Sublime Core Feed
This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.
Sublime Security
Last updated Jun 18th, 2025
Rule Name & Severity | Author | Last Updated | Labels | |
---|---|---|---|---|
Adobe branded PDF file linking to a password-protected file from untrusted sender | Sublime Security | 1y ago Feb 23rd, 2024 | /feeds/core/detection-rules/adobe-branded-pdf-file-linking-to-a-password-protected-file-from-untrusted-sender-5ea75469 | |
Attachment: Adobe image lure in body or attachment with suspicious link | Sublime Security | 1mo ago May 16th, 2025 | /feeds/core/detection-rules/attachment-adobe-image-lure-in-body-or-attachment-with-suspicious-link-1d7add81 | |
Attachment: Callback Phishing solicitation via image file | @vector_sec | 3mo ago Mar 12th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-image-file-60acbb36 | |
Attachment: Callback Phishing solicitation via pdf file | Sublime Security | 14h ago Jun 18th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097 | |
Attachment: Dropbox image lure with no Dropbox domains in links | Sublime Security | 1y ago Jan 23rd, 2024 | /feeds/core/detection-rules/attachment-dropbox-image-lure-with-no-dropbox-domains-in-links-500eee2d | |
Attachment: EML with link to credential phishing page | Sublime Security | 9mo ago Sep 13th, 2024 | /feeds/core/detection-rules/attachment-eml-with-link-to-credential-phishing-page-1df41cca | |
Attachment: Fake attachment image lure | Sublime Security | 20d ago May 30th, 2025 | /feeds/core/detection-rules/attachment-fake-attachment-image-lure-96b8b285 | |
Attachment: Fake scan-to-email | Sublime Security | 7mo ago Oct 28th, 2024 | /feeds/core/detection-rules/attachment-fake-scan-to-email-ea850cc1 | |
Attachment: Fake Voicemail via PDF | Sublime Security | 1mo ago Apr 30th, 2025 | /feeds/core/detection-rules/attachment-fake-voicemail-via-pdf-d3587209 | |
Attachment: Microsoft 365 Credential Phishing | Sublime Security | 8mo ago Oct 16th, 2024 | /feeds/core/detection-rules/attachment-microsoft-365-credential-phishing-edce0229 | |
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited) | Sublime Security | 1y ago Jan 30th, 2024 | /feeds/core/detection-rules/attachment-pdf-with-credential-theft-language-and-link-to-a-free-subdomain-unsolicited-90f4ef4e | |
Attachment: PDF with suspicious language and redirect to suspicious file type | Sublime Security | 1y ago May 22nd, 2024 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-language-and-redirect-to-suspicious-file-type-adda3c3f | |
Attachment: RFP/RFQ impersonating government entities | Sublime Security | 1y ago Jan 30th, 2024 | /feeds/core/detection-rules/attachment-rfprfq-impersonating-government-entities-3b73e3b3 | |
Attachment soliciting user to enable macros | Sublime Security | 2y ago Dec 19th, 2023 | /feeds/core/detection-rules/attachment-soliciting-user-to-enable-macros-e9d75515 | |
Attachment: Suspicious PDF Created With Headless Browser | Sublime Security | 10d ago Jun 9th, 2025 | /feeds/core/detection-rules/attachment-suspicious-pdf-created-with-headless-browser-8f3108d7 | |
Attachment: USDA Bid Invitation Impersonation | Sublime Security | 27d ago May 23rd, 2025 | /feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493 | |
Brand impersonation: Amazon with suspicious attachment | Sublime Security | 1mo ago May 14th, 2025 | /feeds/core/detection-rules/brand-impersonation-amazon-with-suspicious-attachment-5751dcb9 | |
Brand impersonation: DocuSign branded attachment lure with no DocuSign links | Sublime Security | 15d ago Jun 4th, 2025 | /feeds/core/detection-rules/brand-impersonation-docusign-branded-attachment-lure-with-no-docusign-links-814a5694 | |
Brand Impersonation: DocuSign pdf attachment with suspicious link | Sublime Security | 4mo ago Feb 3rd, 2025 | /feeds/core/detection-rules/brand-impersonation-docusign-pdf-attachment-with-suspicious-link-2601cbb7 | |
Brand Impersonation: Fake Fax | Sublime Security | 17d ago Jun 2nd, 2025 | /feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a | |
Brand impersonation: Google fake sign-in warning | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/brand-impersonation-google-fake-sign-in-warning-2d998eee | |
Brand Impersonation: Internal Revenue Service | Sublime Security | 2mo ago Apr 7th, 2025 | /feeds/core/detection-rules/brand-impersonation-internal-revenue-service-3c63f8e9 | |
Brand impersonation: Microsoft quarantine release notification in image attachment | Sublime Security | 11mo ago Jun 27th, 2024 | /feeds/core/detection-rules/brand-impersonation-microsoft-quarantine-release-notification-in-image-attachment-185db6b3 | |
Brand impersonation: Microsoft Teams | Sublime Security | 6mo ago Dec 3rd, 2024 | /feeds/core/detection-rules/brand-impersonation-microsoft-teams-9cd53055 | |
Brand impersonation: Microsoft with low reputation links | Sublime Security | 1mo ago May 7th, 2025 | /feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6 | |
Brand Impersonation: SendGrid | Sublime Security | 10d ago Jun 9th, 2025 | /feeds/core/detection-rules/brand-impersonation-sendgrid-d800124f | |
Brand Impersonation: TikTok | Sublime Security | 2mo ago Mar 31st, 2025 | /feeds/core/detection-rules/brand-impersonation-tiktok-aaacc8b7 | |
Callback Phishing: Branded invoice from sender/reply-to domain less than 30 days old | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/callback-phishing-branded-invoice-from-senderreply-to-domain-less-than-30-days-old-e6f4af53 | |
Callback Phishing in body or attachment (untrusted sender) | Sublime Security | 7mo ago Nov 5th, 2024 | /feeds/core/detection-rules/callback-phishing-in-body-or-attachment-untrusted-sender-b93c6f94 | |
Callback Phishing: Social Security Administration Fraud | Sublime Security | 3mo ago Feb 24th, 2025 | /feeds/core/detection-rules/callback-phishing-social-security-administration-fraud-a9049d52 | |
Callback Phishing via extensionless rfc822 attachment | Sublime Security | 1y ago Apr 23rd, 2024 | /feeds/core/detection-rules/callback-phishing-via-extensionless-rfc822-attachment-197722c4 | |
Callback phishing via Google Group abuse | Sublime Security | 1y ago Apr 23rd, 2024 | /feeds/core/detection-rules/callback-phishing-via-google-group-abuse-199d873b | |
Callback phishing via Intuit service abuse | Sublime Security | 29d ago May 21st, 2025 | /feeds/core/detection-rules/callback-phishing-via-intuit-service-abuse-f2fe1294 | |
Callback phishing via Zoho service abuse | Sublime Security | 5mo ago Jan 10th, 2025 | /feeds/core/detection-rules/callback-phishing-via-zoho-service-abuse-61e351ec | |
Commonly abused sender TLD with engaging language | Sublime Security | 10mo ago Aug 16th, 2024 | /feeds/core/detection-rules/commonly-abused-sender-tld-with-engaging-language-447386dc | |
Compensation Review With QR Code in Attached EML | Sublime Security | 2mo ago Apr 3rd, 2025 | /feeds/core/detection-rules/compensation-review-with-qr-code-in-attached-eml-98a2f03c | |
Credential Phishing: DocuSign embedded image lure with no DocuSign domains in links | Sublime Security | 8mo ago Sep 26th, 2024 | /feeds/core/detection-rules/credential-phishing-docusign-embedded-image-lure-with-no-docusign-domains-in-links-dfe8715e | |
Credential Phishing: Image as content, short or no body contents | Sublime Security | 2y ago Sep 8th, 2023 | /feeds/core/detection-rules/credential-phishing-image-as-content-short-or-no-body-contents-01313f38 | |
Extortion / Sextortion in Attachment From Untrusted Sender | Sublime Security | 17d ago Jun 2nd, 2025 | /feeds/core/detection-rules/extortion-sextortion-in-attachment-from-untrusted-sender-3cb8d32c | |
Fake scan-to-email message | Sublime Security | 1y ago Jun 7th, 2024 | /feeds/core/detection-rules/fake-scan-to-email-message-78851fbe | |
Free subdomain link with credential theft indicators | Sublime Security | 6mo ago Dec 12th, 2024 | /feeds/core/detection-rules/free-subdomain-link-with-credential-theft-indicators-9187479c | |
Google Accelerated Mobile Pages (AMP) abuse | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/google-accelerated-mobile-pages-amp-abuse-46907029 | |
Google Drive abuse: Credential phishing link | Sublime Security | 10mo ago Jul 31st, 2024 | /feeds/core/detection-rules/google-drive-abuse-credential-phishing-link-c74aece0 | |
Issuu Document With Suspicious Embedded Link | Sublime Security | 1mo ago May 5th, 2025 | /feeds/core/detection-rules/issuu-document-with-suspicious-embedded-link-0d73f43d | |
Link: Figma Design Deck With Credential Phishing Language | Sublime Security | 1mo ago May 7th, 2025 | /feeds/core/detection-rules/link-figma-design-deck-with-credential-phishing-language-87601924 | |
Link: Microsoft Dynamics 365 form phishing | Sublime Security | 7mo ago Nov 14th, 2024 | /feeds/core/detection-rules/link-microsoft-dynamics-365-form-phishing-f72b9085 | |
Link: Multistage Landing - Abuse Adobe Acrobat Hosted PDF | Sublime Security | 3d ago Jun 16th, 2025 | /feeds/core/detection-rules/link-multistage-landing-abuse-adobe-acrobat-hosted-pdf-609081ef | |
Link: Multistage Landing - Ludus Presentation | Sublime Security | 1mo ago May 14th, 2025 | /feeds/core/detection-rules/link-multistage-landing-ludus-presentation-a8b3c311 | |
Link: Multistage Landing - Scribd Document | Sublime Security | 1mo ago May 16th, 2025 | /feeds/core/detection-rules/link-multistage-landing-scribd-document-afa9807d | |
Link: QuickBooks image lure with suspicious link | Sublime Security | 1y ago May 2nd, 2024 | /feeds/core/detection-rules/link-quickbooks-image-lure-with-suspicious-link-3826a923 |