Sublime Core Feed
This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.
Sublime Security
Last updated Jun 18th, 2025
Feed Source
Detection Method is
Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Attachment: Adobe image lure in body or attachment with suspicious link | Sublime Security | 1mo ago May 16th, 2025 | /feeds/core/detection-rules/attachment-adobe-image-lure-in-body-or-attachment-with-suspicious-link-1d7add81 | |
Attachment: Calendar invite with suspicious link leading to an open redirect | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/attachment-calendar-invite-with-suspicious-link-leading-to-an-open-redirect-5d6294c7 | |
Attachment: Callback Phishing solicitation via image file | @vector_sec | 3mo ago Mar 12th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-image-file-60acbb36 | |
Attachment: DocuSign Impersonation (PDF) linking to New Domain <=3d | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/attachment-docusign-impersonation-pdf-linking-to-new-domain-less3d-f0c96282 | |
Attachment: EML file with IPFS links | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/attachment-eml-file-with-ipfs-links-1fe9d7e7 | |
Attachment: EML with link to credential phishing page | Sublime Security | 9mo ago Sep 13th, 2024 | /feeds/core/detection-rules/attachment-eml-with-link-to-credential-phishing-page-1df41cca | |
Attachment: Fake Slack installer | Sublime Security | 2y ago Nov 29th, 2023 | /feeds/core/detection-rules/attachment-fake-slack-installer-cded2d2f | |
Attachment: Fake Voicemail via PDF | Sublime Security | 1mo ago Apr 30th, 2025 | /feeds/core/detection-rules/attachment-fake-voicemail-via-pdf-d3587209 | |
Attachment: Fake Zoom installer | Sublime Security | 2y ago Nov 29th, 2023 | /feeds/core/detection-rules/attachment-fake-zoom-installer-840a12a6 | |
Attachment: HTML smuggling 'body onload' linking to suspicious destination | Sublime Security | 2y ago Sep 22nd, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-body-onload-linking-to-suspicious-destination-c1e2beed | |
Attachment: HTML Smuggling Microsoft Sign In | Sublime Security | 1y ago Jan 31st, 2024 | /feeds/core/detection-rules/attachment-html-smuggling-microsoft-sign-in-878d6385 | |
Attachment: HTML smuggling - QR Code with suspicious links | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/attachment-html-smuggling-qr-code-with-suspicious-links-010e757d | |
Attachment: HTML smuggling with atob and high entropy | Sublime Security | 9mo ago Aug 29th, 2024 | /feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-03fcac11 | |
Attachment: HTML smuggling with auto-downloaded file | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-auto-downloaded-file-abf724f5 | |
Attachment: Legal Themed Message with PDF Containing Suspicious Link | Sublime Security | 13d ago Jun 6th, 2025 | /feeds/core/detection-rules/attachment-legal-themed-message-with-pdf-containing-suspicious-link-19133301 | |
Attachment: Link to Doubleclick.net Open Redirect | Sublime Security | 7mo ago Oct 24th, 2024 | /feeds/core/detection-rules/attachment-link-to-doubleclicknet-open-redirect-506c16cc | |
Attachment: Office document loads remote document template | Sublime Security | 1y ago Feb 12th, 2024 | /feeds/core/detection-rules/attachment-office-document-loads-remote-document-template-d9601104 | |
Attachment: Office Document with VSTO Add-in | @vector_sec | 1y ago Jan 11th, 2024 | /feeds/core/detection-rules/attachment-office-document-with-vsto-add-in-27afa730 | |
Attachment: Office file contains OLE relationship to credential phishing page | Sublime Security | 6mo ago Dec 18th, 2024 | /feeds/core/detection-rules/attachment-office-file-contains-ole-relationship-to-credential-phishing-page-d55793d0 | |
Attachment: PDF file with Link to Fake Bitcoin Exchange | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-pdf-file-with-link-to-fake-bitcoin-exchange-47601cb7 | |
Attachment: PDF file with low reputation link to ZIP file (unsolicited) | Michael Tingle | 1y ago May 3rd, 2024 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-link-to-zip-file-unsolicited-d1ee2859 | |
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited) | Sublime Security | 1y ago Jan 30th, 2024 | /feeds/core/detection-rules/attachment-pdf-with-credential-theft-language-and-link-to-a-free-subdomain-unsolicited-90f4ef4e | |
Attachment: PDF with link to DMG file download | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/attachment-pdf-with-link-to-dmg-file-download-2c486fe0 | |
Attachment: PDF with link to zip containing a wsf file | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/attachment-pdf-with-link-to-zip-containing-a-wsf-file-93bc7db4 | |
Attachment: PDF with suspicious language and redirect to suspicious file type | Sublime Security | 1y ago May 22nd, 2024 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-language-and-redirect-to-suspicious-file-type-adda3c3f | |
Attachment: QR code with credential phishing indicators | Sublime Security | 2mo ago Apr 14th, 2025 | /feeds/core/detection-rules/attachment-qr-code-with-credential-phishing-indicators-9f1681e1 | |
Attachment: RTF file with suspicious link | Sublime Security | 10mo ago Aug 2nd, 2024 | /feeds/core/detection-rules/attachment-rtf-file-with-suspicious-link-c848f9aa | |
Attachment: Small text file with link containing recipient email address | Sublime Security | 7mo ago Oct 23rd, 2024 | /feeds/core/detection-rules/attachment-small-text-file-with-link-containing-recipient-email-address-c0472c9d | |
Brand Impersonation: AliExpress | Sublime Security | 1mo ago Apr 28th, 2025 | /feeds/core/detection-rules/brand-impersonation-aliexpress-b14703d8 | |
Brand Impersonation: Chase bank with credential phishing indicators | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/brand-impersonation-chase-bank-with-credential-phishing-indicators-d9577856 | |
Brand Impersonation: Coinbase with suspicious links | Sublime Security | 2y ago Nov 18th, 2023 | /feeds/core/detection-rules/brand-impersonation-coinbase-with-suspicious-links-b61e2f8e | |
Brand impersonation: DocuSign | Sublime Security | 29d ago May 21st, 2025 | /feeds/core/detection-rules/brand-impersonation-docusign-4d29235c | |
Brand Impersonation: DocuSign pdf attachment with suspicious link | Sublime Security | 4mo ago Feb 3rd, 2025 | /feeds/core/detection-rules/brand-impersonation-docusign-pdf-attachment-with-suspicious-link-2601cbb7 | |
Brand Impersonation: Fake DocuSign HTML table not linking to DocuSign domains | Sublime Security | 16d ago Jun 3rd, 2025 | /feeds/core/detection-rules/brand-impersonation-fake-docusign-html-table-not-linking-to-docusign-domains-28923dde | |
Brand Impersonation: Fake Fax | Sublime Security | 17d ago Jun 2nd, 2025 | /feeds/core/detection-rules/brand-impersonation-fake-fax-2a96b90a | |
Brand impersonation: Google Drive fake file share | Sublime Security | 21d ago May 29th, 2025 | /feeds/core/detection-rules/brand-impersonation-google-drive-fake-file-share-b424a941 | |
Brand impersonation: Google fake sign-in warning | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/brand-impersonation-google-fake-sign-in-warning-2d998eee | |
Brand impersonation: Microsoft logo or suspicious language with open redirect | Sublime Security | 1y ago Mar 7th, 2024 | /feeds/core/detection-rules/brand-impersonation-microsoft-logo-or-suspicious-language-with-open-redirect-27b8d8d8 | |
Brand Impersonation: Microsoft Planner With Suspicious Link | Sublime Security | 8mo ago Oct 9th, 2024 | /feeds/core/detection-rules/brand-impersonation-microsoft-planner-with-suspicious-link-ea363c08 | |
Brand Impersonation: Microsoft Teams Invitation | Sublime Security | 1mo ago May 5th, 2025 | /feeds/core/detection-rules/brand-impersonation-microsoft-teams-invitation-46410ad8 | |
Brand impersonation: Microsoft with low reputation links | Sublime Security | 1mo ago May 7th, 2025 | /feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6 | |
Brand Impersonation: Navan | Sublime Security | 2mo ago Apr 4th, 2025 | /feeds/core/detection-rules/brand-impersonation-navan-3573e9a8 | |
Brand impersonation: Sharepoint fake file share | Sublime Security | 7d ago Jun 12th, 2025 | /feeds/core/detection-rules/brand-impersonation-sharepoint-fake-file-share-ff8b296b | |
Brand Impersonation: Stripe Notification | Sublime Security | 9mo ago Aug 27th, 2024 | /feeds/core/detection-rules/brand-impersonation-stripe-notification-3ffd2b03 | |
Brand Impersonation: Zoom | Sublime Security | 1mo ago May 15th, 2025 | /feeds/core/detection-rules/brand-impersonation-zoom-5abad540 | |
Callback Phishing via Adobe Sign comment | Sublime Security | 1mo ago Apr 25th, 2025 | /feeds/core/detection-rules/callback-phishing-via-adobe-sign-comment-7eb4516d | |
Callback Phishing via DocuSign comment | Sublime Security | 5mo ago Jan 2nd, 2025 | /feeds/core/detection-rules/callback-phishing-via-docusign-comment-48aec918 | |
Callback Phishing via Xodo Sign comment | Sublime Security | 1mo ago Apr 28th, 2025 | /feeds/core/detection-rules/callback-phishing-via-xodo-sign-comment-6f722c5d | |
Canva Design With Suspicious Embedded Link | Sublime Security | 1mo ago May 16th, 2025 | /feeds/core/detection-rules/canva-design-with-suspicious-embedded-link-02959e22 | |
ClickFunnels link infrastructure abuse | Sublime Security | 1mo ago May 16th, 2025 | /feeds/core/detection-rules/clickfunnels-link-infrastructure-abuse-9192fbe9 |