Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Mar 21st, 2025

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Adobe branded PDF file linking to a password-protected file from untrusted sender	Sublime Security	1y ago Feb 23rd, 2024	Malware/Ransomware Encryption Evasion Impersonation: Brand PDF Archive analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/adobe-branded-pdf-file-linking-to-a-password-protected-file-from-untrusted-sender-5ea75469
Attachment: Archive with pdf, txt and wsf files	Sublime Security	2y ago Aug 21st, 2023	Malware/Ransomware Evasion PDF Archive analysis File analysis	/feeds/core/detection-rules/attachment-archive-with-pdf-txt-and-wsf-files-16b2e239
Attachment: Callback Phishing solicitation via pdf file	Sublime Security	25d ago Feb 26th, 2025	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097
Attachment: Decoy PDF Author (Julie P.)	Sublime Security	5mo ago Oct 2nd, 2024	Credential Phishing Impersonation: Brand PDF File analysis Content analysis Sender analysis	/feeds/core/detection-rules/attachment-decoy-pdf-author-julie-p-4324213a
Attachment: DocuSign Impersonation (PDF) linking to New Domain <=3d	Sublime Security	11mo ago Apr 25th, 2024	Credential Phishing Impersonation: Brand PDF Social engineering Header analysis Sender analysis URL analysis File analysis Computer Vision Whois	/feeds/core/detection-rules/attachment-docusign-impersonation-pdf-linking-to-new-domain-less3d-f0c96282
Attachment: Encrypted PDF With Credential Theft Body	Sublime Security	5mo ago Oct 10th, 2024	Credential Phishing Encryption Evasion PDF Social engineering Content analysis Exif analysis File analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a
Attachment: Fake scan-to-email	Sublime Security	4mo ago Oct 28th, 2024	Credential Phishing Free file host Image as content PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-fake-scan-to-email-ea850cc1
Attachment: Microsoft impersonation via PDF with link and suspicious language	Sublime Security	10mo ago May 2nd, 2024	Credential Phishing Malware/Ransomware Image as content Impersonation: Brand PDF Scripting Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-microsoft-impersonation-via-pdf-with-link-and-suspicious-language-70d41c7f
Attachment: PDF file with Link to Fake Bitcoin Exchange	Sublime Security	2y ago Aug 21st, 2023	BEC/Fraud Free email provider Impersonation: Brand PDF Social engineering Exif analysis File analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-file-with-link-to-fake-bitcoin-exchange-47601cb7
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)	Sublime Security	10mo ago May 3rd, 2024	Malware/Ransomware Evasion PDF Archive analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-links-to-suspicious-filetypes-unsolicited-6144f880
Attachment: PDF file with low reputation link to ZIP file (unsolicited)	Michael Tingle	10mo ago May 3rd, 2024	Malware/Ransomware Evasion PDF Archive analysis File analysis Natural Language Understanding Sender analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-link-to-zip-file-unsolicited-d1ee2859
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)	Sublime Security	1y ago Jan 30th, 2024	Credential Phishing Free subdomain host PDF Social engineering File analysis Natural Language Understanding Optical Character Recognition Sender analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-with-credential-theft-language-and-link-to-a-free-subdomain-unsolicited-90f4ef4e
Attachment: PDF with link to DMG file download	Sublime Security	11mo ago Apr 25th, 2024	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-with-link-to-dmg-file-download-2c486fe0
Attachment: PDF with link to zip containing a wsf file	Sublime Security	11mo ago Apr 25th, 2024	Malware/Ransomware Evasion PDF Archive analysis Content analysis File analysis URL analysis	/feeds/core/detection-rules/attachment-pdf-with-link-to-zip-containing-a-wsf-file-93bc7db4
Attachment: PDF with suspicious language and redirect to suspicious file type	Sublime Security	10mo ago May 22nd, 2024	Malware/Ransomware Credential Phishing Evasion PDF File analysis Natural Language Understanding Optical Character Recognition URL analysis	/feeds/core/detection-rules/attachment-pdf-with-suspicious-language-and-redirect-to-suspicious-file-type-adda3c3f
Attachment: Python generated PDF with link	@affje0x65	1y ago Feb 7th, 2024	Evasion PDF File analysis	/feeds/core/detection-rules/attachment-python-generated-pdf-with-link-2fec884d
Attachment: QR Code Link With Base64-Encoded Recipient Address	Sublime Security	26d ago Feb 25th, 2025	Credential Phishing QR code Image as content Social engineering Evasion PDF Macros Computer Vision File analysis Natural Language Understanding QR code analysis Sender analysis	/feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a
Attachment: QR Code With Userinfo Portion	Sublime Security	30d ago Feb 21st, 2025	Credential Phishing Malware/Ransomware Evasion Image as content PDF QR code QR code analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-qr-code-with-userinfo-portion-9d62cc5c
Attachment: RFP/RFQ impersonating government entities	Sublime Security	1y ago Jan 30th, 2024	BEC/Fraud Impersonation: Brand PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition Sender analysis	/feeds/core/detection-rules/attachment-rfprfq-impersonating-government-entities-3b73e3b3
Brand impersonation: Adobe (QR code)	Sublime Security	27d ago Feb 24th, 2025	Credential Phishing Impersonation: Brand PDF QR code Computer Vision Header analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-adobe-qr-code-2fc36c6d
Brand Impersonation: DocuSign pdf attachment with suspicious link	Sublime Security	1mo ago Feb 3rd, 2025	Credential Phishing Impersonation: Brand PDF Social engineering File analysis Natural Language Understanding Optical Character Recognition URL analysis	/feeds/core/detection-rules/brand-impersonation-docusign-pdf-attachment-with-suspicious-link-2601cbb7
Brand impersonation: DocuSign (QR code)	Sublime Security	9mo ago Jun 12th, 2024	Credential Phishing Impersonation: Brand PDF QR code Social engineering Computer Vision Header analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-docusign-qr-code-0b16c28a
Brand Impersonation: Google (QR Code)	Sublime Security	11mo ago Apr 3rd, 2024	Credential Phishing Impersonation: Brand PDF QR code Computer Vision Header analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-google-qr-code-7ffd184c
Brand impersonation: Microsoft (QR code)	Sublime Security	7mo ago Aug 9th, 2024	Credential Phishing Impersonation: Brand PDF QR code Social engineering Computer Vision Header analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-qr-code-ed0f772a
Callback Phishing: Social Security Administration Fraud	Sublime Security	27d ago Feb 24th, 2025	Callback Phishing Evasion Free email provider Out of band pivot PDF Social engineering Exif analysis File analysis Optical Character Recognition Sender analysis	/feeds/core/detection-rules/callback-phishing-social-security-administration-fraud-a9049d52
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender	Sublime Security	1mo ago Feb 3rd, 2025	BEC/Fraud Free email provider PDF Social engineering QR code Content analysis File analysis QR code analysis	/feeds/core/detection-rules/extortion-sextortion-pdf-attachment-leveraging-breach-data-from-freemail-sender-efb5a213
PDF attachment with Google (AE) redirecting to a php or zip file	Sublime Security	2y ago Sep 26th, 2023	Malware/Ransomware Open redirect PDF Content analysis File analysis URL analysis	/feeds/core/detection-rules/pdf-attachment-with-google-ae-redirecting-to-a-php-or-zip-file-57ae513f
Sharepoint Link Likely Unrelated to Sender	Sublime Security	11d ago Mar 12th, 2025	BEC/Fraud Credential Phishing Impersonation: Employee Lookalike domain OneNote PDF Social engineering URL analysis Sender analysis Header analysis HTML analysis	/feeds/core/detection-rules/sharepoint-link-likely-unrelated-to-sender-6870f489
Spam: Unsolicited malformed PDF	Sublime Security	10mo ago May 23rd, 2024	Spam Evasion Free email provider PDF Content analysis File analysis Sender analysis	/feeds/core/detection-rules/spam-unsolicited-malformed-pdf-f0c50031
Stripe Invoice Abuse	Sublime Security	2y ago Aug 21st, 2023	BEC/Fraud Callback Phishing PDF File analysis Header analysis	/feeds/core/detection-rules/stripe-invoice-abuse-90162d16
Suspicious Attachment: Duplicate decoy PDF files	Sublime Security	5d ago Mar 18th, 2025	Credential Phishing Evasion PDF File analysis Optical Character Recognition	/feeds/core/detection-rules/suspicious-attachment-duplicate-decoy-pdf-files-79b9b2e7
Suspicious SharePoint File Sharing	Sublime Security	3mo ago Dec 18th, 2024	Credential Phishing Free email provider Free file host OneNote PDF Content analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/suspicious-sharepoint-file-sharing-971c3d9c
URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)	Sublime Security	2y ago Nov 18th, 2023	Credential Phishing Malware/Ransomware PDF File analysis Threat intelligence URL analysis	/feeds/core/detection-rules/urlhaus-malicious-domain-in-message-body-or-pdf-attachment-trusted-reporters-cfca2986