion-9d62cc5c
Attachment: SVG files with evasion elements	Sublime Security	7mo ago Aug 8th, 2025	Malware/Ransomware Credential Phishing QR code Image as content Evasion File analysis XML analysis QR code analysis Sender analysis	/feeds/core/detection-rules/attachment-svg-files-with-evasion-elements-5d2dbb60
Brand impersonation: Coinbase with suspicious links	Sublime Security	5mo ago Sep 22nd, 2025	Credential Phishing Evasion Free subdomain host Image as content Impersonation: Brand Computer Vision Content analysis File analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-coinbase-with-suspicious-links-b61e2f8e
Brand impersonation: DocuSign with embedded QR code	Sublime Security	4mo ago Oct 17th, 2025	Credential Phishing Evasion Image as content Impersonation: Brand QR code Computer Vision Content analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-docusign-with-embedded-qr-code-f5cde463
Brand impersonation: Fake Fax	Sublime Security	1mo ago Feb 5th, 2026	Credential Phishing Impersonation: Brand Image as content Free file host Free subdomain host Social engineering Computer Vision Content analysis Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a
Brand impersonation: Microsoft Planner with suspicious link	Sublime Security	1mo ago Feb 6th, 2026	Credential Phishing Evasion Image as content Impersonation: Brand Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-planner-with-suspicious-link-ea363c08
Brand impersonation: Microsoft with low reputation links	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Free file host Image as content Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6
Brand impersonation: USPS	Sublime Security	25d ago Feb 13th, 2026	Credential Phishing Image as content Impersonation: Brand Social engineering Computer Vision Content analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/brand-impersonation-usps-28b9130a
Cloud storage impersonation with credential theft indicators	Sublime Security	18d ago Feb 20th, 2026	Credential Phishing Free file host Image as content Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/cloud-storage-impersonation-with-credential-theft-indicators-4c20f72c
Credential phishing: Hyper-linked image leading to free file host	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Evasion Free file host Image as content Social engineering Content analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/credential-phishing-hyper-linked-image-leading-to-free-file-host-f5cb1eca
Credential phishing: Image as content, short or no body contents	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Evasion Image as content Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition	/feeds/core/detection-rules/credential-phishing-image-as-content-short-or-no-body-contents-01313f38
Credential theft: Gophish abuse with hidden tracking image	Sublime Security	4mo ago Nov 5th, 2025	Spam Evasion Image as content Content analysis HTML analysis	/feeds/core/detection-rules/credential-theft-gophish-abuse-with-hidden-tracking-image-59915ceb
Image as content with a link to an open redirect (unsolicited)	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion Image as content Open redirect Social engineering Content analysis HTML analysis URL analysis	/feeds/core/detection-rules/image-as-content-with-a-link-to-an-open-redirect-unsolicited-f5cec36b
Impersonation: Recipient organization in sender display name with credential theft image	Sublime Security	21d ago Feb 17th, 2026	Credential Phishing Image as content Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/impersonation-recipient-organization-in-sender-display-name-with-credential-theft-image-6abfb20e
Inline image as message with attachment or link	Sublime Security	7mo ago Jul 16th, 2025	Credential Phishing Evasion Image as content Content analysis HTML analysis URL analysis	/feeds/core/detection-rules/inline-image-as-message-with-attachment-or-link-823d7107
Invoicera infrastructure abuse	Sublime Security	2y ago Mar 7th, 2024	Credential Phishing Spam Free file host Free subdomain host Image as content Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/invoicera-infrastructure-abuse-1e56f310
PHP Mailer with common phishing attachments	@vector_sec	3y ago Aug 21st, 2023	Credential Phishing Image as content Header analysis	/feeds/core/detection-rules/php-mailer-with-common-phishing-attachments-07e03563
Spam: BlackBaud infrastructure abuse	Sublime Security	2y ago Jan 17th, 2024	Spam Evasion Impersonation: Brand Image as content Social engineering Content analysis Header analysis	/feeds/core/detection-rules/spam-blackbaud-infrastructure-abuse-3db46591
Spam: Item giveaway spam template	Sublime Security	7mo ago Aug 5th, 2025	Spam Image as content Content analysis HTML analysis Sender analysis Exif analysis	/feeds/core/detection-rules/spam-item-giveaway-spam-template-06a5f93b
Spam: Mastercard promotional content with image-based body	Sublime Security	4mo ago Nov 5th, 2025	Credential Phishing Spam Image as content Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/spam-mastercard-promotional-content-with-image-based-body-5f2cb559

28 Rules