Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Apr 21st, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: ICS calendar with embedded file from internal sender with SPF failure	Sublime Security	6mo ago Oct 22nd, 2025	Credential Phishing Spoofing Evasion File analysis Header analysis Sender analysis
Attachment: PDF with credential theft language and invalid reply-to domain	Sublime Security	12d ago Apr 10th, 2026	Credential Phishing PDF Social engineering Spoofing File analysis Header analysis Natural Language Understanding Content analysis
Body: Embedded email headers indicative of thread hijacking/abuse	Sublime Security	4mo ago Dec 1st, 2025	Credential Phishing BEC/Fraud Spam Evasion Social engineering Spoofing Content analysis Header analysis Sender analysis
Brand impersonation: DocuSign	Sublime Security	5d ago Apr 17th, 2026	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Spoofing Header analysis Sender analysis URL analysis
Brand impersonation: Navan	Sublime Security	2mo ago Feb 9th, 2026	Credential Phishing Impersonation: Brand Social engineering Spoofing Sender analysis Natural Language Understanding URL analysis Content analysis
Brand impersonation: State Farm	Sublime Security	4mo ago Dec 17th, 2025	Credential Phishing Impersonation: Brand Social engineering Spoofing Header analysis Sender analysis
Brand impersonation: Survey request with credential theft indicators	Sublime Security	2mo ago Feb 20th, 2026	Credential Phishing Social engineering Impersonation: Brand Spoofing Content analysis Header analysis Natural Language Understanding Sender analysis
Brand spoof: Dropbox	Sublime Security	2y ago Apr 23rd, 2024	Credential Phishing Malware/Ransomware Impersonation: Brand Spoofing Header analysis Sender analysis
Business Email Compromise (BEC) attempt from unsolicited sender	Sublime Security	9mo ago Jul 16th, 2025	BEC/Fraud Social engineering Spoofing Content analysis File analysis Header analysis Sender analysis
Cyrillic vowel substitution in subject or display name from unknown sender	Sublime Security	9mo ago Jul 16th, 2025	Credential Phishing Evasion Social engineering Spoofing Content analysis Header analysis Sender analysis
DocuSign impersonation via spoofed Intuit sender	Sublime Security	8mo ago Aug 5th, 2025	Credential Phishing Impersonation: Brand Spoofing Header analysis Sender analysis
Extortion / sextortion in attachment from untrusted sender	Sublime Security	8mo ago Aug 5th, 2025	Extortion Social engineering Spoofing Computer Vision Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Extortion / sextortion (untrusted sender)	Sublime Security	2mo ago Jan 22nd, 2026	Extortion Social engineering Spoofing Content analysis Header analysis Natural Language Understanding Sender analysis
Headers: Fake in-reply-to with wildcard sender and missing thread context	Sublime Security	2mo ago Jan 23rd, 2026	BEC/Fraud Credential Phishing Evasion Social engineering Spoofing Header analysis Sender analysis Content analysis
Headers: Outlook Express mailer	Sublime Security	5mo ago Nov 6th, 2025	BEC/Fraud Credential Phishing Malware/Ransomware Evasion Spoofing Header analysis
Headers: Self-sender using Microsoft CompAuth bypass with credential theft content	Sublime Security	13h ago Apr 21st, 2026	Credential Phishing Spoofing Evasion Natural Language Understanding Header analysis Sender analysis
Headers: System account impersonation with empty sender address	Sublime Security	3mo ago Jan 12th, 2026	BEC/Fraud Credential Phishing Impersonation: Employee Social engineering Spoofing Header analysis Sender analysis Natural Language Understanding
Impersonation: SharePoint reply header anomaly	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Social engineering Impersonation: Brand Evasion Spoofing Header analysis Content analysis Sender analysis
Reconnaissance: Empty subject with mismatched reply-to from new sender	Sublime Security	2mo ago Feb 6th, 2026	BEC/Fraud Credential Phishing Evasion Social engineering Spoofing Header analysis Sender analysis
Sender: IP address in local part	Sublime Security	1mo ago Mar 12th, 2026	Spam Credential Phishing BEC/Fraud Evasion Spoofing Sender analysis
Service Abuse: Nifty.com with impersonation	Sublime Security	3mo ago Jan 12th, 2026	Credential Phishing Spoofing Sender analysis
SPF temp error	Sublime Security	3mo ago Jan 12th, 2026	Spoofing Header analysis
Spoofable internal domain with suspicious signals	Sublime Security	9mo ago Jul 23rd, 2025	Credential Phishing Free file host Free subdomain host Social engineering Spoofing Content analysis Header analysis Natural Language Understanding Sender analysis
Vendor impersonation: Thread hijacking with typosquat domain	Sublime Security	3mo ago Jan 12th, 2026	BEC/Fraud Lookalike domain Social engineering Spoofing Content analysis Natural Language Understanding Sender analysis Whois
VIP impersonation: Fake thread with display name match, email mismatch	Sublime Security	19d ago Apr 3rd, 2026	BEC/Fraud Evasion Impersonation: VIP Social engineering Spoofing Content analysis Header analysis Sender analysis Whois
VIP Impersonation via Google Group relay with suspicious indicators	Sublime Security	5mo ago Nov 12th, 2025	BEC/Fraud Credential Phishing Malware/Ransomware Evasion Free email provider Impersonation: Employee Social engineering Spoofing Content analysis Header analysis Natural Language Understanding Sender analysis
VIP local_part impersonation from unsolicited sender	Sublime Security	8mo ago Aug 12th, 2025	Impersonation: VIP Spoofing Header analysis Sender analysis

27 Rules