Sublime Core Feed
This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.
Sublime Security
Last updated Jul 17th, 2025
Feed Source
Detection Method is
Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Adobe branded PDF file linking to a password-protected file from untrusted sender | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/adobe-branded-pdf-file-linking-to-a-password-protected-file-from-untrusted-sender-5ea75469 | |
Advance Fee Fraud (AFF) from freemail provider or suspicious TLD | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/advance-fee-fraud-aff-from-freemail-provider-or-suspicious-tld-6a5af373 | |
Attachment: EML with link to credential phishing page | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-eml-with-link-to-credential-phishing-page-1df41cca | |
Attachment: Encrypted PDF With Credential Theft Body | Sublime Security | 6d ago Jul 14th, 2025 | /feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a | |
Attachment: Fake attachment image lure | Sublime Security | 9d ago Jul 11th, 2025 | /feeds/core/detection-rules/attachment-fake-attachment-image-lure-96b8b285 | |
Attachment: Fake scan-to-email | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-fake-scan-to-email-ea850cc1 | |
Attachment: Fake secure message and suspicious indicators | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-fake-secure-message-and-suspicious-indicators-20a34d94 | |
Attachment: Fake Slack installer | Sublime Security | 2y ago Nov 29th, 2023 | /feeds/core/detection-rules/attachment-fake-slack-installer-cded2d2f | |
Attachment: Fake Zoom installer | Sublime Security | 2y ago Nov 29th, 2023 | /feeds/core/detection-rules/attachment-fake-zoom-installer-840a12a6 | |
Attachment: HTML smuggling - QR Code with suspicious links | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-html-smuggling-qr-code-with-suspicious-links-010e757d | |
Attachment: Legal Themed Message with PDF Containing Suspicious Link | Sublime Security | 1mo ago Jun 6th, 2025 | /feeds/core/detection-rules/attachment-legal-themed-message-with-pdf-containing-suspicious-link-19133301 | |
Attachment: Microsoft impersonation via PDF with link and suspicious language | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-microsoft-impersonation-via-pdf-with-link-and-suspicious-language-70d41c7f | |
Attachment: Office file contains OLE relationship to credential phishing page | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-office-file-contains-ole-relationship-to-credential-phishing-page-d55793d0 | |
Attachment: PDF file with low reputation link to ZIP file (unsolicited) | Michael Tingle | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-link-to-zip-file-unsolicited-d1ee2859 | |
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-pdf-with-credential-theft-language-and-link-to-a-free-subdomain-unsolicited-90f4ef4e | |
Attachment: PDF with suspicious language and redirect to suspicious file type | Sublime Security | 1y ago May 22nd, 2024 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-language-and-redirect-to-suspicious-file-type-adda3c3f | |
Attachment: QR Code Link With Base64-Encoded Recipient Address | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a | |
Attachment: QR code with credential phishing indicators | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-qr-code-with-credential-phishing-indicators-9f1681e1 | |
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-rfc822-containing-suspicious-file-sharing-language-with-links-from-untrusted-sender-d96854d7 | |
Attachment: RFP/RFQ impersonating government entities | Sublime Security | 1y ago Jan 30th, 2024 | /feeds/core/detection-rules/attachment-rfprfq-impersonating-government-entities-3b73e3b3 | |
Attachment: USDA Bid Invitation Impersonation | Sublime Security | 1mo ago May 23rd, 2025 | /feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493 | |
BEC: Employee impersonation with subject manipulation | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/bec-employee-impersonation-with-subject-manipulation-9adfc77b | |
BEC/Fraud: Generic Scam attempt to Undisclosed Receipients | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/becfraud-generic-scam-attempt-to-undisclosed-receipients-5dac401f | |
BEC/Fraud - Job Scam Fake thread or plaintext pivot to freemail | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/becfraud-job-scam-fake-thread-or-plaintext-pivot-to-freemail-ce21c151 | |
BEC/Fraud - Student loan callback phishing | Sublime Security | 9mo ago Oct 4th, 2024 | /feeds/core/detection-rules/becfraud-student-loan-callback-phishing-a71f82c3 | |
BEC with unusual Reply-to or Return-path mismatch | Sublime Security | 10mo ago Aug 27th, 2024 | /feeds/core/detection-rules/bec-with-unusual-reply-to-or-return-path-mismatch-83e5e2df | |
Brand impersonation: Amazon with suspicious attachment | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-amazon-with-suspicious-attachment-5751dcb9 | |
Brand impersonation: Aramco | Sublime Security | 9mo ago Oct 10th, 2024 | /feeds/core/detection-rules/brand-impersonation-aramco-96e87699 | |
Brand impersonation: Binance | Sublime Security | 4mo ago Feb 24th, 2025 | /feeds/core/detection-rules/brand-impersonation-binance-c3302a76 | |
Brand Impersonation: Booking.com | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-bookingcom-d1d8882f | |
Brand Impersonation: Chase bank with credential phishing indicators | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/brand-impersonation-chase-bank-with-credential-phishing-indicators-d9577856 | |
Brand impersonation: DocuSign branded attachment lure with no DocuSign links | Sublime Security | 12d ago Jul 8th, 2025 | /feeds/core/detection-rules/brand-impersonation-docusign-branded-attachment-lure-with-no-docusign-links-814a5694 | |
Brand Impersonation: DocuSign pdf attachment with suspicious link | Sublime Security | 5mo ago Feb 3rd, 2025 | /feeds/core/detection-rules/brand-impersonation-docusign-pdf-attachment-with-suspicious-link-2601cbb7 | |
Brand Impersonation: Exodus | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/brand-impersonation-exodus-40c77ecc | |
Brand impersonation: Interac | Sublime Security | 10mo ago Sep 16th, 2024 | /feeds/core/detection-rules/brand-impersonation-interac-50a883dc | |
Brand Impersonation: Internal Revenue Service | Sublime Security | 3mo ago Apr 7th, 2025 | /feeds/core/detection-rules/brand-impersonation-internal-revenue-service-3c63f8e9 | |
Brand Impersonation: Mailchimp | Sublime Security | 2mo ago May 5th, 2025 | /feeds/core/detection-rules/brand-impersonation-mailchimp-48b454c7 | |
Brand Impersonation: MetaMask | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-metamask-ddb4c618 | |
Brand impersonation: Microsoft logo or suspicious language with open redirect | Sublime Security | 1y ago Mar 7th, 2024 | /feeds/core/detection-rules/brand-impersonation-microsoft-logo-or-suspicious-language-with-open-redirect-27b8d8d8 | |
Brand Impersonation: Microsoft Planner With Suspicious Link | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-microsoft-planner-with-suspicious-link-ea363c08 | |
Brand impersonation: Microsoft quarantine release notification in image attachment | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-microsoft-quarantine-release-notification-in-image-attachment-185db6b3 | |
Brand impersonation: Microsoft with embedded logo and credential theft language | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-microsoft-with-embedded-logo-and-credential-theft-language-3ee9ef3d | |
Brand impersonation: Microsoft with low reputation links | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-microsoft-with-low-reputation-links-b59201b6 | |
Brand Impersonation: Navan | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-navan-3573e9a8 | |
Brand Impersonation: SendGrid | Sublime Security | 1mo ago Jun 9th, 2025 | /feeds/core/detection-rules/brand-impersonation-sendgrid-d800124f | |
Brand impersonation: Sharepoint | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-sharepoint-284b1b70 | |
Brand Impersonation: TikTok | Sublime Security | 25d ago Jun 25th, 2025 | /feeds/core/detection-rules/brand-impersonation-tiktok-aaacc8b7 | |
Brand Impersonation: Trust Wallet | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-trust-wallet-e456974c | |
Brand impersonation: USPS | Sublime Security | 7mo ago Dec 16th, 2024 | /feeds/core/detection-rules/brand-impersonation-usps-28b9130a | |
Brand Impersonation: Vanguard | Sublime Security | 3mo ago Apr 11th, 2025 | /feeds/core/detection-rules/brand-impersonation-vanguard-3bd048fe |