Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Dec 19th, 2025

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Adobe branded PDF file linking to a password-protected file from untrusted sender	Sublime Security	5mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Impersonation: Brand PDF Archive analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/adobe-branded-pdf-file-linking-to-a-password-protected-file-from-untrusted-sender-5ea75469
Attachment: Archive with pdf, txt and wsf files	Sublime Security	2y ago Aug 21st, 2023	Malware/Ransomware Evasion PDF Archive analysis File analysis	/feeds/core/detection-rules/attachment-archive-with-pdf-txt-and-wsf-files-16b2e239
Attachment: Callback phishing solicitation via pdf file	Sublime Security	4mo ago Aug 5th, 2025	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097
Attachment: Compensation review lure with QR code	Sublime Security	11d ago Dec 10th, 2025	Credential Phishing PDF QR code Social engineering File analysis Optical Character Recognition QR code analysis Natural Language Understanding Sender analysis Header analysis	/feeds/core/detection-rules/attachment-compensation-review-lure-with-qr-code-9fd8185c
Attachment: Decoy PDF author (Julie P.)	Sublime Security	4mo ago Aug 5th, 2025	Credential Phishing Impersonation: Brand PDF File analysis Content analysis Sender analysis	/feeds/core/detection-rules/attachment-decoy-pdf-author-julie-p-4324213a
Attachment: DocuSign impersonation via PDF linking to new domain	Sublime Security	4mo ago Aug 5th, 2025	Credential Phishing Impersonation: Brand PDF Social engineering Header analysis Sender analysis URL analysis File analysis Computer Vision Whois	/feeds/core/detection-rules/attachment-docusign-impersonation-via-pdf-linking-to-new-domain-f0c96282
Attachment: Encrypted PDF with credential theft body	Sublime Security	20d ago Dec 1st, 2025	Credential Phishing Encryption Evasion PDF Social engineering Content analysis Exif analysis File analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a
Attachment: Fake scan-to-email	Sublime Security	3mo ago Sep 22nd, 2025	Credential Phishing Free file host Image as content PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-fake-scan-to-email-ea850cc1
Attachment: Fake voicemail via PDF	Sublime Security	4mo ago Aug 5th, 2025	Credential Phishing PDF QR code Social engineering Computer Vision Content analysis File analysis Optical Character Recognition QR code analysis URL analysis	/feeds/core/detection-rules/attachment-fake-voicemail-via-pdf-d3587209
Attachment: Fictitious invoice using LinkedIn's address	Sublime Security	3mo ago Sep 3rd, 2025	BEC/Fraud PDF Social engineering File analysis Optical Character Recognition Natural Language Understanding Content analysis Exif analysis	/feeds/core/detection-rules/attachment-fictitious-invoice-using-linkedins-address-aeee3d9f
Attachment: Legal themed message or PDF with suspicious indicators	Sublime Security	20d ago Dec 1st, 2025	Credential Phishing Extortion BEC/Fraud Evasion PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition URL analysis Whois Header analysis Exif analysis	/feeds/core/detection-rules/attachment-legal-themed-message-or-pdf-with-suspicious-indicators-19133301
Attachment: Microsoft impersonation via PDF with link and suspicious language	Sublime Security	5mo ago Jul 16th, 2025	Credential Phishing Malware/Ransomware Image as content Impersonation: Brand PDF Scripting Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-microsoft-impersonation-via-pdf-with-link-and-suspicious-language-70d41c7f
Attachment: PDF file with link to fake Bitcoin exchange	Sublime Security	4mo ago Aug 5th, 2025	BEC/Fraud Free email provider Impersonation: Brand PDF Social engineering Exif analysis File analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-file-with-link-to-fake-bitcoin-exchange-47601cb7
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)	Sublime Security	5mo ago Jul 16th, 2025	Malware/Ransomware Evasion PDF Archive analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-links-to-suspicious-filetypes-unsolicited-6144f880
Attachment: PDF file with low reputation link to ZIP file (unsolicited)	Michael Tingle	5mo ago Jul 16th, 2025	Malware/Ransomware Evasion PDF Archive analysis File analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-link-to-zip-file-unsolicited-d1ee2859
Attachment: PDF generated with wkhtmltopdf tool and default title	Sublime Security	2d ago Dec 19th, 2025	BEC/Fraud Callback Phishing Credential Phishing Malware/Ransomware PDF Evasion File analysis Exif analysis	/feeds/core/detection-rules/attachment-pdf-generated-with-wkhtmltopdf-tool-and-default-title-64e6c8a8
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)	Sublime Security	5mo ago Jul 16th, 2025	Credential Phishing Free subdomain host PDF Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-with-credential-theft-language-and-link-to-a-free-subdomain-unsolicited-90f4ef4e
Attachment: PDF with link to DMG file download	Sublime Security	11d ago Dec 10th, 2025	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-with-link-to-dmg-file-download-2c486fe0
Attachment: PDF with link to zip containing a wsf file	Sublime Security	1y ago Apr 25th, 2024	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-with-link-to-zip-containing-a-wsf-file-93bc7db4
Attachment: PDF with Microsoft Purview message impersonation	Sublime Security	1mo ago Nov 10th, 2025	Credential Phishing Impersonation: Brand PDF Social engineering File analysis Natural Language Understanding Content analysis	/feeds/core/detection-rules/attachment-pdf-with-microsoft-purview-message-impersonation-571d4964
Attachment: PDF with personal Microsoft OneNote URL	Sublime Security	17d ago Dec 4th, 2025	Credential Phishing PDF Social engineering File analysis Content analysis	/feeds/core/detection-rules/attachment-pdf-with-personal-microsoft-onenote-url-0675bbc5
Attachment: PDF with recipient email in link	Sublime Security	2mo ago Oct 10th, 2025	Credential Phishing PDF QR code Encryption Social engineering File analysis QR code analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-with-recipient-email-in-link-0399d08f
Attachment: PDF with suspicious language and redirect to suspicious file type	Sublime Security	1y ago May 22nd, 2024	Malware/Ransomware Credential Phishing Evasion PDF File analysis Natural Language Understanding Optical Character Recognition URL analysis	/feeds/core/detection-rules/attachment-pdf-with-suspicious-language-and-redirect-to-suspicious-file-type-adda3c3f
Attachment: QR code link with base64-encoded recipient address	Sublime Security	4mo ago Aug 5th, 2025	Credential Phishing QR code Image as content Social engineering Evasion PDF Macros Computer Vision File analysis Natural Language Understanding QR code analysis Sender analysis	/feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a
Attachment: QR code with userinfo portion	Sublime Security	4mo ago Aug 5th, 2025	Credential Phishing Malware/Ransomware Evasion Image as content PDF QR code QR code analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-qr-code-with-userinfo-portion-9d62cc5c
Attachment: RFP/RFQ impersonating government entities	Sublime Security	1y ago Jan 30th, 2024	BEC/Fraud Impersonation: Brand PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-rfprfq-impersonating-government-entities-3b73e3b3
Attachment: Soda PDF producer with encryption themes	Sublime Security	4mo ago Aug 5th, 2025	Credential Phishing PDF Social engineering File analysis Optical Character Recognition	/feeds/core/detection-rules/attachment-soda-pdf-producer-with-encryption-themes-af8eeca4
Attachment: Suspicious employee policy update document lure	Sublime Security	1mo ago Oct 29th, 2025	Credential Phishing PDF Social engineering Evasion Content analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-suspicious-employee-policy-update-document-lure-a8bf1fd1
Attachment: Suspicious PDF created with headless browser	Sublime Security	3mo ago Sep 17th, 2025	Credential Phishing Evasion PDF Content analysis Exif analysis File analysis Optical Character Recognition	/feeds/core/detection-rules/attachment-suspicious-pdf-created-with-headless-browser-8f3108d7
Attachment: USDA bid invitation impersonation	Sublime Security	4mo ago Aug 5th, 2025	BEC/Fraud Impersonation: Brand PDF Macros Social engineering Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493
Brand impersonation: Adobe (QR code)	Sublime Security	2mo ago Oct 3rd, 2025	Credential Phishing Impersonation: Brand PDF QR code Computer Vision Header analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-adobe-qr-code-2fc36c6d
Brand impersonation: DocuSign PDF attachment with suspicious link	Sublime Security	2mo ago Oct 22nd, 2025	Credential Phishing Impersonation: Brand PDF Social engineering File analysis Natural Language Understanding Optical Character Recognition URL analysis	/feeds/core/detection-rules/brand-impersonation-docusign-pdf-attachment-with-suspicious-link-2601cbb7
Brand impersonation: DocuSign (QR code)	Sublime Security	2mo ago Oct 15th, 2025	Credential Phishing Impersonation: Brand PDF QR code Social engineering Computer Vision Header analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-docusign-qr-code-0b16c28a
Brand Impersonation: Google (QR Code)	Sublime Security	2mo ago Oct 17th, 2025	Credential Phishing Impersonation: Brand PDF QR code Computer Vision Header analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-google-qr-code-7ffd184c
Brand impersonation: Microsoft (QR code)	Sublime Security	3mo ago Sep 22nd, 2025	Credential Phishing Impersonation: Brand PDF QR code Social engineering Computer Vision Header analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-qr-code-ed0f772a
Brand impersonation: SharePoint PDF attachment with credential theft language	Sublime Security	1mo ago Nov 7th, 2025	Credential Phishing Impersonation: Brand Social engineering PDF Evasion Computer Vision File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis Header analysis Whois	/feeds/core/detection-rules/brand-impersonation-sharepoint-pdf-attachment-with-credential-theft-language-ae3756fa
Callback phishing: Social Security Administration fraud	Sublime Security	4mo ago Aug 5th, 2025	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/callback-phishing-social-security-administration-fraud-a9049d52
Credential phishing: Tax form impersonation with payment request	Sublime Security	3mo ago Sep 10th, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering PDF Content analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/credential-phishing-tax-form-impersonation-with-payment-request-717695cf
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender	Sublime Security	10mo ago Feb 3rd, 2025	BEC/Fraud Free email provider PDF Social engineering QR code Content analysis File analysis QR code analysis	/feeds/core/detection-rules/extortion-sextortion-pdf-attachment-leveraging-breach-data-from-freemail-sender-efb5a213
Link: Uncommon SharePoint document type with sender's display name	Sublime Security	4mo ago Aug 5th, 2025	Credential Phishing Social engineering OneNote PDF Content analysis Header analysis HTML analysis URL analysis	/feeds/core/detection-rules/link-uncommon-sharepoint-document-type-with-senders-display-name-02d290b2
PDF attachment with Google (AE) redirecting to a php or zip file	Sublime Security	2y ago Sep 26th, 2023	Malware/Ransomware Open redirect PDF Content analysis File analysis URL analysis	/feeds/core/detection-rules/pdf-attachment-with-google-ae-redirecting-to-a-php-or-zip-file-57ae513f
Sharepoint link likely unrelated to sender	Sublime Security	3mo ago Sep 19th, 2025	BEC/Fraud Credential Phishing Impersonation: Employee Lookalike domain OneNote PDF Social engineering URL analysis Sender analysis Header analysis HTML analysis	/feeds/core/detection-rules/sharepoint-link-likely-unrelated-to-sender-6870f489
Spam: Unsolicited malformed PDF	Sublime Security	5mo ago Jul 16th, 2025	Spam Evasion Free email provider PDF Content analysis File analysis Sender analysis	/feeds/core/detection-rules/spam-unsolicited-malformed-pdf-f0c50031
Stripe invoice abuse	Sublime Security	4mo ago Aug 5th, 2025	BEC/Fraud Callback Phishing PDF File analysis Header analysis	/feeds/core/detection-rules/stripe-invoice-abuse-90162d16
Suspicious attachment: Duplicate decoy PDF files	Sublime Security	4mo ago Aug 5th, 2025	Credential Phishing Evasion PDF File analysis Optical Character Recognition	/feeds/core/detection-rules/suspicious-attachment-duplicate-decoy-pdf-files-79b9b2e7
Suspicious attachment with unscannable Cloudflare link	Sublime Security	5mo ago Jul 16th, 2025	Credential Phishing Evasion PDF Social engineering Impersonation: Employee Impersonation: VIP File analysis URL analysis Sender analysis Content analysis Header analysis Natural Language Understanding	/feeds/core/detection-rules/suspicious-attachment-with-unscannable-cloudflare-link-00f92b6f
Suspicious SharePoint file sharing	Sublime Security	4mo ago Aug 5th, 2025	Credential Phishing Free email provider Free file host OneNote PDF Content analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/suspicious-sharepoint-file-sharing-971c3d9c
URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)	Sublime Security	2y ago Nov 18th, 2023	Credential Phishing Malware/Ransomware PDF File analysis Threat intelligence URL analysis	/feeds/core/detection-rules/urlhaus-malicious-domain-in-message-body-or-pdf-attachment-trusted-reporters-cfca2986

48 Rules