Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Mar 13th, 2026

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: Adobe image lure in body or attachment with suspicious link	Sublime Security	2mo ago Jan 5th, 2026	Credential Phishing Image as content Impersonation: Brand Content analysis Computer Vision Optical Character Recognition Sender analysis URL analysis
Attachment: Callback phishing solicitation via image file	@vector_sec	2mo ago Jan 12th, 2026	Callback Phishing Evasion Free email provider Out of band pivot Social engineering Image as content Content analysis Optical Character Recognition Sender analysis URL analysis Computer Vision
Attachment: Fake attachment image lure	Sublime Security	5mo ago Sep 22nd, 2025	Credential Phishing Malware/Ransomware Evasion Image as content Social engineering File analysis Natural Language Understanding Optical Character Recognition
Attachment: Fake scan-to-email	Sublime Security	5mo ago Sep 22nd, 2025	Credential Phishing Free file host Image as content PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Attachment: Fake secure message and suspicious indicators	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Image as content Impersonation: Brand Social engineering Content analysis File analysis Header analysis Natural Language Understanding Sender analysis
Attachment: Microsoft impersonation via PDF with link and suspicious language	Sublime Security	8mo ago Jul 16th, 2025	Credential Phishing Malware/Ransomware Image as content Impersonation: Brand PDF Scripting Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Sender analysis
Attachment: QR code link with base64-encoded recipient address	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing QR code Image as content Social engineering Evasion PDF Macros Computer Vision File analysis Natural Language Understanding QR code analysis Sender analysis
Attachment: QR code with encoded recipient targeting and redirect indicators	Sublime Security	1mo ago Jan 30th, 2026	Credential Phishing QR code Evasion Image as content Open redirect Archive analysis File analysis QR code analysis URL analysis
Attachment: QR code with userinfo portion	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion Image as content PDF QR code QR code analysis File analysis Sender analysis
Attachment: SVG files with evasion elements	Sublime Security	7mo ago Aug 8th, 2025	Malware/Ransomware Credential Phishing QR code Image as content Evasion File analysis XML analysis QR code analysis Sender analysis
Brand impersonation: Coinbase with suspicious links	Sublime Security	5mo ago Sep 22nd, 2025	Credential Phishing Evasion Free subdomain host Image as content Impersonation: Brand Computer Vision Content analysis File analysis URL analysis
Brand impersonation: DocuSign with embedded QR code	Sublime Security	4mo ago Oct 17th, 2025	Credential Phishing Evasion Image as content Impersonation: Brand QR code Computer Vision Content analysis QR code analysis Sender analysis
Brand impersonation: Fake Fax	Sublime Security	1mo ago Feb 5th, 2026	Credential Phishing Impersonation: Brand Image as content Free file host Free subdomain host Social engineering Computer Vision Content analysis Optical Character Recognition Sender analysis URL analysis
Brand impersonation: Microsoft Planner with suspicious link	Sublime Security	1mo ago Feb 6th, 2026	Credential Phishing Evasion Image as content Impersonation: Brand Social engineering Content analysis Header analysis Natural Language Understanding Sender analysis URL analysis
Brand impersonation: Microsoft with low reputation links	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Free file host Image as content Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis
Brand impersonation: USPS	Sublime Security	29d ago Feb 13th, 2026	Credential Phishing Image as content Impersonation: Brand Social engineering Computer Vision Content analysis Natural Language Understanding Sender analysis
Cloud storage impersonation with credential theft indicators	Sublime Security	22h ago Mar 13th, 2026	Credential Phishing Free file host Image as content Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis
Credential phishing: Hyper-linked image leading to free file host	Sublime Security	7mo ago Aug 5th, 2025	Credential Phishing Evasion Free file host Image as content Social engineering Content analysis Header analysis Sender analysis URL analysis
Credential phishing: Image as content, short or no body contents	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Evasion Image as content Computer Vision Content analysis File analysis Header analysis Natural Language Understanding Optical Character Recognition
Credential theft: Gophish abuse with hidden tracking image	Sublime Security	4mo ago Nov 5th, 2025	Spam Evasion Image as content Content analysis HTML analysis
Image as content with a link to an open redirect (unsolicited)	Sublime Security	2mo ago Jan 12th, 2026	Credential Phishing Malware/Ransomware Evasion Image as content Open redirect Social engineering Content analysis HTML analysis URL analysis
Impersonation: Recipient organization in sender display name with credential theft image	Sublime Security	25d ago Feb 17th, 2026	Credential Phishing Image as content Impersonation: Brand Social engineering Computer Vision Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis
Inline image as message with attachment or link	Sublime Security	8mo ago Jul 16th, 2025	Credential Phishing Evasion Image as content Content analysis HTML analysis URL analysis
Invoicera infrastructure abuse	Sublime Security	2y ago Mar 7th, 2024	Credential Phishing Spam Free file host Free subdomain host Image as content Social engineering Content analysis Header analysis Sender analysis
PHP Mailer with common phishing attachments	@vector_sec	3y ago Aug 21st, 2023	Credential Phishing Image as content Header analysis
Spam: BlackBaud infrastructure abuse	Sublime Security	2y ago Jan 17th, 2024	Spam Evasion Impersonation: Brand Image as content Social engineering Content analysis Header analysis
Spam: Item giveaway spam template	Sublime Security	7mo ago Aug 5th, 2025	Spam Image as content Content analysis HTML analysis Sender analysis Exif analysis
Spam: Mastercard promotional content with image-based body	Sublime Security	4mo ago Nov 5th, 2025	Credential Phishing Spam Image as content Impersonation: Brand Social engineering Computer Vision Content analysis Header analysis Natural Language Understanding Optical Character Recognition Sender analysis

28 Rules