Sublime Core Feed
This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.
Sublime Security
Last updated Mar 21st, 2025
Rule Name & Severity | Author | Last Updated | Rule Path | Labels |
---|---|---|---|---|
Adobe branded PDF file linking to a password-protected file from untrusted sender | Sublime Security | 1y ago Feb 23rd, 2024 | /feeds/core/detection-rules/adobe-branded-pdf-file-linking-to-a-password-protected-file-from-untrusted-sender-5ea75469 | |
Attachment: Adobe image lure in body or attachment with suspicious link | Sublime Security | 1mo ago Feb 7th, 2025 | /feeds/core/detection-rules/attachment-adobe-image-lure-in-body-or-attachment-with-suspicious-link-1d7add81 | |
Attachment: Callback Phishing solicitation via image file | @vector_sec | 11d ago Mar 12th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-image-file-60acbb36 | |
Attachment: Callback Phishing solicitation via pdf file | Sublime Security | 25d ago Feb 26th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097 | |
Attachment: Dropbox image lure with no Dropbox domains in links | Sublime Security | 1y ago Jan 23rd, 2024 | /feeds/core/detection-rules/attachment-dropbox-image-lure-with-no-dropbox-domains-in-links-500eee2d | |
Attachment: EML with link to credential phishing page | Sublime Security | 6mo ago Sep 13th, 2024 | /feeds/core/detection-rules/attachment-eml-with-link-to-credential-phishing-page-1df41cca | |
Attachment: Fake attachment image lure | Sublime Security | 8mo ago Jul 19th, 2024 | /feeds/core/detection-rules/attachment-fake-attachment-image-lure-96b8b285 | |
Attachment: Fake scan-to-email | Sublime Security | 4mo ago Oct 28th, 2024 | /feeds/core/detection-rules/attachment-fake-scan-to-email-ea850cc1 | |
Attachment: Microsoft 365 Credential Phishing | Sublime Security | 5mo ago Oct 16th, 2024 | /feeds/core/detection-rules/attachment-microsoft-365-credential-phishing-edce0229 | |
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited) | Sublime Security | 1y ago Jan 30th, 2024 | /feeds/core/detection-rules/attachment-pdf-with-credential-theft-language-and-link-to-a-free-subdomain-unsolicited-90f4ef4e | |
Attachment: PDF with suspicious language and redirect to suspicious file type | Sublime Security | 10mo ago May 22nd, 2024 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-language-and-redirect-to-suspicious-file-type-adda3c3f | |
Attachment: RFP/RFQ impersonating government entities | Sublime Security | 1y ago Jan 30th, 2024 | /feeds/core/detection-rules/attachment-rfprfq-impersonating-government-entities-3b73e3b3 | |
Attachment soliciting user to enable macros | Sublime Security | 2y ago Dec 19th, 2023 | /feeds/core/detection-rules/attachment-soliciting-user-to-enable-macros-e9d75515 | |
Brand impersonation: Amazon with suspicious attachment | Sublime Security | 10mo ago May 3rd, 2024 | /feeds/core/detection-rules/brand-impersonation-amazon-with-suspicious-attachment-5751dcb9 | |
Brand impersonation: DocuSign branded attachment lure with no DocuSign links | Sublime Security | 1mo ago Feb 20th, 2025 | /feeds/core/detection-rules/brand-impersonation-docusign-branded-attachment-lure-with-no-docusign-links-814a5694 | |
Brand Impersonation: DocuSign pdf attachment with suspicious link | Sublime Security | 1mo ago Feb 3rd, 2025 | /feeds/core/detection-rules/brand-impersonation-docusign-pdf-attachment-with-suspicious-link-2601cbb7 | |
Brand impersonation: Fake fax | Sublime Security | 1y ago Feb 23rd, 2024 | /feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a | |
Brand impersonation: Google fake sign-in warning | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/brand-impersonation-google-fake-sign-in-warning-2d998eee | |
Brand impersonation: Microsoft quarantine release notification in image attachment | Sublime Security | 8mo ago Jun 27th, 2024 | /feeds/core/detection-rules/brand-impersonation-microsoft-quarantine-release-notification-in-image-attachment-185db6b3 | |
Brand impersonation: Microsoft Teams | Sublime Security | 3mo ago Dec 3rd, 2024 | /feeds/core/detection-rules/brand-impersonation-microsoft-teams-9cd53055 | |
Brand impersonation: Microsoft with low reputation links | Sublime Security | 3mo ago Dec 18th, 2024 | /feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6 | |
Brand Impersonation: SendGrid | Sublime Security | 5d ago Mar 18th, 2025 | /feeds/core/detection-rules/brand-impersonation-sendgrid-d800124f | |
Callback Phishing: Branded invoice from sender/reply-to domain less than 30 days old | Sublime Security | 11mo ago Apr 25th, 2024 | /feeds/core/detection-rules/callback-phishing-branded-invoice-from-senderreply-to-domain-less-than-30-days-old-e6f4af53 | |
Callback Phishing in body or attachment (untrusted sender) | Sublime Security | 4mo ago Nov 5th, 2024 | /feeds/core/detection-rules/callback-phishing-in-body-or-attachment-untrusted-sender-b93c6f94 | |
Callback Phishing: Social Security Administration Fraud | Sublime Security | 27d ago Feb 24th, 2025 | /feeds/core/detection-rules/callback-phishing-social-security-administration-fraud-a9049d52 | |
Callback Phishing via extensionless rfc822 attachment | Sublime Security | 11mo ago Apr 23rd, 2024 | /feeds/core/detection-rules/callback-phishing-via-extensionless-rfc822-attachment-197722c4 | |
Callback phishing via Google Group abuse | Sublime Security | 11mo ago Apr 23rd, 2024 | /feeds/core/detection-rules/callback-phishing-via-google-group-abuse-199d873b | |
Callback phishing via Intuit service abuse | Sublime Security | 6d ago Mar 17th, 2025 | /feeds/core/detection-rules/callback-phishing-via-intuit-service-abuse-f2fe1294 | |
Callback phishing via Zoho service abuse | Sublime Security | 2mo ago Jan 10th, 2025 | /feeds/core/detection-rules/callback-phishing-via-zoho-service-abuse-61e351ec | |
Commonly abused sender TLD with engaging language | Sublime Security | 7mo ago Aug 16th, 2024 | /feeds/core/detection-rules/commonly-abused-sender-tld-with-engaging-language-447386dc | |
Credential Phishing: DocuSign embedded image lure with no DocuSign domains in links | Sublime Security | 5mo ago Sep 26th, 2024 | /feeds/core/detection-rules/credential-phishing-docusign-embedded-image-lure-with-no-docusign-domains-in-links-dfe8715e | |
Credential Phishing: Image as content, short or no body contents | Sublime Security | 2y ago Sep 8th, 2023 | /feeds/core/detection-rules/credential-phishing-image-as-content-short-or-no-body-contents-01313f38 | |
Extortion / Sextortion in Attachment From Untrusted Sender | Sublime Security | 3mo ago Dec 18th, 2024 | /feeds/core/detection-rules/extortion-sextortion-in-attachment-from-untrusted-sender-3cb8d32c | |
Fake scan-to-email message | Sublime Security | 9mo ago Jun 7th, 2024 | /feeds/core/detection-rules/fake-scan-to-email-message-78851fbe | |
Free subdomain link with credential theft indicators | Sublime Security | 3mo ago Dec 12th, 2024 | /feeds/core/detection-rules/free-subdomain-link-with-credential-theft-indicators-9187479c | |
Google Accelerated Mobile Pages (AMP) abuse | Sublime Security | 11mo ago Apr 25th, 2024 | /feeds/core/detection-rules/google-accelerated-mobile-pages-amp-abuse-46907029 | |
Google Drive abuse: Credential phishing link | Sublime Security | 7mo ago Jul 31st, 2024 | /feeds/core/detection-rules/google-drive-abuse-credential-phishing-link-c74aece0 | |
Link: Microsoft Dynamics 365 form phishing | Sublime Security | 4mo ago Nov 14th, 2024 | /feeds/core/detection-rules/link-microsoft-dynamics-365-form-phishing-f72b9085 | |
Link: QuickBooks image lure with suspicious link | Sublime Security | 10mo ago May 2nd, 2024 | /feeds/core/detection-rules/link-quickbooks-image-lure-with-suspicious-link-3826a923 | |
Link to auto-downloaded file with Adobe branding | Sublime Security | 11mo ago Apr 25th, 2024 | /feeds/core/detection-rules/link-to-auto-downloaded-file-with-adobe-branding-e826c2cf | |
Link to auto-downloaded file with Google Drive branding | Sublime Security | 11mo ago Apr 25th, 2024 | /feeds/core/detection-rules/link-to-auto-downloaded-file-with-google-drive-branding-4b5343be | |
Open Redirect: Google domain with /url path and suspicious indicators | Sublime Security | 2mo ago Jan 10th, 2025 | /feeds/core/detection-rules/open-redirect-google-domain-with-url-path-and-suspicious-indicators-fc5adf74 | |
Suspicious Attachment: Duplicate decoy PDF files | Sublime Security | 5d ago Mar 18th, 2025 | /feeds/core/detection-rules/suspicious-attachment-duplicate-decoy-pdf-files-79b9b2e7 | |
Suspicious recipient pattern and language with low reputation link to login | Sublime Security | 10mo ago Apr 30th, 2024 | /feeds/core/detection-rules/suspicious-recipient-pattern-and-language-with-low-reputation-link-to-login-a8ea0402 | |
X (Twitter) Impersonation with Credential Phishing motives | Sublime Security | 3mo ago Dec 16th, 2024 | /feeds/core/detection-rules/x-twitter-impersonation-with-credential-phishing-motives-0b60dca6 | |