Sublime Core Feed

This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.

Sublime Security

Last updated Jul 17th, 2025

Feed Source

GitHub

Tactic or Technique is

Rule Name & Severity	Author	Last Updated	Labels
Attachment: Archive contains DLL-loading macro	Sublime Security	2y ago Dec 28th, 2023	Malware/Ransomware Exploit LNK Macros Scripting Archive analysis File analysis Macro analysis YARA	/feeds/core/detection-rules/attachment-archive-contains-dll-loading-macro-3a193f5f
Attachment: .csproj with suspicious commands	Sublime Security	2y ago Aug 17th, 2023	Malware/Ransomware Evasion Scripting File analysis	/feeds/core/detection-rules/attachment-csproj-with-suspicious-commands-fe45b81d
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability	Sublime Security	2y ago Dec 19th, 2023	Malware/Ransomware Exploit Macros Scripting Archive analysis Content analysis File analysis Macro analysis OLE analysis	/feeds/core/detection-rules/attachment-cve-2021-40444-mshtml-remote-code-execution-vulnerability-8cefcf7f
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability	Sublime Security	4mo ago Mar 21st, 2025	Credential Phishing Scripting Macros Exploit Archive analysis Content analysis File analysis	/feeds/core/detection-rules/attachment-cve-2025-24071-microsoft-windows-file-explorer-spoofing-vulnerability-2e69fa0b
Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment	@ajpc500	4d ago Jul 16th, 2025	Malware/Ransomware Credential Phishing Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-double-base64-encoded-zip-file-in-html-smuggling-attachment-61ebb07b
Attachment: Embedded Javascript in SVG file	Sublime Security	1mo ago Jun 2nd, 2025	Malware/Ransomware Scripting Archive analysis File analysis Sender analysis XML analysis	/feeds/core/detection-rules/attachment-embedded-javascript-in-svg-file-f70293bc
Attachment: Embedded VBScript in MHT file (unsolicited)	Sublime Security	4d ago Jul 16th, 2025	Malware/Ransomware Evasion Scripting Archive analysis File analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-embedded-vbscript-in-mht-file-unsolicited-b30353a6
Attachment: EML containing a base64 encoded script	Sublime Security	1y ago Jan 30th, 2024	Credential Phishing Evasion HTML smuggling Scripting Social engineering File analysis HTML analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-containing-a-base64-encoded-script-fc3d9445
Attachment: EML with Embedded Javascript in SVG File	Sublime Security	3mo ago Apr 17th, 2025	Credential Phishing Malware/Ransomware Scripting Evasion File analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-eml-with-embedded-javascript-in-svg-file-dfafb78f
Attachment: Encrypted Microsoft Office file (unsolicited)	Sublime Security	4d ago Jul 16th, 2025	Malware/Ransomware Encryption Macros Scripting Archive analysis File analysis OLE analysis Sender analysis	/feeds/core/detection-rules/attachment-encrypted-microsoft-office-file-unsolicited-1e47e953
Attachment: Fake Slack installer	Sublime Security	2y ago Nov 29th, 2023	Malware/Ransomware Evasion HTML smuggling Impersonation: Brand Scripting Social engineering Archive analysis Computer Vision File analysis HTML analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/attachment-fake-slack-installer-cded2d2f
Attachment: Fake Zoom installer	Sublime Security	2y ago Nov 29th, 2023	Malware/Ransomware Evasion HTML smuggling Impersonation: Brand Scripting Social engineering Archive analysis Computer Vision File analysis HTML analysis Natural Language Understanding URL analysis	/feeds/core/detection-rules/attachment-fake-zoom-installer-840a12a6
Attachment: File execution via Javascript	Sublime Security	4d ago Jul 16th, 2025	Malware/Ransomware Evasion Scripting Archive analysis File analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-file-execution-via-javascript-627ae0b1
Attachment: HTML Attachment with Javascript location	@vector_sec	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis Javascript analysis HTML analysis	/feeds/core/detection-rules/attachment-html-attachment-with-javascript-location-e0611295
Attachment: HTML Attachment with Login Portal Indicators	@ajpc500	4d ago Jul 16th, 2025	Credential Phishing HTML smuggling Scripting Archive analysis File analysis HTML analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-html-attachment-with-login-portal-indicators-3aabf4a7
Attachment: HTML file contains exclusively Javascript	Sublime Security	1y ago Feb 1st, 2024	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis File analysis	/feeds/core/detection-rules/attachment-html-file-contains-exclusively-javascript-b6d38168
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts	Sublime Security	5mo ago Feb 3rd, 2025	Malware/Ransomware Credential Phishing HTML smuggling Scripting Evasion HTML analysis File analysis Content analysis	/feeds/core/detection-rules/attachment-html-file-with-excessive-const-declarations-and-abnormally-long-timeouts-66f8a07a
Attachment: HTML file with reference to recipient and suspicious patterns	Sublime Security	1y ago May 3rd, 2024	Credential Phishing HTML smuggling Scripting Content analysis File analysis HTML analysis Javascript analysis YARA	/feeds/core/detection-rules/attachment-html-file-with-reference-to-recipient-and-suspicious-patterns-5333493d
Attachment: HTML smuggling 'body onload' linking to suspicious destination	Sublime Security	2y ago Sep 22nd, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis URL analysis	/feeds/core/detection-rules/attachment-html-smuggling-body-onload-linking-to-suspicious-destination-c1e2beed
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text	Sublime Security	2y ago Sep 25th, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis	/feeds/core/detection-rules/attachment-html-smuggling-body-onload-with-high-entropy-and-suspicious-text-329ac12d
Attachment: HTML smuggling with atob and high entropy	Sublime Security	10mo ago Aug 29th, 2024	Credential Phishing Malware/Ransomware HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-03fcac11
Attachment: HTML smuggling with atob and high entropy via calendar invite	Sublime Security	1mo ago Jun 3rd, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting File analysis HTML analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-via-calendar-invite-94d84614
Attachment: HTML smuggling with auto-downloaded file	Sublime Security	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-auto-downloaded-file-abf724f5
Attachment: HTML smuggling with base64 encoded JavaScript function	Sublime Security	2y ago Aug 27th, 2023	Credential Phishing Malware/Ransomware HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-base64-encoded-javascript-function-4e8a12ec
Attachment: HTML smuggling with concatenation obfuscation	@vector_sec	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-concatenation-obfuscation-108ab346
Attachment: HTML smuggling with decimal encoding	Sublime Security	4d ago Jul 16th, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-decimal-encoding-f99213c4
Attachment: HTML smuggling with embedded base64 streamed file download	Sublime Security	2y ago Aug 21st, 2023	Malware/Ransomware HTML smuggling Scripting Social engineering Archive analysis Content analysis File analysis HTML analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-streamed-file-download-e04de4e2
Attachment: HTML smuggling with eval and atob	Sublime Security	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-9f521ca2
Attachment: HTML smuggling with eval and atob via calendar invite	Sublime Security	1mo ago Jun 3rd, 2025	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting File analysis HTML analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-eval-and-atob-via-calendar-invite-597c2edd
Attachment: HTML smuggling with excessive line break obfuscation	Sublime Security	2y ago Sep 8th, 2023	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-excessive-line-break-obfuscation-7e901440
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns	Sublime Security	10mo ago Aug 27th, 2024	Credential Phishing Evasion HTML smuggling Scripting Social engineering File analysis HTML analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-excessive-string-concatenation-and-suspicious-patterns-e34fce8d
Attachment: HTML smuggling with fromCharCode and other signals	Sublime Security	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis Javascript analysis HTML analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-fromcharcode-and-other-signals-a68ce0ef
Attachment: HTML smuggling with high entropy and other signals	Sublime Security	2y ago Aug 21st, 2023	Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-high-entropy-and-other-signals-be157288
Attachment: HTML smuggling with RC4 decryption	Sublime Security	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-rc4-decryption-3a46d765
Attachment: HTML smuggling with ROT13	@Kyle_Parrish_	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Encryption Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis Javascript analysis HTML analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-rot13-6eacc4cf
Attachment: HTML smuggling with setTimeout	Sublime Security	2y ago Aug 21st, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis Content analysis File analysis HTML analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-settimeout-4e0b2c32
Attachment: HTML smuggling with unescape	Sublime Security	2y ago Sep 22nd, 2023	Credential Phishing Malware/Ransomware Evasion HTML smuggling Scripting Archive analysis File analysis HTML analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-smuggling-with-unescape-0b0fed36
Attachment: HTML With Emoji-to-Character Map	Sublime Security	4d ago Jul 16th, 2025	Credential Phishing Evasion HTML smuggling Impersonation: Brand Scripting Social engineering File analysis HTML analysis Javascript analysis Sender analysis	/feeds/core/detection-rules/attachment-html-with-emoji-to-character-map-3119d086
Attachment: HTML with Hidden Body	Sublime Security	1y ago Jun 24th, 2024	Credential Phishing Evasion Scripting Content analysis HTML analysis File analysis	/feeds/core/detection-rules/attachment-html-with-hidden-body-b059a781
Attachment: HTML with JavaScript Functions for HTTP requests	Sublime Security	1y ago Jul 3rd, 2024	Credential Phishing Evasion Scripting Content analysis HTML analysis Javascript analysis File analysis	/feeds/core/detection-rules/attachment-html-with-javascript-functions-for-http-requests-01e679fd
Attachment: HTML with obfuscation and recipient's email in JavaScript strings	Sublime Security	3mo ago Apr 10th, 2025	Credential Phishing HTML smuggling Scripting Archive analysis File analysis HTML analysis Javascript analysis	/feeds/core/detection-rules/attachment-html-with-obfuscation-and-recipients-email-in-javascript-strings-1aff486b
Attachment: JavaScript file with suspicious base64-encoded executable	Sublime Security	1y ago Apr 1st, 2024	Malware/Ransomware Evasion Scripting Archive analysis File analysis YARA	/feeds/core/detection-rules/attachment-javascript-file-with-suspicious-base64-encoded-executable-b8db0cf3
Attachment: LNK with embedded content	@ajpc500	2y ago Aug 21st, 2023	Malware/Ransomware Exploit LNK Scripting Content analysis Exif analysis File analysis	/feeds/core/detection-rules/attachment-lnk-with-embedded-content-41452f7a
Attachment: Macro Files Containing MHT Content	Sublime Security	1mo ago Jun 12th, 2025	Malware/Ransomware Credential Phishing Evasion Macros Scripting Archive analysis File analysis Macro analysis	/feeds/core/detection-rules/attachment-macro-files-containing-mht-content-4d54e40b
Attachment: Macro with Suspected Use of COM ShellBrowserWindow Object for Process Creation	@ajpc500	2y ago Dec 19th, 2023	Malware/Ransomware Macros Scripting Content analysis File analysis Macro analysis	/feeds/core/detection-rules/attachment-macro-with-suspected-use-of-com-shellbrowserwindow-object-for-process-creation-527fc7f0
Attachment: Malicious OneNote Commands	@Kyle_Parrish_	2y ago Aug 21st, 2023	Malware/Ransomware OneNote Scripting Archive analysis Content analysis File analysis YARA	/feeds/core/detection-rules/attachment-malicious-onenote-commands-7319f0eb
Attachment: Microsoft impersonation via PDF with link and suspicious language	Sublime Security	4d ago Jul 16th, 2025	Credential Phishing Malware/Ransomware Image as content Impersonation: Brand PDF Scripting Social engineering Computer Vision File analysis Header analysis Natural Language Understanding Sender analysis	/feeds/core/detection-rules/attachment-microsoft-impersonation-via-pdf-with-link-and-suspicious-language-70d41c7f
Attachment: Office Document with VSTO Add-in	@vector_sec	4d ago Jul 16th, 2025	Malware/Ransomware Scripting Archive analysis Content analysis Exif analysis File analysis Sender analysis URL analysis	/feeds/core/detection-rules/attachment-office-document-with-vsto-add-in-27afa730
Attachment: Office file with suspicious function calls or downloaded file path	Sublime Security	4d ago Jul 16th, 2025	Malware/Ransomware Evasion Scripting Archive analysis File analysis	/feeds/core/detection-rules/attachment-office-file-with-suspicious-function-calls-or-downloaded-file-path-4c78b969
Attachment: PowerPoint with suspicious hyperlink	Sublime Security	2y ago Aug 21st, 2023	Malware/Ransomware Evasion Scripting Exif analysis File analysis	/feeds/core/detection-rules/attachment-powerpoint-with-suspicious-hyperlink-0a999fb1