Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Mar 27th, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Adobe branded PDF file linking to a password-protected file from untrusted sender	Sublime Security	8mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Impersonation: Brand PDF Archive analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Attachment: Archive with pdf, txt and wsf files	Sublime Security	2mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis File analysis
Attachment: Callback phishing solicitation via pdf file	Sublime Security	7mo ago Aug 5th, 2025	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis
Attachment: Compensation review lure with QR code	Sublime Security	3mo ago Dec 10th, 2025	Credential Phishing PDF QR code Social engineering File analysis Optical Character Recognition QR code analysis Natural Language Understanding Sender analysis Header analysis
Attachment: Decoy PDF author (Julie P.)	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Impersonation: Brand PDF File analysis Content analysis Sender analysis
Attachment: DocuSign impersonation via PDF linking to new domain	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand PDF Social engineering Header analysis Sender analysis URL analysis File analysis Computer Vision Whois
Attachment: Encrypted PDF with credential theft body	Sublime Security	1mo ago Feb 26th, 2026	Credential Phishing Encryption Evasion PDF Social engineering Content analysis Exif analysis File analysis Natural Language Understanding Sender analysis
Attachment: Fake scan-to-email	Sublime Security	6mo ago Sep 22nd, 2025	Credential Phishing Free file host Image as content PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Attachment: Fake voicemail via PDF	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing PDF QR code Social engineering Computer Vision Content analysis File analysis Optical Character Recognition QR code analysis URL analysis
Attachment: Fictitious invoice using LinkedIn's address	Sublime Security	6mo ago Sep 3rd, 2025	BEC/Fraud PDF Social engineering File analysis Optical Character Recognition Natural Language Understanding Content analysis Exif analysis
Attachment: Finance themed PDF with observed phishing template	Sublime Security	28d ago Mar 2nd, 2026	Credential Phishing PDF Evasion File analysis Content analysis
Attachment: Invoice and W-9 PDFs with suspicious creators	Sublime Security	2mo ago Jan 21st, 2026	BEC/Fraud PDF Social engineering Impersonation: Brand File analysis Optical Character Recognition Exif analysis Content analysis
Attachment: Legal themed message or PDF with suspicious indicators	Sublime Security	1mo ago Feb 5th, 2026	Credential Phishing Extortion BEC/Fraud Evasion PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition URL analysis Whois Header analysis Exif analysis
Attachment: Microsoft impersonation via PDF with link and suspicious language	Sublime Security	8mo ago Jul 16th, 2025	Credential Phishing Malware/Ransomware Image as content Impersonation: Brand PDF Scripting Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Sender analysis
Attachment: Password-protected PDF with fake document indicators	Sublime Security	2mo ago Jan 21st, 2026	Malware/Ransomware Credential Phishing Encryption Evasion PDF File analysis YARA Exif analysis
Attachment: PDF bid/proposal lure with credential theft indicators	Sublime Security	3d ago Mar 27th, 2026	BEC/Fraud Credential Phishing PDF Social engineering Free file host Free subdomain host File analysis Content analysis Optical Character Recognition Natural Language Understanding URL analysis Exif analysis
Attachment: PDF contains W9 or invoice YARA signatures	Sublime Security	12d ago Mar 18th, 2026	BEC/Fraud Credential Phishing PDF Social engineering File analysis YARA
Attachment: PDF file with link to fake Bitcoin exchange	Sublime Security	2mo ago Jan 12th, 2026	BEC/Fraud Free email provider Impersonation: Brand PDF Social engineering Exif analysis File analysis Sender analysis URL analysis
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)	Sublime Security	2mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis File analysis Sender analysis
Attachment: PDF file with low reputation link to ZIP file (unsolicited)	Michael Tingle	2mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis File analysis Natural Language Understanding Sender analysis URL analysis
Attachment: PDF generated with wkhtmltopdf tool and default title	Sublime Security	3mo ago Dec 19th, 2025	BEC/Fraud Callback Phishing Credential Phishing Malware/Ransomware PDF Evasion File analysis Exif analysis
Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification	Sublime Security	28d ago Mar 2nd, 2026	Malware/Ransomware PDF Evasion File analysis Threat intelligence
Attachment: PDF proposal with credential theft indicators	Sublime Security	13d ago Mar 17th, 2026	Credential Phishing PDF Social engineering Evasion File analysis Natural Language Understanding Optical Character Recognition URL analysis
Attachment: PDF with a suspicious string and single URL	Sublime Security	13d ago Mar 17th, 2026	Credential Phishing PDF Social engineering Evasion Content analysis File analysis URL analysis Exif analysis
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Free subdomain host PDF Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis
Attachment: PDF with link to DMG file download	Sublime Security	2mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis
Attachment: PDF with link to zip containing a wsf file	Sublime Security	2mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis
Attachment: PDF with Microsoft Purview message impersonation	Sublime Security	4mo ago Nov 10th, 2025	Credential Phishing Impersonation: Brand PDF Social engineering File analysis Natural Language Understanding Content analysis
Attachment: PDF with multistage landing - ClickUp abuse	Sublime Security	1mo ago Feb 27th, 2026	Credential Phishing Evasion Free file host Free subdomain host PDF Social engineering File analysis URL analysis Whois
Attachment: PDF with password in filename matching body text	Sublime Security	1mo ago Feb 19th, 2026	Malware/Ransomware Credential Phishing Encryption Evasion PDF Content analysis File analysis
Attachment: PDF with personal Microsoft OneNote URL	Sublime Security	3mo ago Dec 4th, 2025	Credential Phishing PDF Social engineering File analysis Content analysis
Attachment: PDF with recipient email in link	Sublime Security	27d ago Mar 3rd, 2026	Credential Phishing PDF QR code Encryption Social engineering File analysis QR code analysis URL analysis
Attachment: PDF with ReportLab library and default metadata	Sublime Security	1mo ago Feb 27th, 2026	Credential Phishing PDF Evasion File analysis Exif analysis
Attachment: PDF with suspicious HeadlessChrome metadata	Sublime Security	2mo ago Jan 8th, 2026	Credential Phishing Malware/Ransomware Evasion PDF File analysis Exif analysis
Attachment: PDF with suspicious language and redirect to suspicious file type	Sublime Security	2mo ago Jan 12th, 2026	Malware/Ransomware Credential Phishing Evasion PDF File analysis Natural Language Understanding Optical Character Recognition URL analysis
Attachment: PDF with suspicious link and action-oriented language	Sublime Security	24d ago Mar 6th, 2026	Credential Phishing PDF Social engineering Evasion File analysis URL analysis Content analysis URL screenshot
Attachment: QR code link with base64-encoded recipient address	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing QR code Image as content Social engineering Evasion PDF Macros Computer Vision File analysis Natural Language Understanding QR code analysis Sender analysis
Attachment: QR code with userinfo portion	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion Image as content PDF QR code QR code analysis File analysis Sender analysis
Attachment: RFP/RFQ impersonating government entities	Sublime Security	2y ago Jan 30th, 2024	BEC/Fraud Impersonation: Brand PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Attachment: Self-sender PDF with minimal content and view prompt	Sublime Security	1mo ago Feb 12th, 2026	Credential Phishing Malware/Ransomware PDF Social engineering Evasion Content analysis File analysis Sender analysis
Attachment: Soda PDF producer with encryption themes	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing PDF Social engineering File analysis Optical Character Recognition
Attachment: Suspicious employee policy update document lure	Sublime Security	3mo ago Dec 26th, 2025	Credential Phishing PDF Social engineering Evasion Content analysis File analysis Sender analysis
Attachment: Suspicious PDF created with headless browser	Sublime Security	6mo ago Sep 17th, 2025	Credential Phishing Evasion PDF Content analysis Exif analysis File analysis Optical Character Recognition
Attachment: USDA bid invitation impersonation	Sublime Security	7mo ago Aug 5th, 2025	BEC/Fraud Impersonation: Brand PDF Macros Social engineering Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis
Brand impersonation: Adobe (QR code)	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand PDF QR code Computer Vision Header analysis QR code analysis Sender analysis
Brand impersonation: DocuSign PDF attachment with suspicious link	Sublime Security	5mo ago Oct 22nd, 2025	Credential Phishing Impersonation: Brand PDF Social engineering File analysis Natural Language Understanding Optical Character Recognition URL analysis
Brand impersonation: DocuSign (QR code)	Sublime Security	5mo ago Oct 15th, 2025	Credential Phishing Impersonation: Brand PDF QR code Social engineering Computer Vision Header analysis QR code analysis Sender analysis
Brand Impersonation: Google (QR Code)	Sublime Security	5mo ago Oct 17th, 2025	Credential Phishing Impersonation: Brand PDF QR code Computer Vision Header analysis QR code analysis Sender analysis
Brand impersonation: Microsoft (QR code)	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand PDF QR code Social engineering Computer Vision Header analysis QR code analysis Sender analysis
Brand impersonation: SharePoint PDF attachment with credential theft language	Sublime Security	4mo ago Nov 7th, 2025	Credential Phishing Impersonation: Brand Social engineering PDF Evasion Computer Vision File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis Header analysis Whois

65 Rules

Page 1 of 2