Sublime Core Feed
This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.
Sublime Security
Last updated Jun 18th, 2025
Rule Name | Author | Last Updated | Rule Path | |
---|---|---|---|---|
Attachment: Calendar invite with suspicious link leading to an open redirect | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/attachment-calendar-invite-with-suspicious-link-leading-to-an-open-redirect-5d6294c7 | |
Attachment: Callback Phishing solicitation via image file | @vector_sec | 3mo ago Mar 12th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-image-file-60acbb36 | |
Attachment: Callback Phishing solicitation via pdf file | Sublime Security | 15h ago Jun 18th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097 | |
Attachment: PDF file with Link to Fake Bitcoin Exchange | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-pdf-file-with-link-to-fake-bitcoin-exchange-47601cb7 | |
BEC/Fraud - Job Scam Fake thread or plaintext pivot to freemail | Sublime Security | 1y ago Jan 8th, 2024 | /feeds/core/detection-rules/becfraud-job-scam-fake-thread-or-plaintext-pivot-to-freemail-ce21c151 | |
BEC/Fraud: Romance Scam | Sublime Security | 2y ago Nov 23rd, 2023 | /feeds/core/detection-rules/becfraud-romance-scam-0243cdaa | |
BEC/Fraud: Scam Lure with freemail pivot | Sublime Security | 1y ago Jun 3rd, 2024 | /feeds/core/detection-rules/becfraud-scam-lure-with-freemail-pivot-898c769f | |
BEC/Fraud - Student loan callback phishing | Sublime Security | 8mo ago Oct 4th, 2024 | /feeds/core/detection-rules/becfraud-student-loan-callback-phishing-a71f82c3 | |
BEC/Fraud: Urgent Language and Suspicious Sending/Infrastructure Patterns | Sublime Security | 3mo ago Mar 10th, 2025 | /feeds/core/detection-rules/becfraud-urgent-language-and-suspicious-sendinginfrastructure-patterns-ba8a79e0 | |
BEC with unusual Reply-to or Return-path mismatch | Sublime Security | 9mo ago Aug 27th, 2024 | /feeds/core/detection-rules/bec-with-unusual-reply-to-or-return-path-mismatch-83e5e2df | |
Brand impersonation: Hulu | Sublime Security | 4mo ago Feb 4th, 2025 | /feeds/core/detection-rules/brand-impersonation-hulu-6833de58 | |
Brand impersonation: KnowBe4 | Sublime Security | 6mo ago Nov 25th, 2024 | /feeds/core/detection-rules/brand-impersonation-knowbe4-7c798386 | |
Brand impersonation: Norton | Sublime Security | 8mo ago Oct 8th, 2024 | /feeds/core/detection-rules/brand-impersonation-norton-32bd9efd | |
Brand Impersonation: SiriusXM | Sublime Security | 5mo ago Jan 9th, 2025 | /feeds/core/detection-rules/brand-impersonation-siriusxm-70eb3792 | |
Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited) | Sublime Security | 1y ago Feb 23rd, 2024 | /feeds/core/detection-rules/business-email-compromise-bec-attempt-with-masked-recipients-and-reply-to-mismatch-unsolicited-682191bf | |
Callback Phishing: AOL Senders with Suspicious HTML Template or PDF Attachment | Sublime Security | 16d ago Jun 3rd, 2025 | /feeds/core/detection-rules/callback-phishing-aol-senders-with-suspicious-html-template-or-pdf-attachment-f6044eed | |
Callback Phishing: Social Security Administration Fraud | Sublime Security | 3mo ago Feb 24th, 2025 | /feeds/core/detection-rules/callback-phishing-social-security-administration-fraud-a9049d52 | |
Callback Phishing solicitation in message body | Sublime Security | 3d ago Jun 16th, 2025 | /feeds/core/detection-rules/callback-phishing-solicitation-in-message-body-10a3a446 | |
Callback phishing via Google Group abuse | Sublime Security | 1y ago Apr 23rd, 2024 | /feeds/core/detection-rules/callback-phishing-via-google-group-abuse-199d873b | |
Callback phishing via Intuit service abuse | Sublime Security | 29d ago May 21st, 2025 | /feeds/core/detection-rules/callback-phishing-via-intuit-service-abuse-f2fe1294 | |
Callback phishing via Zoho service abuse | Sublime Security | 5mo ago Jan 10th, 2025 | /feeds/core/detection-rules/callback-phishing-via-zoho-service-abuse-61e351ec | |
Canva Infrastructure Abuse | Sublime Security | 2mo ago Apr 1st, 2025 | /feeds/core/detection-rules/canva-infrastructure-abuse-b69fdb5c | |
ClickFunnels link infrastructure abuse | Sublime Security | 1mo ago May 16th, 2025 | /feeds/core/detection-rules/clickfunnels-link-infrastructure-abuse-9192fbe9 | |
Constant Contact link infrastructure abuse | Sublime Security | 5mo ago Jan 11th, 2025 | /feeds/core/detection-rules/constant-contact-link-infrastructure-abuse-8c5e8e4c | |
COVID-19 themed fraud with sender and reply-to mismatch or compensation award | Sublime Security | 3mo ago Mar 4th, 2025 | /feeds/core/detection-rules/covid-19-themed-fraud-with-sender-and-reply-to-mismatch-or-compensation-award-a16480ef | |
Credential phishing: Engaging language and other indicators (untrusted sender) | Sublime Security | 15h ago Jun 18th, 2025 | /feeds/core/detection-rules/credential-phishing-engaging-language-and-other-indicators-untrusted-sender-c2bc8ca2 | |
Credential phishing language and suspicious indicators (unknown sender) | Sublime Security | 3mo ago Feb 24th, 2025 | /feeds/core/detection-rules/credential-phishing-language-and-suspicious-indicators-unknown-sender-89c186f7 | |
Domain Impersonation: Freemail ReplyTo_Local Lookalike with Financial Request | Sublime Security | 1y ago May 3rd, 2024 | /feeds/core/detection-rules/domain-impersonation-freemail-replytolocal-lookalike-with-financial-request-43026a40 | |
Employee Impersonation: Payroll Fraud | Sublime Security | 6mo ago Dec 16th, 2024 | /feeds/core/detection-rules/employee-impersonation-payroll-fraud-2beb7d85 | |
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender | Sublime Security | 4mo ago Feb 3rd, 2025 | /feeds/core/detection-rules/extortion-sextortion-pdf-attachment-leveraging-breach-data-from-freemail-sender-efb5a213 | |
Fake Message Thread - Untrusted Sender with a Mismatched Freemail Reply-To Address | Sublime Security | 5mo ago Jan 9th, 2025 | /feeds/core/detection-rules/fake-message-thread-untrusted-sender-with-a-mismatched-freemail-reply-to-address-ca64e819 | |
Free Email Provider Sender with Mismatched Provider Reply-To | Sublime Security | 27d ago May 23rd, 2025 | /feeds/core/detection-rules/free-email-provider-sender-with-mismatched-provider-reply-to-fcd831d0 | |
Google Services Using G.co Shortlinks | Sublime Security | 4mo ago Jan 29th, 2025 | /feeds/core/detection-rules/google-services-using-gco-shortlinks-09ff8a73 | |
Honorific greeting BEC attempt with sender and reply-to mismatch | Sublime Security | 9mo ago Aug 27th, 2024 | /feeds/core/detection-rules/honorific-greeting-bec-attempt-with-sender-and-reply-to-mismatch-aa41b1b7 | |
Impersonation: Chrome Web Store Policy | Sublime Security | 3mo ago Mar 18th, 2025 | /feeds/core/detection-rules/impersonation-chrome-web-store-policy-4a98f283 | |
Impersonation: Suspected supplier impersonation with suspicious content | Sublime Security | 4mo ago Feb 3rd, 2025 | /feeds/core/detection-rules/impersonation-suspected-supplier-impersonation-with-suspicious-content-63d8b1ce | |
Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender | Sublime Security | 8mo ago Oct 10th, 2024 | /feeds/core/detection-rules/link-google-calendar-invite-linking-to-an-open-redirect-from-an-untrusted-freemail-sender-bb4f1ea9 | |
Link: Invoice or receipt from freemail sender with customer service number | @vector_sec | 2y ago Oct 4th, 2023 | /feeds/core/detection-rules/link-invoice-or-receipt-from-freemail-sender-with-customer-service-number-3825232d | |
Link: Multistage Landing - Abused Google Drive | Sublime Security | 1mo ago May 5th, 2025 | /feeds/core/detection-rules/link-multistage-landing-abused-google-drive-c86288b4 | |
Mass campaign: Cross Site Scripting (XSS) attempt | Sublime Security | 1y ago Mar 27th, 2024 | /feeds/core/detection-rules/mass-campaign-cross-site-scripting-xss-attempt-6cbb7124 | |
Message Traversed Multiple onmicrosoft.com Tenants | Sublime Security | 6mo ago Dec 18th, 2024 | /feeds/core/detection-rules/message-traversed-multiple-onmicrosoftcom-tenants-9cf01c0d | |
PenPal Scam | Sublime Security | 1y ago Apr 23rd, 2024 | /feeds/core/detection-rules/penpal-scam-a4bdfa17 | |
Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern | Sublime Security | 1mo ago May 14th, 2025 | /feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-suspicious-sender-or-recipient-pattern-2ac0d329 | |
Scam: Piano Giveaway | Sublime Security | 8d ago Jun 11th, 2025 | /feeds/core/detection-rules/scam-piano-giveaway-1a91a203 | |
Service Abuse: Google Drive Share From an Unsolicited Reply-To Address | Sublime Security | 2mo ago Apr 11th, 2025 | /feeds/core/detection-rules/service-abuse-google-drive-share-from-an-unsolicited-reply-to-address-4581ec0c | |
Service Abuse: Google Drive Share From New Reply-To Domain | Sublime Security | 5mo ago Jan 9th, 2025 | /feeds/core/detection-rules/service-abuse-google-drive-share-from-new-reply-to-domain-c1a2d367 | |
Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com) | Sublime Security | 5mo ago Jan 10th, 2025 | /feeds/core/detection-rules/spam-default-microsoft-exchange-online-sender-domain-onmicrosoftcom-3f2a64ce | |
Spam: New link domain (<=10d) and emojis | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/spam-new-link-domain-less10d-and-emojis-33677993 | |
Spam: Sexually Explicit Google Drive Share | Sublime Security | 21d ago May 29th, 2025 | /feeds/core/detection-rules/spam-sexually-explicit-google-drive-share-3f951c06 | |
Spam: Sexually Explicit Google Group Invitation | Sublime Security | 21d ago May 29th, 2025 | /feeds/core/detection-rules/spam-sexually-explicit-google-group-invitation-4e0bec29 |