Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Feb 26th, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: ICS calendar with embedded file from internal sender with SPF failure	Sublime Security	4mo ago Oct 22nd, 2025	Credential Phishing Spoofing Evasion File analysis Header analysis Sender analysis	/feeds/core/detection-rules/attachment-ics-calendar-with-embedded-file-from-internal-sender-with-spf-failure-d9ce9db8
Body: Embedded email headers indicative of thread hijacking/abuse	Sublime Security	2mo ago Dec 1st, 2025	Credential Phishing BEC/Fraud Spam Evasion Social engineering Spoofing Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/body-embedded-email-headers-indicative-of-thread-hijackingabuse-6e8eeebb
Brand impersonation: DocuSign	Sublime Security	3d ago Feb 24th, 2026	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Spoofing Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-docusign-4d29235c
Brand impersonation: Navan	Sublime Security	18d ago Feb 9th, 2026	Credential Phishing Impersonation: Brand Social engineering Spoofing Sender analysis Natural Language Understanding URL analysis Content analysis	/feeds/core/detection-rules/brand-impersonation-navan-3573e9a8
Brand impersonation: State Farm	Sublime Security	2mo ago Dec 17th, 2025	Credential Phishing Impersonation: Brand Social engineering Spoofing Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-state-farm-bcf7eba0
Brand impersonation: Survey request with credential theft indicators	Sublime Security	7d ago Feb 20th, 2026	Credential Phishing Social engineering Impersonation: Brand Spoofing Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/brand-impersonation-survey-request-with-credential-theft-indicators-ea1c0e09
Brand spoof: Dropbox	Sublime Security	2y ago Apr 23rd, 2024	Credential Phishing Malware/Ransomware Impersonation: Brand Spoofing Header analysis Sender analysis	/feeds/core/detection-rules/brand-spoof-dropbox-bd99740a
Business Email Compromise (BEC) attempt from unsolicited sender	Sublime Security	7mo ago Jul 16th, 2025	BEC/Fraud Social engineering Spoofing Content analysis File analysis Header analysis Sender analysis	/feeds/core/detection-rules/business-email-compromise-bec-attempt-from-unsolicited-sender-57eccc45
Cyrillic vowel substitution in subject or display name from unknown sender	Sublime Security	7mo ago Jul 16th, 2025	Credential Phishing Evasion Social engineering Spoofing Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/cyrillic-vowel-substitution-in-subject-or-display-name-from-unknown-sender-74bc0b0c
DocuSign impersonation via spoofed Intuit sender	Sublime Security	6mo ago Aug 5th, 2025	Credential Phishing Impersonation: Brand Spoofing Header analysis Sender analysis	/feeds/core/detection-rules/docusign-impersonation-via-spoofed-intuit-sender-d437710b
Extortion / sextortion in attachment from untrusted sender	Sublime Security	6mo ago Aug 5th, 2025	Extortion Social engineering Spoofing Computer Vision Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/extortion-sextortion-in-attachment-from-untrusted-sender-3cb8d32c
Extortion / sextortion (untrusted sender)	Sublime Security	1mo ago Jan 22nd, 2026	Extortion Social engineering Spoofing Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/extortion-sextortion-untrusted-sender-265913eb
Headers: Fake in-reply-to with wildcard sender and missing thread context	Sublime Security	1mo ago Jan 23rd, 2026	BEC/Fraud Credential Phishing Evasion Social engineering Spoofing Header analysis Sender analysis Content analysis	/feeds/core/detection-rules/headers-fake-in-reply-to-with-wildcard-sender-and-missing-thread-context-89da670a
Headers: Outlook Express mailer	Sublime Security	3mo ago Nov 6th, 2025	BEC/Fraud Credential Phishing Malware/Ransomware Evasion Spoofing Header analysis	/feeds/core/detection-rules/headers-outlook-express-mailer-b7a698de
Headers: System account impersonation with empty sender address	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Credential Phishing Impersonation: Employee Social engineering Spoofing Header analysis Sender analysis Natural Language Understanding	/feeds/core/detection-rules/headers-system-account-impersonation-with-empty-sender-address-887f7953
Impersonation: SharePoint reply header anomaly	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Social engineering Impersonation: Brand Evasion Spoofing Header analysis Content analysis Sender analysis	/feeds/core/detection-rules/impersonation-sharepoint-reply-header-anomaly-78875848
Reconnaissance: Empty subject with mismatched reply-to from new sender	Sublime Security	21d ago Feb 6th, 2026	BEC/Fraud Credential Phishing Evasion Social engineering Spoofing Header analysis Sender analysis	/feeds/core/detection-rules/reconnaissance-empty-subject-with-mismatched-reply-to-from-new-sender-12f4bd45
Service Abuse: Nifty.com with impersonation	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing Spoofing Sender analysis	/feeds/core/detection-rules/service-abuse-niftycom-with-impersonation-370cfdac
SPF temp error	Sublime Security	1mo ago Jan 12th, 2026	Spoofing Header analysis	/feeds/core/detection-rules/spf-temp-error-2df7e839
Spoofable internal domain with suspicious signals	Sublime Security	7mo ago Jul 23rd, 2025	Credential Phishing Free file host Free subdomain host Social engineering Spoofing Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/spoofable-internal-domain-with-suspicious-signals-40089d69
Vendor impersonation: Thread hijacking with typosquat domain	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Lookalike domain Social engineering Spoofing Content analysis Natural Language Understanding Sender analysis Whois	/feeds/core/detection-rules/vendor-impersonation-thread-hijacking-with-typosquat-domain-9c2f38ed
VIP impersonation: Fake thread with display name match, email mismatch	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Evasion Impersonation: VIP Social engineering Spoofing Content analysis Header analysis Sender analysis Whois	/feeds/core/detection-rules/vip-impersonation-fake-thread-with-display-name-match-email-mismatch-11cc3e28
VIP Impersonation via Google Group relay with suspicious indicators	Sublime Security	3mo ago Nov 12th, 2025	BEC/Fraud Credential Phishing Malware/Ransomware Evasion Free email provider Impersonation: Employee Social engineering Spoofing Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/vip-impersonation-via-google-group-relay-with-suspicious-indicators-57f9cd3b
VIP local_part impersonation from unsolicited sender	Sublime Security	6mo ago Aug 12th, 2025	Impersonation: VIP Spoofing Header analysis Sender analysis	/feeds/core/detection-rules/vip-localpart-impersonation-from-unsolicited-sender-74035fdc

24 Rules