Sublime Core Feed
This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.
Sublime Security
Last updated Jun 18th, 2025
Feed Source
Detection Method is
Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Brand impersonation: Wise | Sublime Security | 3mo ago Feb 20th, 2025 | /feeds/core/detection-rules/brand-impersonation-wise-01480f95 | |
Brand Impersonation: Zoom | Sublime Security | 1mo ago May 15th, 2025 | /feeds/core/detection-rules/brand-impersonation-zoom-5abad540 | |
Business Email Compromise (BEC) attempt from untrusted sender | Sublime Security | 11mo ago Jun 24th, 2024 | /feeds/core/detection-rules/business-email-compromise-bec-attempt-from-untrusted-sender-96d4c35a | |
Business Email Compromise (BEC) with request for mobile number | Sublime Security | 2mo ago Apr 4th, 2025 | /feeds/core/detection-rules/business-email-compromise-bec-with-request-for-mobile-number-514ffd68 | |
Callback Phishing: Branded invoice from sender/reply-to domain less than 30 days old | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/callback-phishing-branded-invoice-from-senderreply-to-domain-less-than-30-days-old-e6f4af53 | |
Callback Phishing in body or attachment (untrusted sender) | Sublime Security | 7mo ago Nov 5th, 2024 | /feeds/core/detection-rules/callback-phishing-in-body-or-attachment-untrusted-sender-b93c6f94 | |
Callback Phishing via Calendar Invite | Sublime Security | 2mo ago Apr 14th, 2025 | /feeds/core/detection-rules/callback-phishing-via-calendar-invite-95c84360 | |
Callback Phishing via extensionless rfc822 attachment | Sublime Security | 1y ago Apr 23rd, 2024 | /feeds/core/detection-rules/callback-phishing-via-extensionless-rfc822-attachment-197722c4 | |
Callback phishing via Google Group abuse | Sublime Security | 1y ago Apr 23rd, 2024 | /feeds/core/detection-rules/callback-phishing-via-google-group-abuse-199d873b | |
Canva Design With Suspicious Embedded Link | Sublime Security | 1mo ago May 16th, 2025 | /feeds/core/detection-rules/canva-design-with-suspicious-embedded-link-02959e22 | |
Canva Infrastructure Abuse | Sublime Security | 2mo ago Apr 1st, 2025 | /feeds/core/detection-rules/canva-infrastructure-abuse-b69fdb5c | |
Commonly abused sender TLD with engaging language | Sublime Security | 10mo ago Aug 16th, 2024 | /feeds/core/detection-rules/commonly-abused-sender-tld-with-engaging-language-447386dc | |
Corporate Services Impersonation Phishing | Sublime Security | 21d ago May 29th, 2025 | /feeds/core/detection-rules/corporate-services-impersonation-phishing-3cd04f33 | |
COVID-19 themed fraud with sender and reply-to mismatch or compensation award | Sublime Security | 3mo ago Mar 4th, 2025 | /feeds/core/detection-rules/covid-19-themed-fraud-with-sender-and-reply-to-mismatch-or-compensation-award-a16480ef | |
Credential Phishing: DocuSign embedded image lure with no DocuSign domains in links | Sublime Security | 8mo ago Sep 26th, 2024 | /feeds/core/detection-rules/credential-phishing-docusign-embedded-image-lure-with-no-docusign-domains-in-links-dfe8715e | |
Credential phishing: Email delivery failure impersonation | Sublime Security | 13d ago Jun 6th, 2025 | /feeds/core/detection-rules/credential-phishing-email-delivery-failure-impersonation-ee318b89 | |
Credential phishing: Engaging language and other indicators (untrusted sender) | Sublime Security | 15h ago Jun 18th, 2025 | /feeds/core/detection-rules/credential-phishing-engaging-language-and-other-indicators-untrusted-sender-c2bc8ca2 | |
Credential phishing: Engaging language with IPFS link | Sublime Security | 1y ago May 3rd, 2024 | /feeds/core/detection-rules/credential-phishing-engaging-language-with-ipfs-link-996c4d83 | |
Credential Phishing: Fake Password Expiration from New and Unsolicited sender | Sublime Security | 4mo ago Feb 11th, 2025 | /feeds/core/detection-rules/credential-phishing-fake-password-expiration-from-new-and-unsolicited-sender-5d9c3a75 | |
Credential Phishing: Image as content, short or no body contents | Sublime Security | 2y ago Sep 8th, 2023 | /feeds/core/detection-rules/credential-phishing-image-as-content-short-or-no-body-contents-01313f38 | |
Credential phishing language and suspicious indicators (unknown sender) | Sublime Security | 3mo ago Feb 24th, 2025 | /feeds/core/detection-rules/credential-phishing-language-and-suspicious-indicators-unknown-sender-89c186f7 | |
Credential phishing: Onedrive impersonation | Sublime Security | 15d ago Jun 4th, 2025 | /feeds/core/detection-rules/credential-phishing-onedrive-impersonation-1f990c92 | |
Credential phishing: 'Secure message' and engaging language | Sublime Security | 13d ago Jun 6th, 2025 | /feeds/core/detection-rules/credential-phishing-secure-message-and-engaging-language-bd95a7b1 | |
Credential Phishing: Suspicious language, link, recipients and other indicators | Sublime Security | 1y ago Feb 23rd, 2024 | /feeds/core/detection-rules/credential-phishing-suspicious-language-link-recipients-and-other-indicators-dcb39190 | |
Credential Phishing: Suspicious subject with urgent financial request and link | Sublime Security | 9mo ago Sep 13th, 2024 | /feeds/core/detection-rules/credential-phishing-suspicious-subject-with-urgent-financial-request-and-link-056464f4 | |
Domain Impersonation: Freemail ReplyTo_Local Lookalike with Financial Request | Sublime Security | 1y ago May 3rd, 2024 | /feeds/core/detection-rules/domain-impersonation-freemail-replytolocal-lookalike-with-financial-request-43026a40 | |
EML attachment with credential theft language (unknown sender) | Sublime Security | 7d ago Jun 12th, 2025 | /feeds/core/detection-rules/eml-attachment-with-credential-theft-language-unknown-sender-00e06af1 | |
Employee impersonation with urgent request (untrusted sender) | Sublime Security | 11mo ago Jul 17th, 2024 | /feeds/core/detection-rules/employee-impersonation-with-urgent-request-untrusted-sender-1ce9a146 | |
Extortion / Sextortion in Attachment From Untrusted Sender | Sublime Security | 17d ago Jun 2nd, 2025 | /feeds/core/detection-rules/extortion-sextortion-in-attachment-from-untrusted-sender-3cb8d32c | |
Extortion / sextortion (untrusted sender) | Sublime Security | 17d ago Jun 2nd, 2025 | /feeds/core/detection-rules/extortion-sextortion-untrusted-sender-265913eb | |
Fake email quarantine notification | Sublime Security | 3d ago Jun 16th, 2025 | /feeds/core/detection-rules/fake-email-quarantine-notification-73f26a3d | |
Fake message thread with a suspicious link and engaging language from an unknown sender | Sublime Security | 1y ago Apr 23rd, 2024 | /feeds/core/detection-rules/fake-message-thread-with-a-suspicious-link-and-engaging-language-from-an-unknown-sender-8fd0e211 | |
Fake request for tax preparation | Sublime Security | 22d ago May 28th, 2025 | /feeds/core/detection-rules/fake-request-for-tax-preparation-e36b85b3 | |
Fake shipping notification with suspicious language | Sublime Security | 1y ago May 3rd, 2024 | /feeds/core/detection-rules/fake-shipping-notification-with-suspicious-language-67748b0a | |
Fake thread with suspicious indicators | Sublime Security | 10mo ago Aug 7th, 2024 | /feeds/core/detection-rules/fake-thread-with-suspicious-indicators-c2e18a57 | |
Fake voicemail notification (untrusted sender) | Sublime Security | 23d ago May 27th, 2025 | /feeds/core/detection-rules/fake-voicemail-notification-untrusted-sender-74ba7787 | |
Free subdomain link with credential theft indicators | Sublime Security | 6mo ago Dec 12th, 2024 | /feeds/core/detection-rules/free-subdomain-link-with-credential-theft-indicators-9187479c | |
Google Accelerated Mobile Pages (AMP) abuse | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/google-accelerated-mobile-pages-amp-abuse-46907029 | |
Google Drive abuse: Credential phishing link | Sublime Security | 10mo ago Jul 31st, 2024 | /feeds/core/detection-rules/google-drive-abuse-credential-phishing-link-c74aece0 | |
Honorific greeting BEC attempt with sender and reply-to mismatch | Sublime Security | 9mo ago Aug 27th, 2024 | /feeds/core/detection-rules/honorific-greeting-bec-attempt-with-sender-and-reply-to-mismatch-aa41b1b7 | |
HR Impersonation via E-sign Agreement Comment | Sublime Security | 1mo ago May 5th, 2025 | /feeds/core/detection-rules/hr-impersonation-via-e-sign-agreement-comment-796c6f0f | |
Impersonation: Human Resources with link or attachment and engaging language | Sublime Security | 2mo ago Apr 14th, 2025 | /feeds/core/detection-rules/impersonation-human-resources-with-link-or-attachment-and-engaging-language-8c95a6a8 | |
Impersonation: Suspected supplier impersonation with suspicious content | Sublime Security | 4mo ago Feb 3rd, 2025 | /feeds/core/detection-rules/impersonation-suspected-supplier-impersonation-with-suspicious-content-63d8b1ce | |
Issuu Document With Suspicious Embedded Link | Sublime Security | 1mo ago May 5th, 2025 | /feeds/core/detection-rules/issuu-document-with-suspicious-embedded-link-0d73f43d | |
Job Scam (unsolicited sender) | Sublime Security | 3mo ago Mar 10th, 2025 | /feeds/core/detection-rules/job-scam-unsolicited-sender-a37dc32d | |
Link: Adobe Share with Suspicious Indicators | Sublime Security | 6mo ago Dec 3rd, 2024 | /feeds/core/detection-rules/link-adobe-share-with-suspicious-indicators-b33cae80 | |
Link: Credential Phishing traversing Russian infrastructure | Sublime Security | 11mo ago Jul 19th, 2024 | /feeds/core/detection-rules/link-credential-phishing-traversing-russian-infrastructure-a5203e3b | |
Link: Display Text Matches Subject Line | Sublime Security | 1mo ago May 9th, 2025 | /feeds/core/detection-rules/link-display-text-matches-subject-line-ba722cf0 | |
Link: Figma Design Deck With Credential Phishing Language | Sublime Security | 1mo ago May 7th, 2025 | /feeds/core/detection-rules/link-figma-design-deck-with-credential-phishing-language-87601924 | |
Link: Microsoft Dynamics 365 form phishing | Sublime Security | 7mo ago Nov 14th, 2024 | /feeds/core/detection-rules/link-microsoft-dynamics-365-form-phishing-f72b9085 |