Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Mar 13th, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Adobe branded PDF file linking to a password-protected file from untrusted sender	Sublime Security	8mo ago Jul 16th, 2025	Malware/Ransomware Encryption Evasion Impersonation: Brand PDF Archive analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Attachment: 7z Archive Containing RAR File	Sublime Security	2mo ago Jan 12th, 2026	Malware/Ransomware Evasion Archive analysis File analysis
Attachment: Any HTML file within archive (unsolicited)	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Archive analysis File analysis
Attachment: Any .sap file (unsolicited)	Sublime Security	4mo ago Oct 27th, 2025	Malware/Ransomware Evasion Scripting File analysis Header analysis Sender analysis
Attachment: Archive containing disallowed file type	Sublime Security	2mo ago Jan 12th, 2026	Malware/Ransomware Evasion Archive analysis File analysis
Attachment: Archive containing HTML file with file scheme link	Sublime Security	8mo ago Jul 16th, 2025	Credential Phishing Evasion Exploit HTML smuggling Social engineering Archive analysis File analysis HTML analysis
Attachment: Archive with embedded CHM file	Sublime Security	3y ago Aug 21st, 2023	Malware/Ransomware Evasion Archive analysis File analysis
Attachment: Archive with embedded EXE file	Sublime Security	2y ago Feb 27th, 2024	Malware/Ransomware Evasion Archive analysis File analysis YARA
Attachment: Archive with pdf, txt and wsf files	Sublime Security	2mo ago Jan 12th, 2026	Malware/Ransomware Evasion PDF Archive analysis File analysis
Attachment: Base64 encoded bash command in filename	@vector_sec	6mo ago Sep 5th, 2025	Malware/Ransomware Encryption Evasion Archive analysis File analysis Content analysis
Attachment: Calendar file with invisible Unicode characters	Sublime Security	2mo ago Jan 12th, 2026	BEC/Fraud Credential Phishing Malware/Ransomware Evasion File analysis Content analysis
Attachment: Calendar invite from recently registered domain	Sublime Security	5mo ago Sep 25th, 2025	Callback Phishing Evasion Social engineering File analysis Whois
Attachment: Callback phishing solicitation via image file	@vector_sec	2mo ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Out of band pivot Social engineering Image as content Content analysis Optical Character Recognition Sender analysis URL analysis Computer Vision
Attachment: Callback phishing solicitation via pdf file	Sublime Security	7mo ago Aug 5th, 2025	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis
Attachment: Callback phishing solicitation via text-based file	Sublime Security	5mo ago Sep 22nd, 2025	Callback Phishing Evasion Out of band pivot Social engineering Content analysis File analysis Header analysis Sender analysis
Attachment: .csproj with suspicious commands	Sublime Security	2mo ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting File analysis
Attachment: DocX embedded binary	Sublime Security	7mo ago Aug 5th, 2025	Malware/Ransomware Evasion Archive analysis Content analysis YARA
Attachment: DOCX with hyperlink targeting recipient address	Sublime Security	2mo ago Dec 17th, 2025	Credential Phishing Malware/Ransomware Evasion Social engineering File analysis Archive analysis XML analysis
Attachment: Double base64-encoded zip file in HTML smuggling attachment	@ajpc500	7mo ago Aug 5th, 2025	Malware/Ransomware Credential Phishing Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Sender analysis
Attachment: Embedded VBScript in MHT file (unsolicited)	Sublime Security	2mo ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting Archive analysis File analysis HTML analysis Sender analysis
Attachment: EML containing a base64 encoded script	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Evasion HTML smuggling Scripting Social engineering File analysis HTML analysis Sender analysis
Attachment: EML file contains HTML attachment with login portal indicators	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Evasion HTML smuggling Content analysis File analysis Header analysis HTML analysis Javascript analysis Sender analysis
Attachment: EML file with HTML attachment (unsolicited)	Sublime Security	6mo ago Aug 20th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Content analysis File analysis Header analysis HTML analysis Sender analysis
Attachment: EML file with IPFS links	Sublime Security	4mo ago Nov 4th, 2025	Credential Phishing Evasion Free file host Free subdomain host IPFS File analysis URL analysis
Attachment: EML with embedded Javascript in SVG file	Sublime Security	7mo ago Aug 8th, 2025	Credential Phishing Malware/Ransomware Scripting Evasion File analysis Javascript analysis Sender analysis
Attachment: EML with Encrypted ZIP	Sublime Security	2mo ago Jan 12th, 2026	Malware/Ransomware Encryption Evasion Archive analysis File analysis YARA
Attachment: EML with link to credential phishing page	Sublime Security	8mo ago Jul 16th, 2025	Credential Phishing Evasion Free file host Free subdomain host Social engineering Computer Vision Content analysis File analysis Header analysis HTML analysis Natural Language Understanding Optical Character Recognition URL analysis URL screenshot
Attachment: EML with SharePoint files shared from GoDaddy federated tenants	Sublime Security	5mo ago Sep 23rd, 2025	Credential Phishing Evasion Impersonation: Brand Social engineering File analysis URL analysis Content analysis
Attachment: EML with Sharepoint link likely unrelated to sender	Sublime Security	5mo ago Sep 23rd, 2025	BEC/Fraud Credential Phishing Impersonation: Brand Social engineering Evasion File analysis URL analysis Header analysis Sender analysis
Attachment: EML with suspicious indicators	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Evasion HTML smuggling Social engineering Content analysis File analysis
Attachment: Emotet heavily padded doc in zip file	Sublime Security	8mo ago Jul 16th, 2025	Malware/Ransomware Evasion Archive analysis Content analysis Exif analysis File analysis Sender analysis
Attachment: Employment contract update with suspicious file naming	Sublime Security	1mo ago Jan 28th, 2026	Malware/Ransomware Evasion Social engineering Content analysis File analysis
Attachment: Encrypted PDF with credential theft body	Sublime Security	16d ago Feb 26th, 2026	Credential Phishing Encryption Evasion PDF Social engineering Content analysis Exif analysis File analysis Natural Language Understanding Sender analysis
Attachment: Encrypted zip file with payment-related lure	Sublime Security	3mo ago Nov 25th, 2025	BEC/Fraud Malware/Ransomware Encryption Evasion Social engineering Archive analysis Content analysis File analysis
Attachment: Excel file with suspicious template identifier	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Evasion Macros Exif analysis File analysis
Attachment: Excel Web Query File (IQY)	@jkcoote	3y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion Archive analysis File analysis
Attachment: Fake attachment image lure	Sublime Security	5mo ago Sep 22nd, 2025	Credential Phishing Malware/Ransomware Evasion Image as content Social engineering File analysis Natural Language Understanding Optical Character Recognition
Attachment: Fake Slack installer	Sublime Security	3y ago Nov 29th, 2023	Malware/Ransomware Evasion HTML smuggling Impersonation: Brand Scripting Social engineering Archive analysis Computer Vision File analysis HTML analysis Natural Language Understanding URL analysis
Attachment: Fake Zoom installer	Sublime Security	3y ago Nov 29th, 2023	Malware/Ransomware Evasion HTML smuggling Impersonation: Brand Scripting Social engineering Archive analysis Computer Vision File analysis HTML analysis Natural Language Understanding URL analysis
Attachment: File execution via Javascript	Sublime Security	2mo ago Jan 12th, 2026	Malware/Ransomware Evasion Scripting Archive analysis File analysis Javascript analysis Sender analysis
Attachment: Filename containing Unicode braille pattern blank character	@vector_sec	7mo ago Aug 5th, 2025	Malware/Ransomware Evasion Archive analysis File analysis
Attachment: Filename containing Unicode right-to-left override character	@vector_sec	2mo ago Jan 12th, 2026	Malware/Ransomware Evasion Archive analysis File analysis
Attachment: Finance themed PDF with observed phishing template	Sublime Security	12d ago Mar 2nd, 2026	Credential Phishing PDF Evasion File analysis Content analysis
Attachment: HTML attachment with Javascript location	@vector_sec	7mo ago Aug 5th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis Javascript analysis HTML analysis
Attachment: HTML file contains exclusively Javascript	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis File analysis
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts	Sublime Security	4mo ago Nov 3rd, 2025	Malware/Ransomware Credential Phishing HTML smuggling Scripting Evasion HTML analysis File analysis Content analysis
Attachment: HTML file with excessive padding and suspicious patterns	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling File analysis HTML analysis YARA
Attachment: HTML smuggling 'body onload' linking to suspicious destination	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis URL analysis
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis
Attachment: HTML smuggling with atob and high entropy via calendar invite	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting File analysis HTML analysis Javascript analysis Sender analysis

359 Rules

Page 1 of 8