Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Mar 13th, 2026

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Adobe branded PDF file linking to a password-protected file from untrusted sender	Sublime Security	8mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Impersonation: Brand PDF Archive analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Advance Fee Fraud (AFF) from freemail provider or suspicious TLD	Sublime Security	4mo ago Nov 3rd, 2025	BEC/Fraud Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis
Attachment: Compensation review lure with QR code	Sublime Security	3mo ago Dec 10th, 2025	Credential Phishing PDF QR code Social engineering File analysis Optical Character Recognition QR code analysis Natural Language Understanding Sender analysis Header analysis
Attachment: Credit card application with WhatsApp contact	Sublime Security	3mo ago Nov 20th, 2025	BEC/Fraud Social engineering Out of band pivot Content analysis File analysis Natural Language Understanding QR code analysis
Attachment: EML with link to credential phishing page	Sublime Security	8mo ago Jul 16th, 2025	Credential Phishing Evasion Free file host Free subdomain host Social engineering Computer Vision Content analysis File analysis Header analysis HTML analysis Natural Language Understanding Optical Character Recognition URL analysis URL screenshot
Attachment: Encrypted PDF with credential theft body	Sublime Security	16d ago Feb 26th, 2026	Credential Phishing Encryption Evasion PDF Social engineering Content analysis Exif analysis File analysis Natural Language Understanding Sender analysis
Attachment: Fake attachment image lure	Sublime Security	5mo ago Sep 22nd, 2025	Credential Phishing Malware/Ransomware Evasion Image as content Social engineering File analysis Natural Language Understanding Optical Character Recognition
Attachment: Fake scan-to-email	Sublime Security	5mo ago Sep 22nd, 2025	Credential Phishing Free file host Image as content PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Attachment: Fake secure message and suspicious indicators	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Image as content Impersonation: Brand Social engineering Content analysis File analysis Header analysis Natural Language Understanding Sender analysis
Attachment: Fake Slack installer	Sublime Security	3y ago Nov 29th, 2023	Malware/Ransomware Evasion HTML smuggling Impersonation: Brand Scripting Social engineering Archive analysis Computer Vision File analysis HTML analysis Natural Language Understanding URL analysis
Attachment: Fake Zoom installer	Sublime Security	3y ago Nov 29th, 2023	Malware/Ransomware Evasion HTML smuggling Impersonation: Brand Scripting Social engineering Archive analysis Computer Vision File analysis HTML analysis Natural Language Understanding URL analysis
Attachment: Fictitious invoice using LinkedIn's address	Sublime Security	6mo ago Sep 3rd, 2025	BEC/Fraud PDF Social engineering File analysis Optical Character Recognition Natural Language Understanding Content analysis Exif analysis
Attachment: HTML smuggling - QR Code with suspicious links	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing QR code Computer Vision Header analysis Natural Language Understanding QR code analysis Sender analysis URL analysis URL screenshot
Attachment: Legal themed message or PDF with suspicious indicators	Sublime Security	1mo ago Feb 5th, 2026	Credential Phishing Extortion BEC/Fraud Evasion PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition URL analysis Whois Header analysis Exif analysis
Attachment: Microsoft impersonation via PDF with link and suspicious language	Sublime Security	8mo ago Jul 16th, 2025	Credential Phishing Malware/Ransomware Image as content Impersonation: Brand PDF Scripting Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Sender analysis
Attachment: Office file contains OLE relationship to credential phishing page	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Evasion Social engineering File analysis HTML analysis Natural Language Understanding OLE analysis URL analysis
Attachment: PDF file with low reputation link to ZIP file (unsolicited)	Michael Tingle	2mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis File analysis Natural Language Understanding Sender analysis URL analysis
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Free subdomain host PDF Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis
Attachment: PDF with Microsoft Purview message impersonation	Sublime Security	4mo ago Nov 10th, 2025	Credential Phishing Impersonation: Brand PDF Social engineering File analysis Natural Language Understanding Content analysis
Attachment: PDF with suspicious language and redirect to suspicious file type	Sublime Security	2mo ago Jan 12th, 2026	Malware/Ransomware Credential Phishing Evasion PDF File analysis Natural Language Understanding Optical Character Recognition URL analysis
Attachment: QR code link with base64-encoded recipient address	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing QR code Image as content Social engineering Evasion PDF Macros Computer Vision File analysis Natural Language Understanding QR code analysis Sender analysis
Attachment: QR code with credential phishing indicators	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing QR code Social engineering Computer Vision Header analysis Natural Language Understanding QR code analysis Sender analysis URL analysis URL screenshot
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender	Sublime Security	4mo ago Nov 4th, 2025	Credential Phishing Evasion Social engineering File analysis Header analysis Natural Language Understanding Sender analysis
Attachment: RFP/RFQ impersonating government entities	Sublime Security	2y ago Jan 30th, 2024	BEC/Fraud Impersonation: Brand PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Attachment: USDA bid invitation impersonation	Sublime Security	7mo ago Aug 5th, 2025	BEC/Fraud Impersonation: Brand PDF Macros Social engineering Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis
BEC: Employee impersonation with subject manipulation	Sublime Security	1mo ago Jan 16th, 2026	BEC/Fraud Impersonation: Employee Social engineering Content analysis Natural Language Understanding Sender analysis
BEC/Fraud: Generic scam attempt to undisclosed recipients	Sublime Security	2mo ago Jan 12th, 2026	BEC/Fraud Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis
BEC/Fraud: Job scam fake thread or plaintext pivot to freemail	Sublime Security	2mo ago Jan 12th, 2026	BEC/Fraud Free email provider Out of band pivot Content analysis File analysis Natural Language Understanding
BEC/Fraud: Student loan callback phishing	Sublime Security	6mo ago Sep 5th, 2025	BEC/Fraud Free email provider Out of band pivot Social engineering Content analysis Natural Language Understanding Sender analysis
BEC with unusual reply-to or return-path mismatch	Sublime Security	11d ago Mar 3rd, 2026	BEC/Fraud Evasion Free email provider Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis
Brand impersonation: Amazon Web Services (AWS)	Sublime Security	5mo ago Oct 10th, 2025	Credential Phishing Impersonation: Brand Social engineering Content analysis Header analysis Optical Character Recognition Sender analysis Natural Language Understanding
Brand impersonation: Amazon with suspicious attachment	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis
Brand impersonation: Aramco	Sublime Security	1mo ago Jan 28th, 2026	BEC/Fraud Impersonation: Brand Lookalike domain Social engineering Content analysis Header analysis HTML analysis Natural Language Understanding Sender analysis
Brand impersonation: Binance	Sublime Security	6mo ago Sep 3rd, 2025	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Content analysis Header analysis HTML analysis Natural Language Understanding Sender analysis
Brand impersonation: Booking.com	Sublime Security	2d ago Mar 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Natural Language Understanding Header analysis Sender analysis
Brand impersonation: Chase bank with credential phishing indicators	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision File analysis Natural Language Understanding Sender analysis URL analysis
Brand Impersonation: Disney	Sublime Security	10d ago Mar 4th, 2026	Credential Phishing Impersonation: Brand Social engineering Computer Vision Natural Language Understanding Content analysis Header analysis Sender analysis
Brand impersonation: DocuSign branded attachment lure with no DocuSign links	Sublime Security	4mo ago Oct 22nd, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL screenshot
Brand impersonation: DocuSign PDF attachment with suspicious link	Sublime Security	4mo ago Oct 22nd, 2025	Credential Phishing Impersonation: Brand PDF Social engineering File analysis Natural Language Understanding Optical Character Recognition URL analysis
Brand impersonation: Exodus	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Impersonation: Brand Social engineering Header analysis Natural Language Understanding Sender analysis
Brand impersonation: GitHub with callback scam indicators	Sublime Security	3d ago Mar 11th, 2026	Callback Phishing Impersonation: Brand Out of band pivot Social engineering Content analysis Natural Language Understanding Sender analysis
Brand impersonation: Interac	Sublime Security	2y ago Sep 16th, 2024	BEC/Fraud Impersonation: Brand Lookalike domain Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis
Brand impersonation: Internal Revenue Service	Sublime Security	2mo ago Jan 12th, 2026	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Content analysis Natural Language Understanding Optical Character Recognition Sender analysis
Brand impersonation: LastPass	Sublime Security	9d ago Mar 5th, 2026	Credential Phishing Impersonation: Brand Social engineering Content analysis Natural Language Understanding Sender analysis URL analysis Header analysis
Brand impersonation: Mailchimp	Sublime Security	5mo ago Sep 22nd, 2025	Credential Phishing Impersonation: Brand Social engineering Computer Vision Natural Language Understanding Content analysis Header analysis Sender analysis
Brand impersonation: McAfee	Sublime Security	3d ago Mar 11th, 2026	Credential Phishing BEC/Fraud Callback Phishing Impersonation: Brand Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis
Brand impersonation: MetaMask	Sublime Security	5mo ago Sep 22nd, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Computer Vision Natural Language Understanding Sender analysis Header analysis
Brand impersonation: Microsoft logo or suspicious language with open redirect	Sublime Security	2y ago Mar 7th, 2024	BEC/Fraud Impersonation: Brand Open redirect Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis
Brand impersonation: Microsoft Planner with suspicious link	Sublime Security	1mo ago Feb 6th, 2026	Credential Phishing Evasion Image as content Impersonation: Brand Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis
Brand impersonation: Microsoft quarantine release notification in image attachment	Sublime Security	8mo ago Jul 16th, 2025	Credential Phishing Free file host Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis

208 Rules

Page 1 of 5