Sublime Core Feed
This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.
Sublime Security
Last updated Jul 17th, 2025
Feed Source
Detection Method is
Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Adobe branded PDF file linking to a password-protected file from untrusted sender | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/adobe-branded-pdf-file-linking-to-a-password-protected-file-from-untrusted-sender-5ea75469 | |
Attachment: Any HTML file (unsolicited) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-any-html-file-unsolicited-ef36763f | |
Attachment: Any HTML file within archive (unsolicited) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-any-html-file-within-archive-unsolicited-6a67c02c | |
Attachment: Archive containing disallowed file type | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-archive-containing-disallowed-file-type-3859e3e7 | |
Attachment: Archive containing HTML file with file scheme link | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-archive-containing-html-file-with-file-scheme-link-edf6d0d9 | |
Attachment: Archive contains DLL-loading macro | Sublime Security | 2y ago Dec 28th, 2023 | /feeds/core/detection-rules/attachment-archive-contains-dll-loading-macro-3a193f5f | |
Attachment: Archive with embedded CHM file | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-archive-with-embedded-chm-file-5280e94d | |
Attachment: Archive with embedded EXE file | Sublime Security | 1y ago Feb 27th, 2024 | /feeds/core/detection-rules/attachment-archive-with-embedded-exe-file-e2b0ad86 | |
Attachment: Archive with pdf, txt and wsf files | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-archive-with-pdf-txt-and-wsf-files-16b2e239 | |
Attachment: Callback Phishing solicitation via pdf file | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097 | |
Attachment: Callback Phishing solicitation via text-based file | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-text-based-file-ca39c83a | |
Attachment: .csproj with suspicious commands | Sublime Security | 2y ago Aug 17th, 2023 | /feeds/core/detection-rules/attachment-csproj-with-suspicious-commands-fe45b81d | |
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability | Sublime Security | 2y ago Dec 19th, 2023 | /feeds/core/detection-rules/attachment-cve-2021-40444-mshtml-remote-code-execution-vulnerability-8cefcf7f | |
Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability | Sublime Security | 2y ago Dec 19th, 2023 | /feeds/core/detection-rules/attachment-cve-2023-21716-microsoft-office-remote-code-execution-vulnerability-23714cca | |
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability | Sublime Security | 4mo ago Mar 21st, 2025 | /feeds/core/detection-rules/attachment-cve-2025-24071-microsoft-windows-file-explorer-spoofing-vulnerability-2e69fa0b | |
Attachment: Decoy PDF Author (Julie P.) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-decoy-pdf-author-julie-p-4324213a | |
Attachment: DocuSign Impersonation (PDF) linking to New Domain <=3d | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/attachment-docusign-impersonation-pdf-linking-to-new-domain-less3d-f0c96282 | |
Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment | @ajpc500 | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-double-base64-encoded-zip-file-in-html-smuggling-attachment-61ebb07b | |
Attachment: Dropbox image lure with no Dropbox domains in links | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-dropbox-image-lure-with-no-dropbox-domains-in-links-500eee2d | |
Attachment: EICAR String Present | @ajpc500 | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-eicar-string-present-592e2319 | |
Attachment: Embedded Javascript in SVG file | Sublime Security | 1mo ago Jun 2nd, 2025 | /feeds/core/detection-rules/attachment-embedded-javascript-in-svg-file-f70293bc | |
Attachment: Embedded VBScript in MHT file (unsolicited) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-embedded-vbscript-in-mht-file-unsolicited-b30353a6 | |
Attachment: EML containing a base64 encoded script | Sublime Security | 1y ago Jan 30th, 2024 | /feeds/core/detection-rules/attachment-eml-containing-a-base64-encoded-script-fc3d9445 | |
Attachment: EML file contains HTML attachment with login portal indicators | Sublime Security | 2y ago Oct 19th, 2023 | /feeds/core/detection-rules/attachment-eml-file-contains-html-attachment-with-login-portal-indicators-6e4df158 | |
Attachment: EML file with HTML attachment (unsolicited) | Sublime Security | 3mo ago Mar 28th, 2025 | /feeds/core/detection-rules/attachment-eml-file-with-html-attachment-unsolicited-c24fd191 | |
Attachment: EML file with IPFS links | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/attachment-eml-file-with-ipfs-links-1fe9d7e7 | |
Attachment: EML with Embedded Javascript in SVG File | Sublime Security | 3mo ago Apr 17th, 2025 | /feeds/core/detection-rules/attachment-eml-with-embedded-javascript-in-svg-file-dfafb78f | |
Attachment: EML with link to credential phishing page | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-eml-with-link-to-credential-phishing-page-1df41cca | |
Attachment: EML with Suspicious Indicators | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-eml-with-suspicious-indicators-deb5d08d | |
Attachment: Emotet heavily padded doc in zip file | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-emotet-heavily-padded-doc-in-zip-file-9a5332ed | |
Attachment: Encrypted Microsoft Office file (unsolicited) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-encrypted-microsoft-office-file-unsolicited-1e47e953 | |
Attachment: Encrypted PDF With Credential Theft Body | Sublime Security | 6d ago Jul 14th, 2025 | /feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a | |
Attachment: Excel Web Query File (IQY) | @jkcoote | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-excel-web-query-file-iqy-510412b5 | |
Attachment: Fake attachment image lure | Sublime Security | 9d ago Jul 11th, 2025 | /feeds/core/detection-rules/attachment-fake-attachment-image-lure-96b8b285 | |
Attachment: Fake scan-to-email | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-fake-scan-to-email-ea850cc1 | |
Attachment: Fake secure message and suspicious indicators | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-fake-secure-message-and-suspicious-indicators-20a34d94 | |
Attachment: Fake Slack installer | Sublime Security | 2y ago Nov 29th, 2023 | /feeds/core/detection-rules/attachment-fake-slack-installer-cded2d2f | |
Attachment: Fake Voicemail via PDF | Sublime Security | 2mo ago Apr 30th, 2025 | /feeds/core/detection-rules/attachment-fake-voicemail-via-pdf-d3587209 | |
Attachment: Fake Zoom installer | Sublime Security | 2y ago Nov 29th, 2023 | /feeds/core/detection-rules/attachment-fake-zoom-installer-840a12a6 | |
Attachment: File execution via Javascript | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-file-execution-via-javascript-627ae0b1 | |
Attachment: Filename Containing Unicode Braille Pattern Blank Character | @vector_sec | 4mo ago Feb 20th, 2025 | /feeds/core/detection-rules/attachment-filename-containing-unicode-braille-pattern-blank-character-c230ca86 | |
Attachment: Filename Containing Unicode Right-to-Left Override Character | @vector_sec | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-filename-containing-unicode-right-to-left-override-character-357c57a1 | |
Attachment: HTML Attachment with Javascript location | @vector_sec | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-attachment-with-javascript-location-e0611295 | |
Attachment: HTML Attachment with Login Portal Indicators | @ajpc500 | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-html-attachment-with-login-portal-indicators-3aabf4a7 | |
Attachment: HTML file contains exclusively Javascript | Sublime Security | 1y ago Feb 1st, 2024 | /feeds/core/detection-rules/attachment-html-file-contains-exclusively-javascript-b6d38168 | |
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts | Sublime Security | 5mo ago Feb 3rd, 2025 | /feeds/core/detection-rules/attachment-html-file-with-excessive-const-declarations-and-abnormally-long-timeouts-66f8a07a | |
Attachment: HTML file with excessive padding and suspicious patterns | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-file-with-excessive-padding-and-suspicious-patterns-0a6aee1e | |
Attachment: HTML file with reference to recipient and suspicious patterns | Sublime Security | 1y ago May 3rd, 2024 | /feeds/core/detection-rules/attachment-html-file-with-reference-to-recipient-and-suspicious-patterns-5333493d | |
Attachment: HTML smuggling 'body onload' linking to suspicious destination | Sublime Security | 2y ago Sep 22nd, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-body-onload-linking-to-suspicious-destination-c1e2beed | |
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text | Sublime Security | 2y ago Sep 25th, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-body-onload-with-high-entropy-and-suspicious-text-329ac12d |