Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Apr 28th, 2025

Feed Source

GitHub

Detection Method is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: MSI Installer file	@ajpc500	2y ago Aug 21st, 2023	Malware/Ransomware Evasion Archive analysis File analysis	/feeds/core/detection-rules/attachment-msi-installer-file-ae17b1a9
Attachment: Office document loads remote document template	Sublime Security	1y ago Feb 12th, 2024	Malware/Ransomware Archive analysis File analysis URL analysis	/feeds/core/detection-rules/attachment-office-document-loads-remote-document-template-d9601104
Attachment: Office Document with VSTO Add-in	@vector_sec	1y ago Jan 11th, 2024	Malware/Ransomware Scripting Archive analysis Content analysis Exif analysis File analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-office-document-with-vsto-add-in-27afa730
Attachment: Office file with suspicious function calls or downloaded file path	Sublime Security	1y ago Feb 9th, 2024	Malware/Ransomware Evasion Scripting Archive analysis File analysis	/feeds/core/detection-rules/attachment-office-file-with-suspicious-function-calls-or-downloaded-file-path-4c78b969
Attachment: OLE external relationship containing file scheme link to executable filetype	Sublime Security	12d ago Apr 17th, 2025	Malware/Ransomware Evasion Archive analysis Content analysis OLE analysis Sender analysis	/feeds/core/detection-rules/attachment-ole-external-relationship-containing-file-scheme-link-to-executable-filetype-33bf6fd4
Attachment: OLE external relationship containing file scheme link to IP address	Sublime Security	1y ago Apr 12th, 2024	Malware/Ransomware Evasion Archive analysis Content analysis OLE analysis Sender analysis	/feeds/core/detection-rules/attachment-ole-external-relationship-containing-file-scheme-link-to-ip-address-3aab998c
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)	Sublime Security	12mo ago May 3rd, 2024	Malware/Ransomware Evasion PDF Archive analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-links-to-suspicious-filetypes-unsolicited-6144f880
Attachment: PDF file with low reputation link to ZIP file (unsolicited)	Michael Tingle	12mo ago May 3rd, 2024	Malware/Ransomware Evasion PDF Archive analysis File analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-link-to-zip-file-unsolicited-d1ee2859
Attachment: PDF with link to DMG file download	Sublime Security	1y ago Apr 25th, 2024	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-with-link-to-dmg-file-download-2c486fe0
Attachment: PDF with link to zip containing a wsf file	Sublime Security	1y ago Apr 25th, 2024	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-with-link-to-zip-containing-a-wsf-file-93bc7db4
Attachment: PowerShell Content	@ajpc500	2y ago Aug 21st, 2023	Malware/Ransomware Scripting Archive analysis File analysis	/feeds/core/detection-rules/attachment-powershell-content-c12566db
Attachment: RDP Connection file	@ajpc500	2y ago Aug 21st, 2023	Malware/Ransomware Credential Phishing Archive analysis File analysis	/feeds/core/detection-rules/attachment-rdp-connection-file-2409a422
Attachment: RTF file with suspicious link	Sublime Security	9mo ago Aug 2nd, 2024	Credential Phishing Evasion Archive analysis File analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-rtf-file-with-suspicious-link-c848f9aa
Attachment soliciting user to enable macros	Sublime Security	2y ago Dec 19th, 2023	Malware/Ransomware Macros Archive analysis File analysis Macro analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-soliciting-user-to-enable-macros-e9d75515
Attachment: SVG file execution	Sublime Security	2y ago Aug 21st, 2023	Malware/Ransomware Scripting Archive analysis Content analysis File analysis	/feeds/core/detection-rules/attachment-svg-file-execution-084b0cde
Attachment: Uncommon compressed file	Sublime Security	2y ago Aug 21st, 2023	Malware/Ransomware Credential Phishing Archive analysis File analysis	/feeds/core/detection-rules/attachment-uncommon-compressed-file-0c6fba7a
Attachment with auto-executing macro (unsolicited)	Sublime Security	2y ago Dec 19th, 2023	Malware/Ransomware Macros Archive analysis Header analysis File analysis Macro analysis OLE analysis Sender analysis	/feeds/core/detection-rules/attachment-with-auto-executing-macro-unsolicited-af6624c3
Attachment with auto-opening VBA macro (unsolicited)	Sublime Security	2y ago Dec 19th, 2023	Malware/Ransomware Macros Archive analysis File analysis Macro analysis Sender analysis	/feeds/core/detection-rules/attachment-with-auto-opening-vba-macro-unsolicited-d48b3e53
Attachment with encrypted zip (unsolicited)	Sublime Security	2y ago Nov 25th, 2023	Malware/Ransomware Evasion Encryption Archive analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-with-encrypted-zip-unsolicited-697c87ae
Attachment with macro calling executable	Sublime Security	2y ago Dec 19th, 2023	Malware/Ransomware Evasion Macros Archive analysis File analysis	/feeds/core/detection-rules/attachment-with-macro-calling-executable-5ee6a197
Attachment with unscannable encrypted zip (unsolicited)	Sublime Security	2y ago Nov 1st, 2023	Malware/Ransomware Encryption Evasion Archive analysis File analysis Sender analysis YARA	/feeds/core/detection-rules/attachment-with-unscannable-encrypted-zip-unsolicited-529d4a9a
Attachment with VBA macros from employee impersonation (unsolicited)	Sublime Security	1y ago Feb 26th, 2024	Malware/Ransomware Impersonation: Employee Macros Social engineering Archive analysis File analysis Macro analysis Sender analysis	/feeds/core/detection-rules/attachment-with-vba-macros-from-employee-impersonation-unsolicited-9b262123
HTML smuggling containing recipient email address	Sublime Security	28d ago Apr 1st, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis File analysis Sender analysis	/feeds/core/detection-rules/html-smuggling-containing-recipient-email-address-af32ff2f
Link to auto-downloaded disk image in encrypted zip	@ajpc500	1y ago Apr 25th, 2024	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA	/feeds/core/detection-rules/link-to-auto-downloaded-disk-image-in-encrypted-zip-b50f0cb1
Link to auto-downloaded DMG in archive	Sublime Security	1y ago Apr 25th, 2024	Malware/Ransomware Evasion Archive analysis File analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-archive-dc04cdd8
Link to auto-downloaded DMG in encrypted zip	Sublime Security	1y ago Apr 25th, 2024	Malware/Ransomware Encryption Evasion Social engineering Archive analysis File analysis Sender analysis URL analysis YARA	/feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-encrypted-zip-43af98d3
Link to auto-download of a suspicious file type (unsolicited)	Sublime Security	1mo ago Mar 5th, 2025	Malware/Ransomware Encryption Evasion LNK Social engineering Archive analysis File analysis Sender analysis URL analysis YARA	/feeds/core/detection-rules/link-to-auto-download-of-a-suspicious-file-type-unsolicited-67ae2152
MalwareBazaar: Malicious attachment hash in archive (trusted reporters)	Sublime Security	2y ago Dec 20th, 2023	Malware/Ransomware Evasion Archive analysis File analysis Sender analysis Threat intelligence	/feeds/core/detection-rules/malwarebazaar-malicious-attachment-hash-in-archive-trusted-reporters-9d734281
Malware: Pikabot delivery via URL auto-download	Sublime Security	1y ago Apr 25th, 2024	Malware/Ransomware Evasion Archive analysis File analysis Threat intelligence URL analysis	/feeds/core/detection-rules/malware-pikabot-delivery-via-url-auto-download-f4be4572
Non-RFC Compliant Calendar Files from unsolicited sender	Sublime Security	5mo ago Nov 20th, 2024	Evasion Social engineering Archive analysis Content analysis File analysis Sender analysis	/feeds/core/detection-rules/non-rfc-compliant-calendar-files-from-unsolicited-sender-9859f100
QR code to auto-download of a suspicious file type (unsolicited)	Sublime Security	5mo ago Nov 20th, 2024	Malware/Ransomware Evasion LNK Social engineering Archive analysis File analysis Sender analysis URL analysis QR code analysis	/feeds/core/detection-rules/qr-code-to-auto-download-of-a-suspicious-file-type-unsolicited-eed87ea2