Sublime Core Feed
This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.
Sublime Security
Last updated Jul 17th, 2025
Rule Name & Severity | Author | Last Updated | Labels | |
---|---|---|---|---|
Attachment: HTML smuggling with ROT13 | @Kyle_Parrish_ | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-rot13-6eacc4cf | |
Attachment: HTML smuggling with setTimeout | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-settimeout-4e0b2c32 | |
Attachment: HTML smuggling with unescape | Sublime Security | 2y ago Sep 22nd, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-unescape-0b0fed36 | |
Attachment: HTML With Emoji-to-Character Map | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-html-with-emoji-to-character-map-3119d086 | |
Attachment: HTML with Hidden Body | Sublime Security | 1y ago Jun 24th, 2024 | /feeds/core/detection-rules/attachment-html-with-hidden-body-b059a781 | |
Attachment: HTML with JavaScript Functions for HTTP requests | Sublime Security | 1y ago Jul 3rd, 2024 | /feeds/core/detection-rules/attachment-html-with-javascript-functions-for-http-requests-01e679fd | |
Attachment: ICS with embedded document | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-ics-with-embedded-document-8f9957d9 | |
Attachment: JavaScript file with suspicious base64-encoded executable | Sublime Security | 1y ago Apr 1st, 2024 | /feeds/core/detection-rules/attachment-javascript-file-with-suspicious-base64-encoded-executable-b8db0cf3 | |
Attachment: Legal Themed Message with PDF Containing Suspicious Link | Sublime Security | 1mo ago Jun 6th, 2025 | /feeds/core/detection-rules/attachment-legal-themed-message-with-pdf-containing-suspicious-link-19133301 | |
Attachment: Link file with UNC path | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-link-file-with-unc-path-3b7ee0fb | |
Attachment: Link to Doubleclick.net Open Redirect | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-link-to-doubleclicknet-open-redirect-506c16cc | |
Attachment: Macro Files Containing MHT Content | Sublime Security | 1mo ago Jun 12th, 2025 | /feeds/core/detection-rules/attachment-macro-files-containing-mht-content-4d54e40b | |
Attachment: Malformed OLE file | Sublime Security | 7mo ago Nov 25th, 2024 | /feeds/core/detection-rules/attachment-malformed-ole-file-5aadc68f | |
Attachment: MSI Installer file | @ajpc500 | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-msi-installer-file-ae17b1a9 | |
Attachment: Office file contains OLE relationship to credential phishing page | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-office-file-contains-ole-relationship-to-credential-phishing-page-d55793d0 | |
Attachment: Office file with suspicious function calls or downloaded file path | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-office-file-with-suspicious-function-calls-or-downloaded-file-path-4c78b969 | |
Attachment: OLE external relationship containing file scheme link to executable filetype | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-ole-external-relationship-containing-file-scheme-link-to-executable-filetype-33bf6fd4 | |
Attachment: OLE external relationship containing file scheme link to IP address | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-ole-external-relationship-containing-file-scheme-link-to-ip-address-3aab998c | |
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-links-to-suspicious-filetypes-unsolicited-6144f880 | |
Attachment: PDF file with low reputation link to ZIP file (unsolicited) | Michael Tingle | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-link-to-zip-file-unsolicited-d1ee2859 | |
Attachment: PDF with link to DMG file download | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-pdf-with-link-to-dmg-file-download-2c486fe0 | |
Attachment: PDF with link to zip containing a wsf file | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/attachment-pdf-with-link-to-zip-containing-a-wsf-file-93bc7db4 | |
Attachment: PDF with suspicious language and redirect to suspicious file type | Sublime Security | 1y ago May 22nd, 2024 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-language-and-redirect-to-suspicious-file-type-adda3c3f | |
Attachment: Potential Sandbox Evasion in Office File | @ajpc500 | 2y ago Dec 19th, 2023 | /feeds/core/detection-rules/attachment-potential-sandbox-evasion-in-office-file-1c591681 | |
Attachment: PowerPoint with suspicious hyperlink | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-powerpoint-with-suspicious-hyperlink-0a999fb1 | |
Attachment: QR Code Link With Base64-Encoded Recipient Address | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a | |
Attachment: QR Code With Userinfo Portion | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-qr-code-with-userinfo-portion-9d62cc5c | |
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-rfc822-containing-suspicious-file-sharing-language-with-links-from-untrusted-sender-d96854d7 | |
Attachment: RTF file with suspicious link | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-rtf-file-with-suspicious-link-c848f9aa | |
Attachment: RTF with embedded content | @amitchell516 | 1y ago Feb 26th, 2024 | /feeds/core/detection-rules/attachment-rtf-with-embedded-content-61dd2dd7 | |
Attachment: SFX archive containing commands | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-sfx-archive-containing-commands-343e6c8c | |
Attachment: Small text file with link containing recipient email address | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-small-text-file-with-link-containing-recipient-email-address-c0472c9d | |
Attachment: Suspicious Employee Policy Update Document Lure | Sublime Security | 3mo ago Mar 31st, 2025 | /feeds/core/detection-rules/attachment-suspicious-employee-policy-update-document-lure-a8bf1fd1 | |
Attachment: Suspicious PDF Created With Headless Browser | Sublime Security | 20d ago Jun 30th, 2025 | /feeds/core/detection-rules/attachment-suspicious-pdf-created-with-headless-browser-8f3108d7 | |
Attachment: SVG Files With Evasion Elements | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-svg-files-with-evasion-elements-5d2dbb60 | |
Attachment: Web Files With Suspicious Comments | Sublime Security | 2mo ago Apr 28th, 2025 | /feeds/core/detection-rules/attachment-web-files-with-suspicious-comments-93061d17 | |
Attachment with encrypted zip (unsolicited) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-with-encrypted-zip-unsolicited-697c87ae | |
Attachment with macro calling executable | Sublime Security | 2y ago Dec 19th, 2023 | /feeds/core/detection-rules/attachment-with-macro-calling-executable-5ee6a197 | |
Attachment with unscannable encrypted zip (unsolicited) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-with-unscannable-encrypted-zip-unsolicited-529d4a9a | |
BEC with unusual Reply-to or Return-path mismatch | Sublime Security | 10mo ago Aug 27th, 2024 | /feeds/core/detection-rules/bec-with-unusual-reply-to-or-return-path-mismatch-83e5e2df | |
Benefits Enrollment Impersonation | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/benefits-enrollment-impersonation-5a6eb5a8 | |
Brand Impersonation: Coinbase with suspicious links | Sublime Security | 2y ago Nov 18th, 2023 | /feeds/core/detection-rules/brand-impersonation-coinbase-with-suspicious-links-b61e2f8e | |
Brand Impersonation: DocuSign with embedded QR code | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-docusign-with-embedded-qr-code-f5cde463 | |
Brand impersonation: Microsoft logo in HTML with fake quarantine release notification | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-microsoft-logo-in-html-with-fake-quarantine-release-notification-f12c615c | |
Brand Impersonation: Microsoft Planner With Suspicious Link | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-microsoft-planner-with-suspicious-link-ea363c08 | |
Brand Impersonation: QuickBooks Notification From Intuit Themed Company Name | Sublime Security | 4mo ago Mar 3rd, 2025 | /feeds/core/detection-rules/brand-impersonation-quickbooks-notification-from-intuit-themed-company-name-42058fc4 | |
Brand Impersonation: ShareFile | Sublime Security | 5mo ago Jan 29th, 2025 | /feeds/core/detection-rules/brand-impersonation-sharefile-f8330307 | |
Brand Impersonation: Stripe Notification | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-stripe-notification-3ffd2b03 | |
Brand Impersonation: Zoom | Sublime Security | 26d ago Jun 24th, 2025 | /feeds/core/detection-rules/brand-impersonation-zoom-5abad540 | |
Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/business-email-compromise-bec-attempt-with-masked-recipients-and-reply-to-mismatch-unsolicited-682191bf | |