Sublime Core Feed
This repo contains open-source Rules for Sublime, a free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing.
Sublime Security
Last updated May 23rd, 2025
Rule Name & Severity | Author | Last Updated | Rule Path | |
---|---|---|---|---|
Advance Fee Fraud (AFF) from freemail provider or suspicious TLD | Sublime Security | 1mo ago Apr 11th, 2025 | /feeds/core/detection-rules/advance-fee-fraud-aff-from-freemail-provider-or-suspicious-tld-6a5af373 | |
Attachment: Archive containing HTML file with file scheme link | Sublime Security | 1y ago Mar 7th, 2024 | /feeds/core/detection-rules/attachment-archive-containing-html-file-with-file-scheme-link-edf6d0d9 | |
Attachment: Callback Phishing solicitation via image file | @vector_sec | 2mo ago Mar 12th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-image-file-60acbb36 | |
Attachment: Callback Phishing solicitation via pdf file | Sublime Security | 1mo ago Mar 27th, 2025 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097 | |
Attachment: Callback Phishing solicitation via text-based file with a large unknown recipient list | Sublime Security | 10mo ago Jul 26th, 2024 | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-text-based-file-with-a-large-unknown-recipient-list-ca39c83a | |
Attachment: DocuSign Impersonation (PDF) linking to New Domain <=3d | Sublime Security | 1y ago Apr 25th, 2024 | /feeds/core/detection-rules/attachment-docusign-impersonation-pdf-linking-to-new-domain-less3d-f0c96282 | |
Attachment: Dropbox image lure with no Dropbox domains in links | Sublime Security | 1y ago Jan 23rd, 2024 | /feeds/core/detection-rules/attachment-dropbox-image-lure-with-no-dropbox-domains-in-links-500eee2d | |
Attachment: EML containing a base64 encoded script | Sublime Security | 1y ago Jan 30th, 2024 | /feeds/core/detection-rules/attachment-eml-containing-a-base64-encoded-script-fc3d9445 | |
Attachment: EML with link to credential phishing page | Sublime Security | 8mo ago Sep 13th, 2024 | /feeds/core/detection-rules/attachment-eml-with-link-to-credential-phishing-page-1df41cca | |
Attachment: EML with Suspicious Indicators | Sublime Security | 1mo ago Apr 18th, 2025 | /feeds/core/detection-rules/attachment-eml-with-suspicious-indicators-deb5d08d | |
Attachment: Encrypted PDF With Credential Theft Body | Sublime Security | 7mo ago Oct 10th, 2024 | /feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a | |
Attachment: Fake attachment image lure | Sublime Security | 1mo ago Apr 11th, 2025 | /feeds/core/detection-rules/attachment-fake-attachment-image-lure-96b8b285 | |
Attachment: Fake scan-to-email | Sublime Security | 6mo ago Oct 28th, 2024 | /feeds/core/detection-rules/attachment-fake-scan-to-email-ea850cc1 | |
Attachment: Fake secure message and suspicious indicators | Sublime Security | 8mo ago Sep 16th, 2024 | /feeds/core/detection-rules/attachment-fake-secure-message-and-suspicious-indicators-20a34d94 | |
Attachment: Fake Slack installer | Sublime Security | 2y ago Nov 29th, 2023 | /feeds/core/detection-rules/attachment-fake-slack-installer-cded2d2f | |
Attachment: Fake Voicemail via PDF | Sublime Security | 23d ago Apr 30th, 2025 | /feeds/core/detection-rules/attachment-fake-voicemail-via-pdf-d3587209 | |
Attachment: Fake Zoom installer | Sublime Security | 2y ago Nov 29th, 2023 | /feeds/core/detection-rules/attachment-fake-zoom-installer-840a12a6 | |
Attachment: HTML Smuggling Microsoft Sign In | Sublime Security | 1y ago Jan 31st, 2024 | /feeds/core/detection-rules/attachment-html-smuggling-microsoft-sign-in-878d6385 | |
Attachment: HTML smuggling with embedded base64 streamed file download | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-html-smuggling-with-embedded-base64-streamed-file-download-e04de4e2 | |
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns | Sublime Security | 8mo ago Aug 27th, 2024 | /feeds/core/detection-rules/attachment-html-smuggling-with-excessive-string-concatenation-and-suspicious-patterns-e34fce8d | |
Attachment: HTML With Emoji-to-Character Map | Sublime Security | 5mo ago Dec 2nd, 2024 | /feeds/core/detection-rules/attachment-html-with-emoji-to-character-map-3119d086 | |
Attachment: Link to Doubleclick.net Open Redirect | Sublime Security | 7mo ago Oct 24th, 2024 | /feeds/core/detection-rules/attachment-link-to-doubleclicknet-open-redirect-506c16cc | |
Attachment: Microsoft 365 Credential Phishing | Sublime Security | 7mo ago Oct 16th, 2024 | /feeds/core/detection-rules/attachment-microsoft-365-credential-phishing-edce0229 | |
Attachment: Microsoft impersonation via PDF with link and suspicious language | Sublime Security | 1y ago May 2nd, 2024 | /feeds/core/detection-rules/attachment-microsoft-impersonation-via-pdf-with-link-and-suspicious-language-70d41c7f | |
Attachment: Office file contains OLE relationship to credential phishing page | Sublime Security | 5mo ago Dec 18th, 2024 | /feeds/core/detection-rules/attachment-office-file-contains-ole-relationship-to-credential-phishing-page-d55793d0 | |
Attachment: PDF file with Link to Fake Bitcoin Exchange | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/attachment-pdf-file-with-link-to-fake-bitcoin-exchange-47601cb7 | |
Attachment: PDF with credential theft language and link to a free subdomain (unsolicited) | Sublime Security | 1y ago Jan 30th, 2024 | /feeds/core/detection-rules/attachment-pdf-with-credential-theft-language-and-link-to-a-free-subdomain-unsolicited-90f4ef4e | |
Attachment: QR Code Link With Base64-Encoded Recipient Address | Sublime Security | 1mo ago Mar 27th, 2025 | /feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a | |
Attachment: QR code with credential phishing indicators | Sublime Security | 1mo ago Apr 14th, 2025 | /feeds/core/detection-rules/attachment-qr-code-with-credential-phishing-indicators-9f1681e1 | |
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender | Sublime Security | 1y ago Apr 3rd, 2024 | /feeds/core/detection-rules/attachment-rfc822-containing-suspicious-file-sharing-language-with-links-from-untrusted-sender-d96854d7 | |
Attachment: RFP/RFQ impersonating government entities | Sublime Security | 1y ago Jan 30th, 2024 | /feeds/core/detection-rules/attachment-rfprfq-impersonating-government-entities-3b73e3b3 | |
Attachment: Small text file with link containing recipient email address | Sublime Security | 7mo ago Oct 23rd, 2024 | /feeds/core/detection-rules/attachment-small-text-file-with-link-containing-recipient-email-address-c0472c9d | |
Attachment: Suspicious Employee Policy Update Document Lure | Sublime Security | 1mo ago Mar 31st, 2025 | /feeds/core/detection-rules/attachment-suspicious-employee-policy-update-document-lure-a8bf1fd1 | |
Attachment with VBA macros from employee impersonation (unsolicited) | Sublime Security | 1y ago Feb 26th, 2024 | /feeds/core/detection-rules/attachment-with-vba-macros-from-employee-impersonation-unsolicited-9b262123 | |
BEC: Employee impersonation with subject manipulation | Sublime Security | 1y ago Jan 22nd, 2024 | /feeds/core/detection-rules/bec-employee-impersonation-with-subject-manipulation-9adfc77b | |
BEC/Fraud: Generic Scam attempt to Undisclosed Receipients | Sublime Security | 1y ago Apr 23rd, 2024 | /feeds/core/detection-rules/becfraud-generic-scam-attempt-to-undisclosed-receipients-5dac401f | |
BEC/Fraud: Romance Scam | Sublime Security | 2y ago Nov 23rd, 2023 | /feeds/core/detection-rules/becfraud-romance-scam-0243cdaa | |
BEC/Fraud - Student loan callback phishing | Sublime Security | 7mo ago Oct 4th, 2024 | /feeds/core/detection-rules/becfraud-student-loan-callback-phishing-a71f82c3 | |
BEC/Fraud: Urgent Language and Suspicious Sending/Infrastructure Patterns | Sublime Security | 2mo ago Mar 10th, 2025 | /feeds/core/detection-rules/becfraud-urgent-language-and-suspicious-sendinginfrastructure-patterns-ba8a79e0 | |
BEC with unusual Reply-to or Return-path mismatch | Sublime Security | 8mo ago Aug 27th, 2024 | /feeds/core/detection-rules/bec-with-unusual-reply-to-or-return-path-mismatch-83e5e2df | |
Benefits Enrollment Impersonation | Sublime Security | 3mo ago Jan 30th, 2025 | /feeds/core/detection-rules/benefits-enrollment-impersonation-5a6eb5a8 | |
Brand impersonation: Adobe with suspicious language and link | Sublime Security | 8mo ago Sep 19th, 2024 | /feeds/core/detection-rules/brand-impersonation-adobe-with-suspicious-language-and-link-32cc8bf1 | |
Brand impersonation: ADP | Sublime Security | 1y ago Jan 9th, 2024 | /feeds/core/detection-rules/brand-impersonation-adp-bb9cf46b | |
Brand Impersonation: AliExpress | Sublime Security | 25d ago Apr 28th, 2025 | /feeds/core/detection-rules/brand-impersonation-aliexpress-b14703d8 | |
Brand impersonation: Amazon | Sublime Security | 1mo ago Apr 18th, 2025 | /feeds/core/detection-rules/brand-impersonation-amazon-13fc967d | |
Brand impersonation: Amazon with suspicious attachment | Sublime Security | 9d ago May 14th, 2025 | /feeds/core/detection-rules/brand-impersonation-amazon-with-suspicious-attachment-5751dcb9 | |
Brand impersonation: American Express (AMEX) | Sublime Security | 8mo ago Sep 12th, 2024 | /feeds/core/detection-rules/brand-impersonation-american-express-amex-992a9fa9 | |
Brand impersonation: Apple | Sublime Security | 2y ago Aug 21st, 2023 | /feeds/core/detection-rules/brand-impersonation-apple-0b17f2c2 | |
Brand impersonation: Aramco | Sublime Security | 7mo ago Oct 10th, 2024 | /feeds/core/detection-rules/brand-impersonation-aramco-96e87699 | |
Brand impersonation: Bank of America | Sublime Security | 11mo ago Jun 14th, 2024 | /feeds/core/detection-rules/brand-impersonation-bank-of-america-d2fc6ea1 |