Sublime Core Feed
This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.
Sublime Security
Last updated Jul 17th, 2025
Rule Name & Severity | Author | Last Updated | Rule Path | |
---|---|---|---|---|
Attachment: Callback Phishing solicitation via image file | @vector_sec | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-image-file-60acbb36 | |
Attachment: Callback Phishing solicitation via pdf file | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097 | |
Attachment: Callback Phishing solicitation via text-based file | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-text-based-file-ca39c83a | |
BEC/Fraud: Urgent Language and Suspicious Sending/Infrastructure Patterns | Sublime Security | 4mo ago Mar 10th, 2025 | /feeds/core/detection-rules/becfraud-urgent-language-and-suspicious-sendinginfrastructure-patterns-ba8a79e0 | |
Brand Impersonation: AliExpress | Sublime Security | 2mo ago Apr 28th, 2025 | /feeds/core/detection-rules/brand-impersonation-aliexpress-b14703d8 | |
Brand impersonation: Quickbooks | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-quickbooks-4fd791d1 | |
Brand Impersonation: QuickBooks Notification From Intuit Themed Company Name | Sublime Security | 4mo ago Mar 3rd, 2025 | /feeds/core/detection-rules/brand-impersonation-quickbooks-notification-from-intuit-themed-company-name-42058fc4 | |
Brand Impersonation: SiriusXM | Sublime Security | 24d ago Jun 26th, 2025 | /feeds/core/detection-rules/brand-impersonation-siriusxm-70eb3792 | |
Brand Impersonation: Vanguard | Sublime Security | 3mo ago Apr 11th, 2025 | /feeds/core/detection-rules/brand-impersonation-vanguard-3bd048fe | |
Brand Impersonation: WeTransfer | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-wetransfer-e37885ad | |
Callback Phishing: AOL Senders with Suspicious HTML Template or PDF Attachment | Sublime Security | 1mo ago Jun 3rd, 2025 | /feeds/core/detection-rules/callback-phishing-aol-senders-with-suspicious-html-template-or-pdf-attachment-f6044eed | |
Callback Phishing: Branded invoice from sender/reply-to domain less than 30 days old | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/callback-phishing-branded-invoice-from-senderreply-to-domain-less-than-30-days-old-e6f4af53 | |
Callback Phishing in body or attachment (untrusted sender) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/callback-phishing-in-body-or-attachment-untrusted-sender-b93c6f94 | |
Callback Phishing: Social Security Administration Fraud | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/callback-phishing-social-security-administration-fraud-a9049d52 | |
Callback Phishing solicitation in message body | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/callback-phishing-solicitation-in-message-body-10a3a446 | |
Callback Phishing: SumUp Infrastructure Abuse | Sublime Security | 3mo ago Apr 18th, 2025 | /feeds/core/detection-rules/callback-phishing-sumup-infrastructure-abuse-1c41649e | |
Callback Phishing via Adobe Sign comment | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/callback-phishing-via-adobe-sign-comment-7eb4516d | |
Callback Phishing via Calendar Invite | Sublime Security | 3mo ago Apr 14th, 2025 | /feeds/core/detection-rules/callback-phishing-via-calendar-invite-95c84360 | |
Callback Phishing via DocuSign comment | Sublime Security | 6mo ago Jan 2nd, 2025 | /feeds/core/detection-rules/callback-phishing-via-docusign-comment-48aec918 | |
Callback Phishing via extensionless rfc822 attachment | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/callback-phishing-via-extensionless-rfc822-attachment-197722c4 | |
Callback phishing via Google Group abuse | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/callback-phishing-via-google-group-abuse-199d873b | |
Callback phishing via Intuit service abuse | Sublime Security | 1mo ago May 21st, 2025 | /feeds/core/detection-rules/callback-phishing-via-intuit-service-abuse-f2fe1294 | |
Callback Phishing via Xodo Sign comment | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/callback-phishing-via-xodo-sign-comment-6f722c5d | |
Callback phishing via Zelle Service Abuse | Sublime Security | 4mo ago Feb 24th, 2025 | /feeds/core/detection-rules/callback-phishing-via-zelle-service-abuse-08727484 | |
Callback phishing via Zoho service abuse | Sublime Security | 6mo ago Jan 10th, 2025 | /feeds/core/detection-rules/callback-phishing-via-zoho-service-abuse-61e351ec | |
Canva Infrastructure Abuse | Sublime Security | 3mo ago Apr 1st, 2025 | /feeds/core/detection-rules/canva-infrastructure-abuse-b69fdb5c | |
Encrypted Microsoft Office Files From Untrusted Senders | Sublime Security | 17d ago Jul 3rd, 2025 | /feeds/core/detection-rules/encrypted-microsoft-office-files-from-untrusted-senders-eb7b26e7 | |
Generic Service Abuse From Newly Registered Domain | Sublime Security | 3mo ago Apr 15th, 2025 | /feeds/core/detection-rules/generic-service-abuse-from-newly-registered-domain-0937b4c5 | |
Inbound Message from Popular Service Via Newly Observed Distribution List | Sublime Security | 4mo ago Mar 20th, 2025 | /feeds/core/detection-rules/inbound-message-from-popular-service-via-newly-observed-distribution-list-8f4bc148 | |
Link: Direct POWR.io Form Builder with Suspicious Patterns | Sublime Security | 2mo ago May 5th, 2025 | /feeds/core/detection-rules/link-direct-powrio-form-builder-with-suspicious-patterns-fd37cc93 | |
Link: /index.php Enclosed in Three Asterisks | Sublime Security | 1mo ago Jun 10th, 2025 | /feeds/core/detection-rules/link-indexphp-enclosed-in-three-asterisks-aa4bbafc | |
Link: Invoice or receipt from freemail sender with customer service number | @vector_sec | 2y ago Oct 4th, 2023 | /feeds/core/detection-rules/link-invoice-or-receipt-from-freemail-sender-with-customer-service-number-3825232d | |
Link: Jensi File Preview Link from Unsolicited Sender | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/link-jensi-file-preview-link-from-unsolicited-sender-122b39f3 | |
Link: Webflow Link from Unsolicited Sender | Sublime Security | 1mo ago Jun 13th, 2025 | /feeds/core/detection-rules/link-webflow-link-from-unsolicited-sender-d4f3b8cf | |
Link: Zoho Form Link from Unsolicited Sender | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/link-zoho-form-link-from-unsolicited-sender-eb04a9f2 | |
Message Traversed Multiple onmicrosoft.com Tenants | Sublime Security | 7mo ago Dec 18th, 2024 | /feeds/core/detection-rules/message-traversed-multiple-onmicrosoftcom-tenants-9cf01c0d | |
Microsoft Infrastructure Abuse With Suspicious Patterns | Sublime Security | 6mo ago Jan 7th, 2025 | /feeds/core/detection-rules/microsoft-infrastructure-abuse-with-suspicious-patterns-cfe8e804 | |
Mismatched Links: Free File Share With Urgent Language | Sublime Security | 24d ago Jun 26th, 2025 | /feeds/core/detection-rules/mismatched-links-free-file-share-with-urgent-language-478334c8 | |
PayPal Invoice Abuse | Sublime Security | 1mo ago May 23rd, 2025 | /feeds/core/detection-rules/paypal-invoice-abuse-0ff7a0d4 | |
Service Abuse: Adobe Sign Notification From an Unsolicited Reply-To Address | Sublime Security | 2mo ago Apr 30th, 2025 | /feeds/core/detection-rules/service-abuse-adobe-sign-notification-from-an-unsolicited-reply-to-address-d00893ba | |
Service Abuse: DocuSign Notification with Suspicious Sender or Document Name | Sublime Security | 3mo ago Apr 11th, 2025 | /feeds/core/detection-rules/service-abuse-docusign-notification-with-suspicious-sender-or-document-name-5e4707cd | |
Service Abuse: Dropbox Share From an Unsolicited Reply-To Address | Sublime Security | 3mo ago Apr 11th, 2025 | /feeds/core/detection-rules/service-abuse-dropbox-share-from-an-unsolicited-reply-to-address-50a1499f | |
Service Abuse: Dropbox Share From New Domain | Sublime Security | 3mo ago Apr 11th, 2025 | /feeds/core/detection-rules/service-abuse-dropbox-share-from-new-domain-0e664bd9 | |
Service Abuse: Dropbox Share with Suspicious Sender or Document Name | Sublime Security | 5mo ago Jan 24th, 2025 | /feeds/core/detection-rules/service-abuse-dropbox-share-with-suspicious-sender-or-document-name-27007c9f | |
Service Abuse: Google Drive Share From an Unsolicited Reply-To Address | Sublime Security | 3mo ago Apr 11th, 2025 | /feeds/core/detection-rules/service-abuse-google-drive-share-from-an-unsolicited-reply-to-address-4581ec0c | |
Service Abuse: Google Drive Share From New Reply-To Domain | Sublime Security | 6mo ago Jan 9th, 2025 | /feeds/core/detection-rules/service-abuse-google-drive-share-from-new-reply-to-domain-c1a2d367 | |
Service Abuse: HelloSign Share with Suspicious Sender or Document Name | Sublime Security | 1mo ago May 23rd, 2025 | /feeds/core/detection-rules/service-abuse-hellosign-share-with-suspicious-sender-or-document-name-464d98f3 | |
Service Abuse: Payoneer Callback Scam | Sublime Security | 8mo ago Nov 5th, 2024 | /feeds/core/detection-rules/service-abuse-payoneer-callback-scam-b7fb174c | |
Service Abuse: QuickBooks Notification From New Domain | Sublime Security | 3mo ago Apr 11th, 2025 | /feeds/core/detection-rules/service-abuse-quickbooks-notification-from-new-domain-c4f46473 | |
Service Abuse: QuickBooks Notification with Suspicious Comments | Sublime Security | 18d ago Jul 2nd, 2025 | /feeds/core/detection-rules/service-abuse-quickbooks-notification-with-suspicious-comments-a23d0950 |