Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Jun 5th, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: ICS calendar with embedded file from internal sender with SPF failure	Sublime Security	1mo ago Apr 28th, 2026	Credential Phishing Spoofing Evasion ICS Phishing File analysis Header analysis Sender analysis
Attachment: PDF with credential theft language and invalid reply-to domain	Sublime Security	1mo ago Apr 10th, 2026	Credential Phishing PDF Social engineering Spoofing File analysis Header analysis Natural Language Understanding Content analysis
Body: Embedded email headers indicative of thread hijacking/abuse	Sublime Security	6mo ago Dec 1st, 2025	Credential Phishing BEC/Fraud Spam Evasion Social engineering Spoofing Content analysis Header analysis Sender analysis
Body: Suspicious date format	Sublime Security	1mo ago Apr 22nd, 2026	Credential Phishing Evasion Spoofing Social engineering Content analysis
Brand impersonation: DocuSign	Sublime Security	7d ago Jun 1st, 2026	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Spoofing Header analysis Sender analysis URL analysis
Brand impersonation: Navan	Sublime Security	3mo ago Feb 9th, 2026	Credential Phishing Impersonation: Brand Social engineering Spoofing Sender analysis Natural Language Understanding URL analysis Content analysis
Brand impersonation: State Farm	Sublime Security	5mo ago Dec 17th, 2025	Credential Phishing Impersonation: Brand Social engineering Spoofing Header analysis Sender analysis
Brand impersonation: Survey request with credential theft indicators	Sublime Security	3mo ago Feb 20th, 2026	Credential Phishing Social engineering Impersonation: Brand Spoofing Content analysis Header analysis Natural Language Understanding Sender analysis
Brand spoof: Dropbox	Sublime Security	2y ago Apr 23rd, 2024	Credential Phishing Malware/Ransomware Impersonation: Brand Spoofing Header analysis Sender analysis
Business Email Compromise (BEC) attempt from unsolicited sender	Sublime Security	10mo ago Jul 16th, 2025	BEC/Fraud Social engineering Spoofing Content analysis File analysis Header analysis Sender analysis
Cyrillic vowel substitution in subject or display name from unknown sender	Sublime Security	10mo ago Jul 16th, 2025	Credential Phishing Evasion Social engineering Spoofing Content analysis Header analysis Sender analysis
DocuSign impersonation via spoofed Intuit sender	Sublime Security	10mo ago Aug 5th, 2025	Credential Phishing Impersonation: Brand Spoofing Header analysis Sender analysis
Extortion / sextortion in attachment from untrusted sender	Sublime Security	10mo ago Aug 5th, 2025	Extortion Social engineering Spoofing Computer Vision Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Extortion / sextortion (untrusted sender)	Sublime Security	19d ago May 20th, 2026	Extortion Social engineering Spoofing Content analysis Header analysis Natural Language Understanding Sender analysis
Headers: Fake in-reply-to with wildcard sender and missing thread context	Sublime Security	4mo ago Jan 23rd, 2026	BEC/Fraud Credential Phishing Evasion Social engineering Spoofing Header analysis Sender analysis Content analysis
Headers: Outlook Express mailer	Sublime Security	7mo ago Nov 6th, 2025	BEC/Fraud Credential Phishing Malware/Ransomware Evasion Spoofing Header analysis
Headers: Self-sender using Microsoft CompAuth bypass with credential theft content	Sublime Security	1mo ago Apr 27th, 2026	Credential Phishing Spoofing Evasion Natural Language Understanding Header analysis Sender analysis
Headers: System account impersonation with empty sender address	Sublime Security	4mo ago Jan 12th, 2026	BEC/Fraud Credential Phishing Impersonation: Employee Social engineering Spoofing Header analysis Sender analysis Natural Language Understanding
Headers: X-Source-Auth mismatch with mismatched reply-to domain	Sublime Security	18d ago May 21st, 2026	BEC/Fraud Social engineering Spoofing Content analysis Header analysis Natural Language Understanding Sender analysis
Impersonation: SharePoint reply header anomaly	Sublime Security	4mo ago Jan 12th, 2026	Credential Phishing Social engineering Impersonation: Brand Evasion Spoofing Header analysis Content analysis Sender analysis
Link: BEC with newly registered domains and financial keywords	Sublime Security	1mo ago May 1st, 2026	BEC/Fraud Social engineering Evasion Spoofing Header analysis Sender analysis URL analysis
Reconnaissance: Empty subject with mismatched reply-to from new sender	Sublime Security	4mo ago Feb 6th, 2026	BEC/Fraud Credential Phishing Evasion Social engineering Spoofing Header analysis Sender analysis
Sender: IP address in local part	Sublime Security	2mo ago Mar 12th, 2026	Spam Credential Phishing BEC/Fraud Evasion Spoofing Sender analysis
Service Abuse: Nifty.com with impersonation	Sublime Security	4mo ago Jan 12th, 2026	Credential Phishing Spoofing Sender analysis
Service abuse: PayPal manager account creation with callback scam indicators	Sublime Security	6d ago Jun 2nd, 2026	Callback Phishing Credential Phishing Impersonation: Brand Social engineering Spoofing Sender analysis Content analysis Natural Language Understanding
SPF temp error	Sublime Security	4mo ago Jan 12th, 2026	Spoofing Header analysis
Spoofable internal domain with suspicious signals	Sublime Security	10mo ago Jul 23rd, 2025	Credential Phishing Free file host Free subdomain host Social engineering Spoofing Content analysis Header analysis Natural Language Understanding Sender analysis
Vendor impersonation: Thread hijacking with typosquat domain	Sublime Security	4mo ago Jan 12th, 2026	BEC/Fraud Lookalike domain Social engineering Spoofing Content analysis Natural Language Understanding Sender analysis Whois
VIP impersonation: Fake thread with display name match, email mismatch	Sublime Security	2mo ago Apr 3rd, 2026	BEC/Fraud Evasion Impersonation: VIP Social engineering Spoofing Content analysis Header analysis Sender analysis Whois
VIP Impersonation via Google Group relay with suspicious indicators	Sublime Security	3d ago Jun 5th, 2026	BEC/Fraud Credential Phishing Malware/Ransomware Evasion Free email provider Impersonation: Employee Social engineering Spoofing Content analysis Header analysis Natural Language Understanding Sender analysis
VIP local_part impersonation from unsolicited sender	Sublime Security	9mo ago Aug 12th, 2025	Impersonation: VIP Spoofing Header analysis Sender analysis

31 Rules