Sublime Security

Sublime Core Feed
Free subdomain host
Learn More
Login to Sublime
Attack Types
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Reconnaissance
Spam
Tactics and Techniques
Encryption
Evasion
Exploit
Free email provider
Free file host
Free subdomain host
HTML smuggling
ICS Phishing
Image as content
Impersonation: Brand
Impersonation: Employee
Impersonation: VIP
IPFS
ISO
LNK
Lookalike domain
Macros
OneNote
Open redirect
Out of band pivot
PDF
Punycode
QR code
Scripting
Social engineering
Spoofing
Detection Methods
Archive analysis
Content analysis
Computer Vision
Exif analysis
File analysis
Header analysis
HTML analysis
Javascript analysis
Macro analysis
Natural Language Understanding
Optical Character Recognition
OLE analysis
PDF analysis
QR code analysis
Sender analysis
Threat intelligence
URL analysis
URL screenshot
Whois
XML analysis
YARA
Tactic or Technique: Free subdomain host
Attackers often use free subdomain hosting platforms—like *.web.app, *.netlify.app, or *.github.io—to create phishing sites that look more trustworthy than they are. These services let anyone spin up a website under a well-known domain, which helps malicious pages inherit the reputation of the larger platform.
When you get a phishing email with a link to one of these subdomains, the parent domain may look familiar and safe. But the subdomain itself often hosts fake login pages or malware downloads, making it hard to tell what’s real and what’s not.
Because these hosting providers are widely used for legitimate purposes, blocking them outright isn’t practical for most organizations. That makes this tactic especially tricky—it hides malicious content behind domains people trust, and it forces defenders to find more precise ways to detect threats without disrupting day-to-day business.
Blog Post
Living Off the Land: Credential Phishing via Docusign abuse · Blog · Sublime Security
Sublime Security Attack Spotlight: Credential phishing attempt using Docusign service to deliver multi-stage malicious links via fake PDF.
Attack Types (5):
BEC/Fraud
Credential Phishing
Spam
Malware/Ransomware
Callback Phishing
Detection Methods (16):
Natural Language Understanding
URL analysis
Sender analysis
Header analysis
Content analysis
Computer Vision
Optical Character Recognition
Archive analysis
File analysis
Javascript analysis
Whois
HTML analysis
Exif analysis
Threat intelligence
QR code analysis
URL screenshot
Rule Name & Severity
Last Updated
Types, Tactics & Capabilities
Link: File sharing impersonation with suspicious language and sending patterns
12d ago
Apr 30th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Social engineering
Free subdomain host
Impersonation: Brand
Natural Language Understanding
URL analysis
Sender analysis
Header analysis
Content analysis
BEC/Fraud
Credential Phishing
Social engineering
Free subdomain host
Impersonation: Brand
Natural Language Understanding
URL analysis
Sender analysis
Header analysis
Content analysis
Brand impersonation: Fake Fax
12d ago
Apr 30th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Image as content
Free file host
Free subdomain host
Social engineering
Computer Vision
Content analysis
Optical Character Recognition
Sender analysis
URL analysis
Credential Phishing
Impersonation: Brand
Image as content
Free file host
Free subdomain host
Social engineering
Computer Vision
Content analysis
Optical Character Recognition
Sender analysis
URL analysis
Attachment: Calendar invite with suspicious link leading to an open redirect
14d ago
Apr 28th, 2026
Sublime Security
Spam
Free email provider
Free file host
Free subdomain host
ICS Phishing
Open redirect
Content analysis
URL analysis
Spam
Free email provider
Free file host
Free subdomain host
ICS Phishing
Open redirect
Content analysis
URL analysis
Attachment: HTML smuggling Microsoft sign in
15d ago
Apr 27th, 2026
Sublime Security
Credential Phishing
Free subdomain host
HTML smuggling
Impersonation: Brand
Social engineering
Archive analysis
Content analysis
File analysis
Header analysis
Javascript analysis
Sender analysis
URL analysis
Credential Phishing
Free subdomain host
HTML smuggling
Impersonation: Brand
Social engineering
Archive analysis
Content analysis
File analysis
Header analysis
Javascript analysis
Sender analysis
URL analysis
Credential phishing: Onedrive impersonation
15d ago
Apr 27th, 2026
Sublime Security
Credential Phishing
Free subdomain host
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Natural Language Understanding
URL analysis
Credential Phishing
Free subdomain host
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Natural Language Understanding
URL analysis
Self-sender with copy/paste instructions and suspicious domains (French/Français)
26d ago
Apr 16th, 2026
Sublime Security
Credential Phishing
Evasion
Free subdomain host
Social engineering
Content analysis
Header analysis
Sender analysis
Credential Phishing
Evasion
Free subdomain host
Social engineering
Content analysis
Header analysis
Sender analysis
Link: Tax document lure Portuguese/Spanish with suspicious domains
28d ago
Apr 14th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Malware/Ransomware
Free file host
Free subdomain host
Social engineering
Content analysis
URL analysis
Whois
BEC/Fraud
Credential Phishing
Malware/Ransomware
Free file host
Free subdomain host
Social engineering
Content analysis
URL analysis
Whois
Service abuse: GitHub notification with excessive mentions and suspicious links
1mo ago
Apr 7th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Free file host
Free subdomain host
Social engineering
Header analysis
URL analysis
Sender analysis
Whois
Credential Phishing
Malware/Ransomware
Free file host
Free subdomain host
Social engineering
Header analysis
URL analysis
Sender analysis
Whois
Service abuse: Google Firebase sender address with suspicious content
1mo ago
Apr 2nd, 2026
Sublime Security
Spam
Credential Phishing
Free subdomain host
Social engineering
Content analysis
Header analysis
HTML analysis
Natural Language Understanding
Sender analysis
URL analysis
Whois
Spam
Credential Phishing
Free subdomain host
Social engineering
Content analysis
Header analysis
HTML analysis
Natural Language Understanding
Sender analysis
URL analysis
Whois
Attachment: PDF bid/proposal lure with credential theft indicators
1mo ago
Mar 27th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
PDF
Social engineering
Free file host
Free subdomain host
File analysis
Content analysis
Optical Character Recognition
Natural Language Understanding
URL analysis
Exif analysis
BEC/Fraud
Credential Phishing
PDF
Social engineering
Free file host
Free subdomain host
File analysis
Content analysis
Optical Character Recognition
Natural Language Understanding
URL analysis
Exif analysis
Link: Financial account issue with suspicious indicators
1mo ago
Mar 24th, 2026
Sublime Security
Credential Phishing
Free file host
Free subdomain host
Social engineering
Content analysis
Natural Language Understanding
URL analysis
Whois
Credential Phishing
Free file host
Free subdomain host
Social engineering
Content analysis
Natural Language Understanding
URL analysis
Whois
Link: Free file hosting with undisclosed recipients
1mo ago
Mar 19th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Free file host
Free subdomain host
Evasion
Header analysis
URL analysis
Sender analysis
Natural Language Understanding
Credential Phishing
Malware/Ransomware
Free file host
Free subdomain host
Evasion
Header analysis
URL analysis
Sender analysis
Natural Language Understanding
Service abuse: Google OAuth with suspicious redirect destination
2mo ago
Mar 12th, 2026
Sublime Security
Credential Phishing
Evasion
Free file host
Free subdomain host
Open redirect
Social engineering
URL analysis
Threat intelligence
Credential Phishing
Evasion
Free file host
Free subdomain host
Open redirect
Social engineering
URL analysis
Threat intelligence
Link: Commonly Abused Web Service redirecting to ZIP file
2mo ago
Mar 10th, 2026
Sublime Security
Malware/Ransomware
Free file host
Free subdomain host
Open redirect
Evasion
URL analysis
Whois
Archive analysis
Malware/Ransomware
Free file host
Free subdomain host
Open redirect
Evasion
URL analysis
Whois
Archive analysis
Link: Blogspot hosting explicit romance content
2mo ago
Mar 9th, 2026
Sublime Security
Spam
Free subdomain host
Social engineering
Natural Language Understanding
URL analysis
Spam
Free subdomain host
Social engineering
Natural Language Understanding
URL analysis
Link: Multistage landing - ClickUp abuse
2mo ago
Feb 27th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
Free file host
Free subdomain host
Open redirect
URL analysis
Whois
Content analysis
Credential Phishing
Malware/Ransomware
Evasion
Free file host
Free subdomain host
Open redirect
URL analysis
Whois
Content analysis
Attachment: PDF with multistage landing - ClickUp abuse
2mo ago
Feb 27th, 2026
Sublime Security
Credential Phishing
Evasion
Free file host
Free subdomain host
PDF
Social engineering
File analysis
URL analysis
Whois
Credential Phishing
Evasion
Free file host
Free subdomain host
PDF
Social engineering
File analysis
URL analysis
Whois
Link: WordPress login page with Blogspot Binance scam
2mo ago
Feb 17th, 2026
Sublime Security
Credential Phishing
BEC/Fraud
Social engineering
Free subdomain host
Impersonation: Brand
Content analysis
URL analysis
Credential Phishing
BEC/Fraud
Social engineering
Free subdomain host
Impersonation: Brand
Content analysis
URL analysis
ClickFunnels link infrastructure abuse
3mo ago
Feb 5th, 2026
Sublime Security
Credential Phishing
Free email provider
Free subdomain host
Social engineering
Content analysis
Header analysis
QR code analysis
Sender analysis
URL analysis
Credential Phishing
Free email provider
Free subdomain host
Social engineering
Content analysis
Header analysis
QR code analysis
Sender analysis
URL analysis
Link: Tycoon2FA phishing kit (non-exhaustive)
3mo ago
Jan 23rd, 2026
Sublime Security
Credential Phishing
Free subdomain host
Evasion
Credential Phishing
URL analysis
HTML analysis
Content analysis
Credential Phishing
Free subdomain host
Evasion
Credential Phishing
URL analysis
HTML analysis
Content analysis
Page 1 of 3

Rule Name & Severity	Last Updated	Author	Types, Tactics & Capabilities
Link: File sharing impersonation with suspicious language and sending patterns	12d ago Apr 30th, 2026	Sublime Security	BEC/Fraud Credential Phishing Social engineering Free subdomain host Impersonation: Brand Natural Language Understanding URL analysis Sender analysis Header analysis Content analysis
Brand impersonation: Fake Fax	12d ago Apr 30th, 2026	Sublime Security	Credential Phishing Impersonation: Brand Image as content Free file host Free subdomain host Social engineering Computer Vision Content analysis Optical Character Recognition Sender analysis URL analysis
Attachment: Calendar invite with suspicious link leading to an open redirect	14d ago Apr 28th, 2026	Sublime Security	Spam Free email provider Free file host Free subdomain host ICS Phishing Open redirect Content analysis URL analysis
Attachment: HTML smuggling Microsoft sign in	15d ago Apr 27th, 2026	Sublime Security	Credential Phishing Free subdomain host HTML smuggling Impersonation: Brand Social engineering Archive analysis Content analysis File analysis Header analysis Javascript analysis Sender analysis URL analysis
Credential phishing: Onedrive impersonation	15d ago Apr 27th, 2026	Sublime Security	Credential Phishing Free subdomain host Impersonation: Brand Social engineering Content analysis Header analysis Natural Language Understanding URL analysis
Self-sender with copy/paste instructions and suspicious domains (French/Français)	26d ago Apr 16th, 2026	Sublime Security	Credential Phishing Evasion Free subdomain host Social engineering Content analysis Header analysis Sender analysis
Link: Tax document lure Portuguese/Spanish with suspicious domains	28d ago Apr 14th, 2026	Sublime Security	BEC/Fraud Credential Phishing Malware/Ransomware Free file host Free subdomain host Social engineering Content analysis URL analysis Whois
Service abuse: GitHub notification with excessive mentions and suspicious links	1mo ago Apr 7th, 2026	Sublime Security	Credential Phishing Malware/Ransomware Free file host Free subdomain host Social engineering Header analysis URL analysis Sender analysis Whois
Service abuse: Google Firebase sender address with suspicious content	1mo ago Apr 2nd, 2026	Sublime Security	Spam Credential Phishing Free subdomain host Social engineering Content analysis Header analysis HTML analysis Natural Language Understanding Sender analysis URL analysis Whois
Attachment: PDF bid/proposal lure with credential theft indicators	1mo ago Mar 27th, 2026	Sublime Security	BEC/Fraud Credential Phishing PDF Social engineering Free file host Free subdomain host File analysis Content analysis Optical Character Recognition Natural Language Understanding URL analysis Exif analysis
Link: Financial account issue with suspicious indicators	1mo ago Mar 24th, 2026	Sublime Security	Credential Phishing Free file host Free subdomain host Social engineering Content analysis Natural Language Understanding URL analysis Whois
Link: Free file hosting with undisclosed recipients	1mo ago Mar 19th, 2026	Sublime Security	Credential Phishing Malware/Ransomware Free file host Free subdomain host Evasion Header analysis URL analysis Sender analysis Natural Language Understanding
Service abuse: Google OAuth with suspicious redirect destination	2mo ago Mar 12th, 2026	Sublime Security	Credential Phishing Evasion Free file host Free subdomain host Open redirect Social engineering URL analysis Threat intelligence
Link: Commonly Abused Web Service redirecting to ZIP file	2mo ago Mar 10th, 2026	Sublime Security	Malware/Ransomware Free file host Free subdomain host Open redirect Evasion URL analysis Whois Archive analysis
Link: Blogspot hosting explicit romance content	2mo ago Mar 9th, 2026	Sublime Security	Spam Free subdomain host Social engineering Natural Language Understanding URL analysis
Link: Multistage landing - ClickUp abuse	2mo ago Feb 27th, 2026	Sublime Security	Credential Phishing Malware/Ransomware Evasion Free file host Free subdomain host Open redirect URL analysis Whois Content analysis
Attachment: PDF with multistage landing - ClickUp abuse	2mo ago Feb 27th, 2026	Sublime Security	Credential Phishing Evasion Free file host Free subdomain host PDF Social engineering File analysis URL analysis Whois
Link: WordPress login page with Blogspot Binance scam	2mo ago Feb 17th, 2026	Sublime Security	Credential Phishing BEC/Fraud Social engineering Free subdomain host Impersonation: Brand Content analysis URL analysis
ClickFunnels link infrastructure abuse	3mo ago Feb 5th, 2026	Sublime Security	Credential Phishing Free email provider Free subdomain host Social engineering Content analysis Header analysis QR code analysis Sender analysis URL analysis
Link: Tycoon2FA phishing kit (non-exhaustive)	3mo ago Jan 23rd, 2026	Sublime Security	Credential Phishing Free subdomain host Evasion Credential Phishing URL analysis HTML analysis Content analysis