Sublime Core Feed
This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.
Sublime Security
Last updated Mar 21st, 2025
Feed Source
Tactic or Technique is
Rule Name & Severity | Author | Last Updated | Labels | |
|---|---|---|---|---|
Adobe branded PDF file linking to a password-protected file from untrusted sender | Sublime Security | 1y ago Feb 23rd, 2024 | /feeds/core/detection-rules/adobe-branded-pdf-file-linking-to-a-password-protected-file-from-untrusted-sender-5ea75469 | |
Attachment: Any HTML file within archive (unsolicited) | Sublime Security | 2y ago Nov 14th, 2023 | /feeds/core/detection-rules/attachment-any-html-file-within-archive-unsolicited-6a67c02c | |
Attachment: Archive containing disallowed file type | Sublime Security | 6mo ago Sep 18th, 2024 | /feeds/core/detection-rules/attachment-archive-containing-disallowed-file-type-3859e3e7 | |
Attachment: Archive containing HTML file with file scheme link | Sublime Security | 1y ago Mar 7th, 2024 | /feeds/core/detection-rules/attachment-archive-containing-html-file-with-file-scheme-link-edf6d0d9 | |
Attachment: Archive with embedded CHM file | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-archive-with-embedded-chm-file-5280e94d | |
Attachment: Archive with embedded EXE file | Sublime Security | 1y ago Feb 27th, 2024 | /feeds/core/detection-rules/attachment-archive-with-embedded-exe-file-e2b0ad86 | |
Attachment: Archive with pdf, txt and wsf files | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-archive-with-pdf-txt-and-wsf-files-16b2e239 | |
Attachment: Callback Phishing solicitation via image file | @vector_sec | 11d ago Mar 12th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-image-file-60acbb36 | |
Attachment: Callback Phishing solicitation via pdf file | Sublime Security | 25d ago Feb 26th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097 | |
Attachment: Callback Phishing solicitation via text-based file with a large unknown recipient list | Sublime Security | 7mo ago Jul 26th, 2024 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-text-based-file-with-a-large-unknown-recipient-list-ca39c83a | |
Attachment: .csproj with suspicious commands | Sublime Security | 2y ago Aug 17th, 2023 | /feeds/core/detection-rules/attachment-csproj-with-suspicious-commands-fe45b81d | |
Attachment: DocX embedded Binary | Sublime Security | 12mo ago Mar 26th, 2024 | /feeds/core/detection-rules/attachment-docx-embedded-binary-feff0241 | |
Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment | @ajpc500 | 2y ago Oct 4th, 2023 | /feeds/core/detection-rules/attachment-double-base64-encoded-zip-file-in-html-smuggling-attachment-61ebb07b | |
Attachment: Embedded VBScript in MHT file (unsolicited) | Sublime Security | 2y ago Oct 4th, 2023 | /feeds/core/detection-rules/attachment-embedded-vbscript-in-mht-file-unsolicited-b30353a6 | |
Attachment: EML containing a base64 encoded script | Sublime Security | 1y ago Jan 30th, 2024 | /feeds/core/detection-rules/attachment-eml-containing-a-base64-encoded-script-fc3d9445 | |
Attachment: EML file contains HTML attachment with login portal indicators | Sublime Security | 2y ago Oct 19th, 2023 | /feeds/core/detection-rules/attachment-eml-file-contains-html-attachment-with-login-portal-indicators-6e4df158 | |
Attachment: EML file with HTML attachment (unsolicited) | Sublime Security | 2mo ago Jan 14th, 2025 | /feeds/core/detection-rules/attachment-eml-file-with-html-attachment-unsolicited-c24fd191 | |
Attachment: EML file with IPFS links | Sublime Security | 11mo ago Apr 25th, 2024 | /feeds/core/detection-rules/attachment-eml-file-with-ipfs-links-1fe9d7e7 | |
Attachment: EML with Embedded Javascript in SVG File (unsolicited) | Sublime Security | 19d ago Mar 4th, 2025 | /feeds/core/detection-rules/attachment-eml-with-embedded-javascript-in-svg-file-unsolicited-dfafb78f | |
Attachment: EML with link to credential phishing page | Sublime Security | 6mo ago Sep 13th, 2024 | /feeds/core/detection-rules/attachment-eml-with-link-to-credential-phishing-page-1df41cca | |
Attachment: EML with Suspicious Indicators | Sublime Security | 4mo ago Nov 19th, 2024 | /feeds/core/detection-rules/attachment-eml-with-suspicious-indicators-deb5d08d | |
Attachment: Emotet heavily padded doc in zip file | Sublime Security | 2y ago Oct 4th, 2023 | /feeds/core/detection-rules/attachment-emotet-heavily-padded-doc-in-zip-file-9a5332ed | |
Attachment: Encrypted PDF With Credential Theft Body | Sublime Security | 5mo ago Oct 10th, 2024 | /feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a | |
Attachment: Excel Web Query File (IQY) | @jkcoote | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-excel-web-query-file-iqy-510412b5 | |
Attachment: Fake attachment image lure | Sublime Security | 8mo ago Jul 19th, 2024 | /feeds/core/detection-rules/attachment-fake-attachment-image-lure-96b8b285 | |
Attachment: Fake Slack installer | Sublime Security | 2y ago Nov 29th, 2023 | /feeds/core/detection-rules/attachment-fake-slack-installer-cded2d2f | |
Attachment: Fake Zoom installer | Sublime Security | 2y ago Nov 29th, 2023 | /feeds/core/detection-rules/attachment-fake-zoom-installer-840a12a6 | |
Attachment: File execution via Javascript | Sublime Security | 2y ago Dec 19th, 2023 | /feeds/core/detection-rules/attachment-file-execution-via-javascript-627ae0b1 | |
Attachment: Filename Containing Unicode Braille Pattern Blank Character | @vector_sec | 1mo ago Feb 20th, 2025 | /feeds/core/detection-rules/attachment-filename-containing-unicode-braille-pattern-blank-character-c230ca86 | |
Attachment: Filename Containing Unicode Right-to-Left Override Character | @vector_sec | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-filename-containing-unicode-right-to-left-override-character-357c57a1 | |
Attachment: HTML Attachment with Javascript location | @vector_sec | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-attachment-with-javascript-location-e0611295 | |
Attachment: HTML file contains exclusively Javascript | Sublime Security | 1y ago Feb 1st, 2024 | /feeds/core/detection-rules/attachment-html-file-contains-exclusively-javascript-b6d38168 | |
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts | Sublime Security | 1mo ago Feb 3rd, 2025 | /feeds/core/detection-rules/attachment-html-file-with-excessive-const-declarations-and-abnormally-long-timeouts-66f8a07a | |
Attachment: HTML file with excessive padding and suspicious patterns | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-file-with-excessive-padding-and-suspicious-patterns-0a6aee1e | |
Attachment: HTML smuggling 'body onload' linking to suspicious destination | Sublime Security | 2y ago Sep 22nd, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-body-onload-linking-to-suspicious-destination-c1e2beed | |
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text | Sublime Security | 2y ago Sep 25th, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-body-onload-with-high-entropy-and-suspicious-text-329ac12d | |
Attachment: HTML smuggling with concatenation obfuscation | @vector_sec | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-concatenation-obfuscation-108ab346 | |
Attachment: HTML smuggling with decimal encoding | Sublime Security | 11mo ago Apr 23rd, 2024 | /feeds/core/detection-rules/attachment-html-smuggling-with-decimal-encoding-f99213c4 | |
Attachment: HTML smuggling with embedded base64-encoded executable | Sublime Security | 12mo ago Mar 25th, 2024 | /feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-encoded-executable-b00c4527 | |
Attachment: HTML smuggling with embedded base64-encoded ISO | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-encoded-iso-294ecd2d | |
Attachment: HTML smuggling with eval and atob | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-9f521ca2 | |
Attachment: HTML smuggling with excessive line break obfuscation | Sublime Security | 2y ago Sep 8th, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-excessive-line-break-obfuscation-7e901440 | |
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns | Sublime Security | 6mo ago Aug 27th, 2024 | /feeds/core/detection-rules/attachment-html-smuggling-with-excessive-string-concatenation-and-suspicious-patterns-e34fce8d | |
Attachment: HTML smuggling with fromCharCode and other signals | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-fromcharcode-and-other-signals-a68ce0ef | |
Attachment: HTML smuggling with hex strings | @ajpc500 | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-hex-strings-b4208ed6 | |
Attachment: HTML smuggling with high entropy and other signals | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-high-entropy-and-other-signals-be157288 | |
Attachment: HTML smuggling with raw array buffer | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-raw-array-buffer-a0d5c3dc | |
Attachment: HTML smuggling with RC4 decryption | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-rc4-decryption-3a46d765 | |
Attachment: HTML smuggling with ROT13 | @Kyle_Parrish_ | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-rot13-6eacc4cf | |
Attachment: HTML smuggling with setTimeout | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-settimeout-4e0b2c32 |