Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Feb 14th, 2026

Feed Source

GitHub

Attack Type is

Rule Name & Severity	Author	Last Updated	Labels
Advance Fee Fraud (AFF) from freemail provider or suspicious TLD	Sublime Security	3mo ago Nov 3rd, 2025	BEC/Fraud Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/advance-fee-fraud-aff-from-freemail-provider-or-suspicious-tld-6a5af373
AnonymousFox indicators	Sublime Security	6mo ago Aug 5th, 2025	BEC/Fraud Credential Phishing Malware/Ransomware Header analysis Sender analysis	/feeds/core/detection-rules/anonymousfox-indicators-2506206e
Attachment: Calendar file with invisible Unicode characters	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Credential Phishing Malware/Ransomware Evasion File analysis Content analysis	/feeds/core/detection-rules/attachment-calendar-file-with-invisible-unicode-characters-050fceac
Attachment: Credit card application with WhatsApp contact	Sublime Security	2mo ago Nov 20th, 2025	BEC/Fraud Social engineering Out of band pivot Content analysis File analysis Natural Language Understanding QR code analysis	/feeds/core/detection-rules/attachment-credit-card-application-with-whatsapp-contact-95b08315
Attachment: EML with Sharepoint link likely unrelated to sender	Sublime Security	4mo ago Sep 23rd, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Evasion File analysis URL analysis Header analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-with-sharepoint-link-likely-unrelated-to-sender-0a4fd31b
Attachment: Encrypted zip file with payment-related lure	Sublime Security	2mo ago Nov 25th, 2025	BEC/Fraud Malware/Ransomware Encryption Evasion Social engineering Archive analysis Content analysis File analysis	/feeds/core/detection-rules/attachment-encrypted-zip-file-with-payment-related-lure-5d1eb7af
Attachment: Fake lawyer & sports agent identities	Sublime Security	22d ago Jan 26th, 2026	BEC/Fraud Impersonation: VIP Social engineering Content analysis Exif analysis File analysis Optical Character Recognition	/feeds/core/detection-rules/attachment-fake-lawyer-and-sports-agent-identities-7d3a2478
Attachment: Fictitious invoice using LinkedIn's address	Sublime Security	5mo ago Sep 3rd, 2025	BEC/Fraud PDF Social engineering File analysis Optical Character Recognition Natural Language Understanding Content analysis Exif analysis	/feeds/core/detection-rules/attachment-fictitious-invoice-using-linkedins-address-aeee3d9f
Attachment: ICS file with meeting prefix	Sublime Security	22d ago Jan 26th, 2026	BEC/Fraud Credential Phishing Social engineering File analysis Header analysis	/feeds/core/detection-rules/attachment-ics-file-with-meeting-prefix-383a5810
Attachment: Invoice and W-9 PDFs with suspicious creators	Sublime Security	27d ago Jan 21st, 2026	BEC/Fraud PDF Social engineering Impersonation: Brand File analysis Optical Character Recognition Exif analysis Content analysis	/feeds/core/detection-rules/attachment-invoice-and-w-9-pdfs-with-suspicious-creators-305d6e32
Attachment: Legal themed message or PDF with suspicious indicators	Sublime Security	12d ago Feb 5th, 2026	Credential Phishing Extortion BEC/Fraud Evasion PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition URL analysis Whois Header analysis Exif analysis	/feeds/core/detection-rules/attachment-legal-themed-message-or-pdf-with-suspicious-indicators-19133301
Attachment: Link to Doubleclick.net open redirect	Sublime Security	6mo ago Aug 5th, 2025	BEC/Fraud Credential Phishing Evasion Open redirect Social engineering Content analysis File analysis URL analysis	/feeds/core/detection-rules/attachment-link-to-doubleclicknet-open-redirect-506c16cc
Attachment: PDF contains W9 or invoice YARA signatures	Sublime Security	13d ago Feb 4th, 2026	BEC/Fraud Credential Phishing PDF Social engineering File analysis YARA	/feeds/core/detection-rules/attachment-pdf-contains-w9-or-invoice-yara-signatures-9a8e8a98
Attachment: PDF file with link to fake Bitcoin exchange	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Free email provider Impersonation: Brand PDF Social engineering Exif analysis File analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-file-with-link-to-fake-bitcoin-exchange-47601cb7
Attachment: PDF generated with wkhtmltopdf tool and default title	Sublime Security	1mo ago Dec 19th, 2025	BEC/Fraud Callback Phishing Credential Phishing Malware/Ransomware PDF Evasion File analysis Exif analysis	/feeds/core/detection-rules/attachment-pdf-generated-with-wkhtmltopdf-tool-and-default-title-64e6c8a8
Attachment: RFP/RFQ impersonating government entities	Sublime Security	2y ago Jan 30th, 2024	BEC/Fraud Impersonation: Brand PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-rfprfq-impersonating-government-entities-3b73e3b3
Attachment: USDA bid invitation impersonation	Sublime Security	6mo ago Aug 5th, 2025	BEC/Fraud Impersonation: Brand PDF Macros Social engineering Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493
BEC: Employee impersonation with subject manipulation	Sublime Security	1mo ago Jan 16th, 2026	BEC/Fraud Impersonation: Employee Social engineering Content analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/bec-employee-impersonation-with-subject-manipulation-9adfc77b
BEC/Fraud: Generic scam attempt to undisclosed recipients	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/becfraud-generic-scam-attempt-to-undisclosed-recipients-5dac401f
BEC/Fraud: Job scam fake thread or plaintext pivot to freemail	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Free email provider Out of band pivot Content analysis File analysis Natural Language Understanding	/feeds/core/detection-rules/becfraud-job-scam-fake-thread-or-plaintext-pivot-to-freemail-ce21c151
BEC/Fraud: Penpal scam	Sublime Security	6mo ago Aug 5th, 2025	BEC/Fraud Free email provider Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/becfraud-penpal-scam-a4bdfa17
BEC/Fraud: Romance scam	Sublime Security	26d ago Jan 22nd, 2026	BEC/Fraud Free email provider Social engineering Content analysis Header analysis	/feeds/core/detection-rules/becfraud-romance-scam-0243cdaa
BEC/Fraud: Scam lure with freemail pivot	Sublime Security	6mo ago Aug 5th, 2025	BEC/Fraud Free email provider Out of band pivot Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/becfraud-scam-lure-with-freemail-pivot-898c769f
BEC/Fraud: Student loan callback phishing	Sublime Security	5mo ago Sep 5th, 2025	BEC/Fraud Free email provider Out of band pivot Social engineering Content analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/becfraud-student-loan-callback-phishing-a71f82c3
BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Callback Phishing Spam Impersonation: Brand Social engineering Free email provider Content analysis Header analysis Sender analysis Whois	/feeds/core/detection-rules/becfraud-urgent-language-and-suspicious-sendinginfrastructure-patterns-ba8a79e0
BEC with unusual reply-to or return-path mismatch	Sublime Security	6mo ago Aug 5th, 2025	BEC/Fraud Evasion Free email provider Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/bec-with-unusual-reply-to-or-return-path-mismatch-83e5e2df
Body: Embedded email headers indicative of thread hijacking/abuse	Sublime Security	2mo ago Dec 1st, 2025	Credential Phishing BEC/Fraud Spam Evasion Social engineering Spoofing Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/body-embedded-email-headers-indicative-of-thread-hijackingabuse-6e8eeebb
Brand impersonation: AARP	Sublime Security	2mo ago Dec 1st, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-aarp-561a7f87
Brand impersonation: Aquent	Sublime Security	4mo ago Oct 9th, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-aquent-5074459c
Brand impersonation: Aramco	Sublime Security	20d ago Jan 28th, 2026	BEC/Fraud Impersonation: Brand Lookalike domain Social engineering Content analysis Header analysis HTML analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/brand-impersonation-aramco-96e87699
Brand impersonation: AuthentiSign	Sublime Security	27d ago Jan 21st, 2026	Credential Phishing BEC/Fraud Impersonation: Brand Lookalike domain Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-authentisign-445a8c8b
Brand impersonation: Enbridge	Sublime Security	1y ago Jan 24th, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-enbridge-203a6a28
Brand impersonation: Interac	Sublime Security	2y ago Sep 16th, 2024	BEC/Fraud Impersonation: Brand Lookalike domain Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/brand-impersonation-interac-50a883dc
Brand impersonation: Internal Revenue Service	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Content analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-internal-revenue-service-3c63f8e9
Brand impersonation: Mailgun	Sublime Security	1mo ago Jan 12th, 2026	Credential Phishing BEC/Fraud Impersonation: Brand Sender analysis	/feeds/core/detection-rules/brand-impersonation-mailgun-59cc84e6
Brand impersonation: MetaMask	Sublime Security	4mo ago Sep 22nd, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Computer Vision Natural Language Understanding Sender analysis Header analysis	/feeds/core/detection-rules/brand-impersonation-metamask-ddb4c618
Brand impersonation: Microsoft logo or suspicious language with open redirect	Sublime Security	2y ago Mar 7th, 2024	BEC/Fraud Impersonation: Brand Open redirect Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-logo-or-suspicious-language-with-open-redirect-27b8d8d8
Brand Impersonation: Procore	Sublime Security	5mo ago Sep 3rd, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Content analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-procore-74baa1e5
Brand impersonation: Purdue ePlanroom with suspicious links	Sublime Security	2mo ago Dec 2nd, 2025	Credential Phishing BEC/Fraud Impersonation: Brand Social engineering Content analysis Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-purdue-eplanroom-with-suspicious-links-4db5b0b6
Brand impersonation: QuickBooks notification from Intuit themed company name	Sublime Security	1mo ago Jan 12th, 2026	Callback Phishing Credential Phishing BEC/Fraud Evasion Social engineering Content analysis Sender analysis Header analysis	/feeds/core/detection-rules/brand-impersonation-quickbooks-notification-from-intuit-themed-company-name-42058fc4
Brand impersonation: Robert Half	Sublime Security	4mo ago Oct 1st, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-robert-half-74f8826c
Brand impersonation: SendGrid	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Credential Phishing Spam Impersonation: Brand Social engineering Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/brand-impersonation-sendgrid-d800124f
Brand impersonation: Trust Wallet	Sublime Security	6mo ago Aug 5th, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Natural Language Understanding Sender analysis Header analysis	/feeds/core/detection-rules/brand-impersonation-trust-wallet-e456974c
Brand impersonation: UK government Home Office	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Lookalike domain Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/brand-impersonation-uk-government-home-office-f35d846a
Brand impersonation: Vanguard	Sublime Security	4mo ago Sep 22nd, 2025	BEC/Fraud Callback Phishing Credential Phishing Extortion Malware/Ransomware Spam Impersonation: Brand Natural Language Understanding Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-vanguard-3bd048fe
Brand impersonation: WeTransfer	Sublime Security	6mo ago Aug 5th, 2025	BEC/Fraud Callback Phishing Credential Phishing Extortion Malware/Ransomware Spam Impersonation: Brand Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-wetransfer-e37885ad
Business Email Compromise (BEC) attempt from unsolicited sender	Sublime Security	7mo ago Jul 16th, 2025	BEC/Fraud Social engineering Spoofing Content analysis File analysis Header analysis Sender analysis	/feeds/core/detection-rules/business-email-compromise-bec-attempt-from-unsolicited-sender-57eccc45
Business Email Compromise (BEC) attempt from untrusted sender	Sublime Security	1mo ago Jan 12th, 2026	BEC/Fraud Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/business-email-compromise-bec-attempt-from-untrusted-sender-96d4c35a
Business Email Compromise (BEC) attempt from untrusted sender (French/Français)	Sublime Security	7mo ago Jul 16th, 2025	BEC/Fraud Social engineering Content analysis Header analysis Sender analysis	/feeds/core/detection-rules/business-email-compromise-bec-attempt-from-untrusted-sender-frenchfrancais-b7d1e096
Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)	Sublime Security	7mo ago Jul 16th, 2025	BEC/Fraud Evasion Free email provider Header analysis Sender analysis	/feeds/core/detection-rules/business-email-compromise-bec-attempt-with-masked-recipients-and-reply-to-mismatch-unsolicited-682191bf

151 Rules

Page 1 of 4