Sublime Core Feed
This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.
Sublime Security
Last updated Jul 17th, 2025
Rule Name & Severity | Author | Last Updated | Rule Path | |
---|---|---|---|---|
Adobe branded PDF file linking to a password-protected file from untrusted sender | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/adobe-branded-pdf-file-linking-to-a-password-protected-file-from-untrusted-sender-5ea75469 | |
Attachment: Archive with pdf, txt and wsf files | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-archive-with-pdf-txt-and-wsf-files-16b2e239 | |
Attachment: Callback Phishing solicitation via pdf file | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097 | |
Attachment: Decoy PDF Author (Julie P.) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-decoy-pdf-author-julie-p-4324213a | |
Attachment: DocuSign Impersonation (PDF) linking to New Domain <=3d | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/attachment-docusign-impersonation-pdf-linking-to-new-domain-less3d-f0c96282 | |
Attachment: Encrypted PDF With Credential Theft Body | Sublime Security | 6d ago Jul 14th, 2025 | /feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a | |
Attachment: Fake scan-to-email | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-fake-scan-to-email-ea850cc1 | |
Attachment: Fake Voicemail via PDF | Sublime Security | 2mo ago Apr 30th, 2025 | /feeds/core/detection-rules/attachment-fake-voicemail-via-pdf-d3587209 | |
Attachment: Legal Themed Message with PDF Containing Suspicious Link | Sublime Security | 1mo ago Jun 6th, 2025 | /feeds/core/detection-rules/attachment-legal-themed-message-with-pdf-containing-suspicious-link-19133301 | |
Attachment: Microsoft impersonation via PDF with link and suspicious language | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-microsoft-impersonation-via-pdf-with-link-and-suspicious-language-70d41c7f | |
Attachment: PDF file with Link to Fake Bitcoin Exchange | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-pdf-file-with-link-to-fake-bitcoin-exchange-47601cb7 | |
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-links-to-suspicious-filetypes-unsolicited-6144f880 | |
Attachment: PDF file with low reputation link to ZIP file (unsolicited) | Michael Tingle | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-link-to-zip-file-unsolicited-d1ee2859 | |
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-pdf-with-credential-theft-language-and-link-to-a-free-subdomain-unsolicited-90f4ef4e | |
Attachment: PDF with link to DMG file download | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-pdf-with-link-to-dmg-file-download-2c486fe0 | |
Attachment: PDF with link to zip containing a wsf file | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/attachment-pdf-with-link-to-zip-containing-a-wsf-file-93bc7db4 | |
Attachment: PDF with suspicious language and redirect to suspicious file type | Sublime Security | 1y ago May 22nd, 2024 | /feeds/core/detection-rules/attachment-pdf-with-suspicious-language-and-redirect-to-suspicious-file-type-adda3c3f | |
Attachment: QR Code Link With Base64-Encoded Recipient Address | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a | |
Attachment: QR Code With Userinfo Portion | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/attachment-qr-code-with-userinfo-portion-9d62cc5c | |
Attachment: RFP/RFQ impersonating government entities | Sublime Security | 1y ago Jan 30th, 2024 | /feeds/core/detection-rules/attachment-rfprfq-impersonating-government-entities-3b73e3b3 | |
Attachment: Soda PDF Producer with Encryption Themes | Sublime Security | 1mo ago Jun 19th, 2025 | /feeds/core/detection-rules/attachment-soda-pdf-producer-with-encryption-themes-af8eeca4 | |
Attachment: Suspicious Employee Policy Update Document Lure | Sublime Security | 3mo ago Mar 31st, 2025 | /feeds/core/detection-rules/attachment-suspicious-employee-policy-update-document-lure-a8bf1fd1 | |
Attachment: Suspicious PDF Created With Headless Browser | Sublime Security | 20d ago Jun 30th, 2025 | /feeds/core/detection-rules/attachment-suspicious-pdf-created-with-headless-browser-8f3108d7 | |
Attachment: USDA Bid Invitation Impersonation | Sublime Security | 1mo ago May 23rd, 2025 | /feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493 | |
Brand impersonation: Adobe (QR code) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-adobe-qr-code-2fc36c6d | |
Brand Impersonation: DocuSign pdf attachment with suspicious link | Sublime Security | 5mo ago Feb 3rd, 2025 | /feeds/core/detection-rules/brand-impersonation-docusign-pdf-attachment-with-suspicious-link-2601cbb7 | |
Brand impersonation: DocuSign (QR code) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-docusign-qr-code-0b16c28a | |
Brand Impersonation: Google (QR Code) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-google-qr-code-7ffd184c | |
Brand impersonation: Microsoft (QR code) | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/brand-impersonation-microsoft-qr-code-ed0f772a | |
Callback Phishing: Social Security Administration Fraud | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/callback-phishing-social-security-administration-fraud-a9049d52 | |
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender | Sublime Security | 5mo ago Feb 3rd, 2025 | /feeds/core/detection-rules/extortion-sextortion-pdf-attachment-leveraging-breach-data-from-freemail-sender-efb5a213 | |
Link: Uncommon SharePoint Document Type With Sender's Display Name | Sublime Security | 5d ago Jul 15th, 2025 | /feeds/core/detection-rules/link-uncommon-sharepoint-document-type-with-senders-display-name-02d290b2 | |
PDF attachment with Google (AE) redirecting to a php or zip file | Sublime Security | 2y ago Sep 26th, 2023 | /feeds/core/detection-rules/pdf-attachment-with-google-ae-redirecting-to-a-php-or-zip-file-57ae513f | |
Sharepoint Link Likely Unrelated to Sender | Sublime Security | 4mo ago Mar 12th, 2025 | /feeds/core/detection-rules/sharepoint-link-likely-unrelated-to-sender-6870f489 | |
Spam: Unsolicited malformed PDF | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/spam-unsolicited-malformed-pdf-f0c50031 | |
Stripe Invoice Abuse | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/stripe-invoice-abuse-90162d16 | |
Suspicious Attachment: Duplicate decoy PDF files | Sublime Security | 4mo ago Mar 18th, 2025 | /feeds/core/detection-rules/suspicious-attachment-duplicate-decoy-pdf-files-79b9b2e7 | |
Suspicious attachment with unscannable Cloudflare link | Sublime Security | 4d ago Jul 16th, 2025 | /feeds/core/detection-rules/suspicious-attachment-with-unscannable-cloudflare-link-00f92b6f | |
Suspicious SharePoint File Sharing | Sublime Security | 3mo ago Apr 11th, 2025 | /feeds/core/detection-rules/suspicious-sharepoint-file-sharing-971c3d9c | |
URLhaus: Malicious domain in message body or pdf attachment (trusted reporters) | Sublime Security | 2y ago Nov 18th, 2023 | /feeds/core/detection-rules/urlhaus-malicious-domain-in-message-body-or-pdf-attachment-trusted-reporters-cfca2986 | |