Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Mar 21st, 2025

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: DocuSign Impersonation (PDF) linking to New Domain <=3d	Sublime Security	11mo ago Apr 25th, 2024	Credential Phishing Impersonation: Brand PDF Social engineering Header analysis Sender analysis URL analysis File analysis Computer Vision Whois	/feeds/core/detection-rules/attachment-docusign-impersonation-pdf-linking-to-new-domain-less3d-f0c96282
BEC/Fraud: Urgent Language and Suspicious Sending/Infrastructure Patterns	Sublime Security	13d ago Mar 10th, 2025	BEC/Fraud Callback Phishing Spam Impersonation: Brand Social engineering Free email provider Content analysis Header analysis Sender analysis Whois	/feeds/core/detection-rules/becfraud-urgent-language-and-suspicious-sendinginfrastructure-patterns-ba8a79e0
Brand impersonation: Microsoft fake sign-in alert	Sublime Security	11mo ago Apr 25th, 2024	Credential Phishing Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Sender analysis Whois	/feeds/core/detection-rules/brand-impersonation-microsoft-fake-sign-in-alert-3f4c9e7a
Brand impersonation: Silicon Valley Bank	Sublime Security	11mo ago Apr 25th, 2024	Credential Phishing Impersonation: Brand Lookalike domain Social engineering Sender analysis Whois	/feeds/core/detection-rules/brand-impersonation-silicon-valley-bank-a01f61d9
Brand Impersonation: Stripe Notification	Sublime Security	6mo ago Aug 27th, 2024	Credential Phishing Evasion Impersonation: Brand Social engineering Content analysis Header analysis URL analysis Whois	/feeds/core/detection-rules/brand-impersonation-stripe-notification-3ffd2b03
Callback Phishing: Branded invoice from sender/reply-to domain less than 30 days old	Sublime Security	11mo ago Apr 25th, 2024	Callback Phishing Impersonation: Brand Out of band pivot Social engineering Header analysis Natural Language Understanding Optical Character Recognition Whois	/feeds/core/detection-rules/callback-phishing-branded-invoice-from-senderreply-to-domain-less-than-30-days-old-e6f4af53
Impersonation: Suspected supplier impersonation with suspicious content	Sublime Security	1mo ago Feb 3rd, 2025	BEC/Fraud Evasion Free email provider Lookalike domain Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis Whois	/feeds/core/detection-rules/impersonation-suspected-supplier-impersonation-with-suspicious-content-63d8b1ce
Link: Abused Adobe Express	Sublime Security	3mo ago Dec 16th, 2024	Credential Phishing Evasion Free subdomain host Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-abused-adobe-express-c7d17bfd
Link: Google Firebase Dynamic Link that Redirects to New Domain (<7 days old)	@ajpc500	11mo ago Apr 25th, 2024	Credential Phishing Malware/Ransomware Evasion URL analysis Whois	/feeds/core/detection-rules/link-google-firebase-dynamic-link-that-redirects-to-new-domain-less7-days-old-5a204a37
Link: Multistage Landing - Abused Adobe frame.io	Sublime Security	20d ago Mar 3rd, 2025	Credential Phishing Evasion Free file host Content analysis Whois Computer Vision URL analysis HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-adobe-frameio-a6c457c5
Link: Multistage Landing - Abused Docusign	Sublime Security	2mo ago Jan 3rd, 2025	Credential Phishing Evasion Free subdomain host Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-docusign-4189a645
Link: Multistage Landing - Abused Google Drive	Sublime Security	3mo ago Dec 3rd, 2024	Credential Phishing Evasion Free email provider Free file host Content analysis Sender analysis URL analysis Whois HTML analysis	/feeds/core/detection-rules/link-multistage-landing-abused-google-drive-c86288b4
New link domain (<=10d) from untrusted sender	Sublime Security	11mo ago Apr 25th, 2024	Credential Phishing Malware/Ransomware Sender analysis URL analysis Whois	/feeds/core/detection-rules/new-link-domain-less10d-from-untrusted-sender-4805b0e6
New sender domain (<=10d) from untrusted sender	Sublime Security	4mo ago Nov 20th, 2024	Sender analysis Whois	/feeds/core/detection-rules/new-sender-domain-less10d-from-untrusted-sender-d87fa543
Recruitee Infrastructure Abuse	Sublime Security	20d ago Mar 3rd, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Content analysis Natural Language Understanding Sender analysis URL analysis Whois	/feeds/core/detection-rules/recruitee-infrastructure-abuse-31cab83d
Service Abuse: Google Drive Share From New Reply-To Domain	Sublime Security	2mo ago Jan 9th, 2025	BEC/Fraud Callback Phishing Credential Phishing Free email provider Social engineering Free file host Header analysis Sender analysis Whois	/feeds/core/detection-rules/service-abuse-google-drive-share-from-new-reply-to-domain-c1a2d367
Spam: Fake photo share	Sublime Security	2mo ago Jan 9th, 2025	Spam Evasion Social engineering Content analysis Sender analysis URL analysis Whois	/feeds/core/detection-rules/spam-fake-photo-share-eb086f7d
Spam: New link domain (<=10d) and emojis	Sublime Security	11mo ago Apr 25th, 2024	Spam Free email provider Content analysis Sender analysis URL analysis Whois	/feeds/core/detection-rules/spam-new-link-domain-less10d-and-emojis-33677993
Suspected Lookalike domain with suspicious language	Sublime Security	2mo ago Dec 24th, 2024	BEC/Fraud Evasion Lookalike domain Social engineering Content analysis Natural Language Understanding Sender analysis Whois	/feeds/core/detection-rules/suspected-lookalike-domain-with-suspicious-language-3674ced0
Suspicious newly registered reply-to domain with engaging financial or urgent language	Sublime Security	6mo ago Sep 16th, 2024	BEC/Fraud Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis Whois	/feeds/core/detection-rules/suspicious-newly-registered-reply-to-domain-with-engaging-financial-or-urgent-language-db4d9bb3
VIP impersonation: Fake thread with display name match, email mismatch	Sublime Security	7mo ago Jul 29th, 2024	BEC/Fraud Evasion Impersonation: VIP Social engineering Spoofing Content analysis Header analysis Sender analysis Whois	/feeds/core/detection-rules/vip-impersonation-fake-thread-with-display-name-match-email-mismatch-11cc3e28