• Sublime Core Feed

Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security
Last updated May 16th, 2024
Feed Source

Attack Types

Profiles of cyber threats that pinpoint the attackers' primary intent, whether it's to steal credentials, distribute malware, or commit fraud.


BEC/Fraud often involves deceptive tactics that don't require malicious content as well as the impersonation of employees, VIPs, vendors, or other trusted entities to deceive employees into transferring funds or sharing sensitive data. Lacking malicious URLs or attachments, they exploit human vulnerabilities and rely on social engineering tactics.

Callback Phishing

Callback phishing involves the impersonation of reputable organizations to persuade victims into calling a phone number, thereby bypassing traditional email-based phishing detection. This leads to potential outcomes like fraud, data theft, identity theft, and malware distribution.

Credential Phishing

Credential phishing involves tricking victims into providing their login credentials, often through deceptive email messages and websites that mimic legitimate platforms. The stolen credentials are then used to access sensitive data or commit fraudulent activities.


Extortion involves coercing victims by holding sensitive information or assets hostage while demanding ransom or other concessions.


Malware/Ransomware involves the distribution of malicious software. Once infiltrated, this software can hijack, damage, or block access to systems, often requiring a ransom payment for data retrieval.


Spam is unsolicited bulk email, primarily sent for commercial or marketing purposes.

Tactics and Techniques

Methods and strategies employed by threat actors to execute their attack, focusing on their actions, behaviors, and artifacts.


Uses encryption to hide malicious content, making it harder for security systems to analyze and detect phishing attempts.


Refers to any deliberate effort by threat actors to obfuscate, circumvent, or bypass detection methods to ensure their malicious activities remain undetected or undeterred.


Abuses software vulnerabilities to gain unauthorized access or deliver malware to a target system.

Free email provider

Use of a free email provider like Gmail, capitalizing on the established reputation and ubiquity these services have in legitimate email traffic.

Free file host

Abuses free file hosting services to distribute harmful files, often bypassing traditional attachment based analysis.

Free subdomain host

Creates deceptive subdomains on free hosting platforms with established reputation to impersonate legitimate websites for phishing attacks.

HTML smuggling

Uses HTML5 features to smuggle malicious code across the network and onto a victim’s system, evading traditional network based detection.

Image as content

Evades traditional text based detection by putting the content of the message in an image. These images typically don’t execute code or contain scripting, but the images themselves can often be the linked element.

Impersonation: Brand

Involves mimicking well-known brands to deceive recipients and exploit the trust associated with those brands.

Impersonation: Employee

Poses as employees, managers, or internal contractors to capitalize on the recipient's trust and familiarity to manipulate or deceive them.

Impersonation: VIP

Poses as company VIPs to exploit the inherent trust and urgency associated with these roles, and instigate fraudulent financial transactions, manipulate internal processes, or convince employees to perform actions that undermine the security or integrity of the organization.


Abuses IPFS (InterPlanetary File System) to host and distribute phishing content, evading traditional takedown methods.


Uses ISO image files to circumvent analysis and deliver malware.


Uses LNK files to discreetly execute malicious code.

Lookalike domain

Uses domains that closely resemble legitimate domains to deceive and mislead users.


Executes malicious code, typically in Microsoft Office documents, that can be weaponized by threat actors to serve as a delivery mechanism for malware or as a foothold into a system, capitalizing on user trust in familiar attachment types.


Uses OneNote files to circumvent analysis and deliver malicious payloads or solicit credentials.

Open redirect

Exploits vulnerabilities in web applications that allow attackers to redirect users from a trusted site to a malicious site, often used for phishing or malware distribution.

Out of band pivot

Attempts to change communication medium (e.g. email → phone) to move to a less protected ecosystem.


Uses PDF files, often to deliver malware of embedded phishing links.


Creates deceptive URLs with unicode strings, specifically those containing special or non-English characters. Punycode can be misused to craft visually similar URL's in phishing attacks to trick users into believing they are visiting a trusted website, when they are actually being directed to a malicious one.

QR code

Uses QR Codes to direct victims to malicious websites, often leading to data theft or malware installation.


Employs scripts (e.g., JavaScript) to obfuscate attacks and make analysis more difficult.

Social engineering

Manipulates human psychology to trick individuals into revealing sensitive information, such as passwords or financial details.


Disguises communication from an unknown source as being from a known, trusted source, often to deceive recipients or systems.

Detection Methods

Highlights the technical methodologies and Sublime specialized techniques that recognized and flagged the threat, offering insights.

Archive analysis

Archive analysis involves examining the contents of compressed files or packages to detect, extract, and assess potential threats.

Computer Vision

Computer Vision examines images embedded in messages or websites to identify visual cues that may indicate malicious intent. This includes identifying logos of reputable companies used to deceive users, fake login pages, fraudulent payment screens, and more.

Content analysis

Content analysis refers to the scrutiny of a message's text to detect potential threats, suspicious behavior or malicious intent.

Exif analysis

Exif analysis refers to the scrutiny of metadata present across various file types, providing insights into attributes like authorship, timestamps, software versions, and more.

File analysis

File analysis deconstructs files into their smaller components for a thorough inspection. It involves recursive processing to extract and analyze all components and internal structures, allowing the identification of malicious scripts, suspicious executables, and hidden texts.

Header analysis

Header analysis examines message headers for irregularities or signs of phishing tactics.

HTML analysis

HTML analysis scans HTML code in web pages or attachments for malicious elements.

Javascript analysis

Javascript analysis examines Javascript (JS) code in message bodies, attachments, and linked pages for suspicious or known malicious elements, including basic scripts and unescaped sequences.

Macro analysis

Macro analysis detects macros, typically embedded in Microsoft Office documents, designed to execute malicious code as a delivery mechanism for malware or to establish a foothold on a system.

Natural Language Understanding

Natural Language Understanding (NLU) applies Machine Learning to analyze text-based content in messages. The extracted analysis, including Tone, Intents, Tags, and keyword recognition, can be used to identify and categorize language commonly used by threat actors.

OLE analysis

OLE (Object Linking and Embedding) analysis inspects objects in documents to identify malicious content.

Optical Character Recognition

Optical Character Recognition (OCR) extracts text from images, enabling analysis of scanned or image-based content.

QR code analysis

QR code analysis identifies the type of data — URL, text, or other data types — stored within the QR code.

Sender analysis

Sender analysis examines the sender’s details, such as domain, email address, frequency of contact, and other signals to inform decisions about the sender’s authenticity and relationship with the recipient.

Threat intelligence

Threat intelligence leverages data on known and emerging phishing threats. It can include information such as malicious URLs, domains, file hashes, IP addresses, and more.

URL analysis

URL analysis inspects and classifies links in message bodies or attachments. It covers various aspects such as body links, URLs, reputation, paths, and query parameters. LinkAnalysis, a type of URL analysis, submits suspicious URLs to a headless browser to resolve the effective URL and capture a screenshot for further analysis.

URL screenshot

Screenshots of linked web pages are visually inspected for phishing content or suspicious sites.


Domain registration information is retrieved from Whois databases to detect suspicious or newly created domains.

XML analysis

XML files are scanned for potential phishing elements, such as scripts or embedded URLs.


Messages are evaluated for matching YARA signatures. YARA is a pattern matching language used to identify known malware families or behavior based on regular expression and textual or binary patterns.