Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Jun 18th, 2025

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Adobe branded PDF file linking to a password-protected file from untrusted sender	Sublime Security	1y ago Feb 23rd, 2024	Malware/Ransomware Encryption Evasion Impersonation: Brand PDF Archive analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/adobe-branded-pdf-file-linking-to-a-password-protected-file-from-untrusted-sender-5ea75469
Attachment: Any HTML file within archive (unsolicited)	Sublime Security	2y ago Nov 14th, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Archive analysis File analysis	/feeds/core/detection-rules/attachment-any-html-file-within-archive-unsolicited-6a67c02c
Attachment: Archive containing disallowed file type	Sublime Security	9mo ago Sep 18th, 2024	Malware/Ransomware Evasion Archive analysis File analysis	/feeds/core/detection-rules/attachment-archive-containing-disallowed-file-type-3859e3e7
Attachment: Archive containing HTML file with file scheme link	Sublime Security	1y ago Mar 7th, 2024	Credential Phishing Evasion Exploit HTML smuggling Social engineering Archive analysis File analysis HTML analysis	/feeds/core/detection-rules/attachment-archive-containing-html-file-with-file-scheme-link-edf6d0d9
Attachment: Archive with embedded CHM file	Sublime Security	2y ago Aug 21st, 2023	Malware/Ransomware Evasion Archive analysis File analysis	/feeds/core/detection-rules/attachment-archive-with-embedded-chm-file-5280e94d
Attachment: Archive with embedded EXE file	Sublime Security	1y ago Feb 27th, 2024	Malware/Ransomware Evasion Archive analysis File analysis YARA	/feeds/core/detection-rules/attachment-archive-with-embedded-exe-file-e2b0ad86
Attachment: Archive with pdf, txt and wsf files	Sublime Security	2y ago Aug 21st, 2023	Malware/Ransomware Evasion PDF Archive analysis File analysis	/feeds/core/detection-rules/attachment-archive-with-pdf-txt-and-wsf-files-16b2e239
Attachment: Callback Phishing solicitation via image file	@vector_sec	3mo ago Mar 12th, 2025	Callback Phishing Evasion Free email provider Out of band pivot Social engineering Image as content Content analysis Optical Character Recognition Sender analysis URL analysis Computer Vision	/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-image-file-60acbb36
Attachment: Callback Phishing solicitation via pdf file	Sublime Security	16h ago Jun 18th, 2025	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097
Attachment: Callback Phishing solicitation via text-based file with a large unknown recipient list	Sublime Security	10mo ago Jul 26th, 2024	Callback Phishing Evasion Out of band pivot Social engineering Content analysis File analysis Header analysis Sender analysis	/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-text-based-file-with-a-large-unknown-recipient-list-ca39c83a
Attachment: .csproj with suspicious commands	Sublime Security	2y ago Aug 17th, 2023	Malware/Ransomware Evasion Scripting File analysis	/feeds/core/detection-rules/attachment-csproj-with-suspicious-commands-fe45b81d
Attachment: DocX embedded Binary	Sublime Security	1y ago Mar 26th, 2024	Malware/Ransomware Evasion Archive analysis Content analysis YARA	/feeds/core/detection-rules/attachment-docx-embedded-binary-feff0241
Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment	@ajpc500	2y ago Oct 4th, 2023	Malware/Ransomware Credential Phishing Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-double-base64-encoded-zip-file-in-html-smuggling-attachment-61ebb07b
Attachment: Embedded VBScript in MHT file (unsolicited)	Sublime Security	2y ago Oct 4th, 2023	Malware/Ransomware Evasion Scripting Archive analysis File analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-embedded-vbscript-in-mht-file-unsolicited-b30353a6
Attachment: EML containing a base64 encoded script	Sublime Security	1y ago Jan 30th, 2024	Credential Phishing Evasion HTML smuggling Scripting Social engineering File analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-containing-a-base64-encoded-script-fc3d9445
Attachment: EML file contains HTML attachment with login portal indicators	Sublime Security	2y ago Oct 19th, 2023	Credential Phishing Evasion HTML smuggling Content analysis File analysis Header analysis HTML analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-file-contains-html-attachment-with-login-portal-indicators-6e4df158
Attachment: EML file with HTML attachment (unsolicited)	Sublime Security	2mo ago Mar 28th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Content analysis File analysis Header analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-file-with-html-attachment-unsolicited-c24fd191
Attachment: EML file with IPFS links	Sublime Security	1y ago Apr 25th, 2024	Credential Phishing Evasion Free file host Free subdomain host IPFS File analysis URL analysis	/feeds/core/detection-rules/attachment-eml-file-with-ipfs-links-1fe9d7e7
Attachment: EML with Embedded Javascript in SVG File	Sublime Security	2mo ago Apr 17th, 2025	Credential Phishing Malware/Ransomware Scripting Evasion File analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-with-embedded-javascript-in-svg-file-dfafb78f
Attachment: EML with link to credential phishing page	Sublime Security	9mo ago Sep 13th, 2024	Credential Phishing Evasion Free file host Free subdomain host Social engineering Computer Vision Content analysis File analysis Header analysis HTML analysis Natural Language Understanding Optical Character Recognition URL analysis URL screenshot	/feeds/core/detection-rules/attachment-eml-with-link-to-credential-phishing-page-1df41cca
Attachment: EML with Suspicious Indicators	Sublime Security	17d ago Jun 2nd, 2025	Credential Phishing Evasion HTML smuggling Social engineering Content analysis File analysis	/feeds/core/detection-rules/attachment-eml-with-suspicious-indicators-deb5d08d
Attachment: Emotet heavily padded doc in zip file	Sublime Security	2y ago Oct 4th, 2023	Malware/Ransomware Evasion Archive analysis Content analysis Exif analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-emotet-heavily-padded-doc-in-zip-file-9a5332ed
Attachment: Encrypted PDF With Credential Theft Body	Sublime Security	8mo ago Oct 10th, 2024	Credential Phishing Encryption Evasion PDF Social engineering Content analysis Exif analysis File analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a
Attachment: Excel Web Query File (IQY)	@jkcoote	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion Archive analysis File analysis	/feeds/core/detection-rules/attachment-excel-web-query-file-iqy-510412b5
Attachment: Fake attachment image lure	Sublime Security	20d ago May 30th, 2025	Credential Phishing Malware/Ransomware Evasion Image as content Social engineering File analysis Natural Language Understanding Optical Character Recognition	/feeds/core/detection-rules/attachment-fake-attachment-image-lure-96b8b285
Attachment: Fake Slack installer	Sublime Security	2y ago Nov 29th, 2023	Malware/Ransomware Evasion HTML smuggling Impersonation: Brand Scripting Social engineering Archive analysis Computer Vision File analysis HTML analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/attachment-fake-slack-installer-cded2d2f
Attachment: Fake Zoom installer	Sublime Security	2y ago Nov 29th, 2023	Malware/Ransomware Evasion HTML smuggling Impersonation: Brand Scripting Social engineering Archive analysis Computer Vision File analysis HTML analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/attachment-fake-zoom-installer-840a12a6
Attachment: File execution via Javascript	Sublime Security	2y ago Dec 19th, 2023	Malware/Ransomware Evasion Scripting Archive analysis File analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-file-execution-via-javascript-627ae0b1
Attachment: Filename Containing Unicode Braille Pattern Blank Character	@vector_sec	3mo ago Feb 20th, 2025	Malware/Ransomware Evasion Archive analysis File analysis	/feeds/core/detection-rules/attachment-filename-containing-unicode-braille-pattern-blank-character-c230ca86
Attachment: Filename Containing Unicode Right-to-Left Override Character	@vector_sec	2y ago Aug 21st, 2023	Malware/Ransomware Evasion Archive analysis File analysis	/feeds/core/detection-rules/attachment-filename-containing-unicode-right-to-left-override-character-357c57a1
Attachment: HTML Attachment with Javascript location	@vector_sec	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis Javascript analysis HTML analysis	/feeds/core/detection-rules/attachment-html-attachment-with-javascript-location-e0611295
Attachment: HTML file contains exclusively Javascript	Sublime Security	1y ago Feb 1st, 2024	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis File analysis	/feeds/core/detection-rules/attachment-html-file-contains-exclusively-javascript-b6d38168
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts	Sublime Security	4mo ago Feb 3rd, 2025	Malware/Ransomware Credential Phishing HTML smuggling Scripting Evasion HTML analysis File analysis Content analysis	/feeds/core/detection-rules/attachment-html-file-with-excessive-const-declarations-and-abnormally-long-timeouts-66f8a07a
Attachment: HTML file with excessive padding and suspicious patterns	Sublime Security	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling File analysis HTML analysis YARA	/feeds/core/detection-rules/attachment-html-file-with-excessive-padding-and-suspicious-patterns-0a6aee1e
Attachment: HTML smuggling 'body onload' linking to suspicious destination	Sublime Security	2y ago Sep 22nd, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis URL analysis	/feeds/core/detection-rules/attachment-html-smuggling-body-onload-linking-to-suspicious-destination-c1e2beed
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text	Sublime Security	2y ago Sep 25th, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis	/feeds/core/detection-rules/attachment-html-smuggling-body-onload-with-high-entropy-and-suspicious-text-329ac12d
Attachment: HTML smuggling with atob and high entropy via calendar invite	Sublime Security	16d ago Jun 3rd, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting File analysis HTML analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-via-calendar-invite-94d84614
Attachment: HTML smuggling with concatenation obfuscation	@vector_sec	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-concatenation-obfuscation-108ab346
Attachment: HTML smuggling with decimal encoding	Sublime Security	1y ago Apr 23rd, 2024	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-decimal-encoding-f99213c4
Attachment: HTML smuggling with embedded base64-encoded executable	Sublime Security	1y ago Mar 25th, 2024	Malware/Ransomware Evasion HTML smuggling Archive analysis File analysis HTML analysis YARA	/feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-encoded-executable-b00c4527
Attachment: HTML smuggling with embedded base64-encoded ISO	Sublime Security	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling ISO Archive analysis Content analysis File analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-encoded-iso-294ecd2d
Attachment: HTML smuggling with eval and atob	Sublime Security	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-9f521ca2
Attachment: HTML smuggling with eval and atob via calendar invite	Sublime Security	16d ago Jun 3rd, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting File analysis HTML analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-via-calendar-invite-597c2edd
Attachment: HTML smuggling with excessive line break obfuscation	Sublime Security	2y ago Sep 8th, 2023	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-excessive-line-break-obfuscation-7e901440
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns	Sublime Security	9mo ago Aug 27th, 2024	Credential Phishing Evasion HTML smuggling Scripting Social engineering File analysis HTML analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-excessive-string-concatenation-and-suspicious-patterns-e34fce8d
Attachment: HTML smuggling with fromCharCode and other signals	Sublime Security	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis Javascript analysis HTML analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-fromcharcode-and-other-signals-a68ce0ef
Attachment: HTML smuggling with hex strings	@ajpc500	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Archive analysis Content analysis File analysis HTML analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-hex-strings-b4208ed6
Attachment: HTML smuggling with high entropy and other signals	Sublime Security	2y ago Aug 21st, 2023	Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-high-entropy-and-other-signals-be157288
Attachment: HTML smuggling with raw array buffer	Sublime Security	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion Free subdomain host HTML smuggling Archive analysis Content analysis File analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-raw-array-buffer-a0d5c3dc
Attachment: HTML smuggling with RC4 decryption	Sublime Security	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-rc4-decryption-3a46d765