Sublime Core Feed
This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.
Sublime Security
Last updated Jul 17th, 2025
Feed Source
Detection Method is
Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
ClickFunnels link infrastructure abuse | Sublime Security | 2mo ago May 16th, 2025 | /feeds/core/detection-rules/clickfunnels-link-infrastructure-abuse-9192fbe9 | |
Commonly abused sender TLD with engaging language | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/commonly-abused-sender-tld-with-engaging-language-447386dc | |
Credential phishing content and link (untrusted sender) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/credential-phishing-content-and-link-untrusted-sender-f0c95bb7 | |
Credential phishing: Engaging language and other indicators (untrusted sender) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/credential-phishing-engaging-language-and-other-indicators-untrusted-sender-c2bc8ca2 | |
Credential phishing: Engaging language with IPFS link | Sublime Security | 1y ago May 3rd, 2024 | /feeds/core/detection-rules/credential-phishing-engaging-language-with-ipfs-link-996c4d83 | |
Credential Phishing: Hyper-linked image leading to free file host | Sublime Security | 1y ago May 2nd, 2024 | /feeds/core/detection-rules/credential-phishing-hyper-linked-image-leading-to-free-file-host-f5cb1eca | |
Credential phishing language and suspicious indicators (unknown sender) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/credential-phishing-language-and-suspicious-indicators-unknown-sender-89c186f7 | |
Credential phishing link (unknown sender) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/credential-phishing-link-unknown-sender-a278012b | |
Credential phishing: Onedrive impersonation | Sublime Security | 1mo ago Jun 4th, 2025 | /feeds/core/detection-rules/credential-phishing-onedrive-impersonation-1f990c92 | |
Credential Phishing: Suspicious E-sign Agreement Document Notification | Sublime Security | 9d ago Jul 11th, 2025 | /feeds/core/detection-rules/credential-phishing-suspicious-e-sign-agreement-document-notification-9b68c2d8 | |
Credential Phishing: Suspicious language, link, recipients and other indicators | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/credential-phishing-suspicious-language-link-recipients-and-other-indicators-dcb39190 | |
Deceptive Dropbox Mention | Sublime Security | 24d ago Jun 26th, 2025 | /feeds/core/detection-rules/deceptive-dropbox-mention-58a107bc | |
DocuSign Impersonation via CloudHQ Links | Sublime Security | 3mo ago Apr 4th, 2025 | /feeds/core/detection-rules/docusign-impersonation-via-cloudhq-links-44ba2fee | |
Fake message thread with a suspicious link and engaging language from an unknown sender | Sublime Security | 1y ago Apr 23rd, 2024 | /feeds/core/detection-rules/fake-message-thread-with-a-suspicious-link-and-engaging-language-from-an-unknown-sender-8fd0e211 | |
Fake scan-to-email message | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/fake-scan-to-email-message-78851fbe | |
Fake voicemail notification (untrusted sender) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/fake-voicemail-notification-untrusted-sender-74ba7787 | |
Fake Zoho Sign template abuse | Sublime Security | 9mo ago Sep 30th, 2024 | /feeds/core/detection-rules/fake-zoho-sign-template-abuse-785fd0d5 | |
File sharing link from suspicious sender domain | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/file-sharing-link-from-suspicious-sender-domain-95f20354 | |
File sharing link with a suspicious subject | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/file-sharing-link-with-a-suspicious-subject-a306e2a6 | |
Free subdomain link with credential theft indicators | Sublime Security | 7mo ago Dec 12th, 2024 | /feeds/core/detection-rules/free-subdomain-link-with-credential-theft-indicators-9187479c | |
Google Accelerated Mobile Pages (AMP) abuse | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/google-accelerated-mobile-pages-amp-abuse-46907029 | |
Google Drive abuse: Credential phishing link | Sublime Security | 11mo ago Jul 31st, 2024 | /feeds/core/detection-rules/google-drive-abuse-credential-phishing-link-c74aece0 | |
Google Drive direct download link from unsolicited sender | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/google-drive-direct-download-link-from-unsolicited-sender-78a19343 | |
Google Notification alert link from non-Google sender | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/google-notification-alert-link-from-non-google-sender-a1c1acfd | |
Google Presentation Open Redirect Phishing | Sublime Security | 2mo ago Apr 24th, 2025 | /feeds/core/detection-rules/google-presentation-open-redirect-phishing-5d01ee3a | |
Google Services Using G.co Shortlinks | Sublime Security | 5mo ago Jan 29th, 2025 | /feeds/core/detection-rules/google-services-using-gco-shortlinks-09ff8a73 | |
Image as content with a link to an open redirect (unsolicited) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/image-as-content-with-a-link-to-an-open-redirect-unsolicited-f5cec36b | |
Impersonation: Chrome Web Store Policy | Sublime Security | 4mo ago Mar 18th, 2025 | /feeds/core/detection-rules/impersonation-chrome-web-store-policy-4a98f283 | |
Impersonation: Suspected supplier impersonation with suspicious content | Sublime Security | 5mo ago Feb 3rd, 2025 | /feeds/core/detection-rules/impersonation-suspected-supplier-impersonation-with-suspicious-content-63d8b1ce | |
Inline image as message with attachment or link | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/inline-image-as-message-with-attachment-or-link-823d7107 | |
Issuu Document With Suspicious Embedded Link | Sublime Security | 2mo ago May 5th, 2025 | /feeds/core/detection-rules/issuu-document-with-suspicious-embedded-link-0d73f43d | |
Link: Abused Adobe Express | Sublime Security | 7mo ago Dec 16th, 2024 | /feeds/core/detection-rules/link-abused-adobe-express-c7d17bfd | |
Link: Adobe Share with Suspicious Indicators | Sublime Security | 7mo ago Dec 3rd, 2024 | /feeds/core/detection-rules/link-adobe-share-with-suspicious-indicators-b33cae80 | |
Link: chatbot.page Platform Abuse | Sublime Security | 26d ago Jun 24th, 2025 | /feeds/core/detection-rules/link-chatbotpage-platform-abuse-bfd6a076 | |
Link: Common Hidden Directory Observed | Sublime Security | 6mo ago Jan 15th, 2025 | /feeds/core/detection-rules/link-common-hidden-directory-observed-9f316da6 | |
Link: Credential Phishing traversing Russian infrastructure | Sublime Security | 1y ago Jul 19th, 2024 | /feeds/core/detection-rules/link-credential-phishing-traversing-russian-infrastructure-a5203e3b | |
Link: Credential Phishing via WordPress | Sublime Security | 3mo ago Apr 11th, 2025 | /feeds/core/detection-rules/link-credential-phishing-via-wordpress-db696058 | |
Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability | Sublime Security | 1y ago Feb 15th, 2024 | /feeds/core/detection-rules/link-cve-2024-21413-microsoft-outlook-remote-code-execution-vulnerability-e8151426 | |
Link: Direct Link to gamma.app Presentation in Present Mode | Sublime Security | 2mo ago Apr 30th, 2025 | /feeds/core/detection-rules/link-direct-link-to-gammaapp-presentation-in-present-mode-080ab581 | |
Link: Direct Link to keap.app contact-us page | Sublime Security | 1mo ago May 23rd, 2025 | /feeds/core/detection-rules/link-direct-link-to-keapapp-contact-us-page-a7a69267 | |
Link: Direct link to Zoom Docs from Non-Zoom Sender | Sublime Security | 1mo ago May 22nd, 2025 | /feeds/core/detection-rules/link-direct-link-to-zoom-docs-from-non-zoom-sender-5c6362db | |
Link: Direct POWR.io Form Builder with Suspicious Patterns | Sublime Security | 2mo ago May 5th, 2025 | /feeds/core/detection-rules/link-direct-powrio-form-builder-with-suspicious-patterns-fd37cc93 | |
Link: Display Text Matches Subject Line | Sublime Security | 2mo ago May 9th, 2025 | /feeds/core/detection-rules/link-display-text-matches-subject-line-ba722cf0 | |
Link: Figma Design Deck With Credential Phishing Language | Sublime Security | 2mo ago May 7th, 2025 | /feeds/core/detection-rules/link-figma-design-deck-with-credential-phishing-language-87601924 | |
Link: Flagged bit.ly link | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/link-flagged-bitly-link-1528eb6c | |
Link: Free Subdomain host with undisclosed recipients | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/link-free-subdomain-host-with-undisclosed-recipients-c23d979d | |
Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/link-google-calendar-invite-linking-to-an-open-redirect-from-an-untrusted-freemail-sender-bb4f1ea9 | |
Link: Google Firebase Dynamic Link that Redirects to New Domain (<7 days old) | @ajpc500 | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/link-google-firebase-dynamic-link-that-redirects-to-new-domain-less7-days-old-5a204a37 | |
Link: Google Translate (unsolicited) | @ajpc500 | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/link-google-translate-unsolicited-6949e115 | |
Link: /index.php Enclosed in Three Asterisks | Sublime Security | 1mo ago Jun 10th, 2025 | /feeds/core/detection-rules/link-indexphp-enclosed-in-three-asterisks-aa4bbafc |