Brand impersonation: Sublime Security
Possible attempt to impersonate Sublime Security executives.
Sublime rule
name: "Brand impersonation: Sublime Security"
description: |
  Possible attempt to impersonate Sublime Security executives.
references:
  - "https://sandbox.sublimesecurity.com?id=612ff73b-e22d-4176-9e22-2b841b60a237"
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    sender.display_name in~ (
      'Sublime Security',
      'Josh Kamdjou',
      'Joshua Kamdjou',
      'Ian Thiel'
    )
    or strings.ilevenshtein(sender.email.domain.domain, 'sublimesecurity.com') <= 2
  )
  and sender.email.domain.root_domain not in (
    'sublimesecurity.com',
    'luma-mail.com',
    'modernloop.io',
    'tabsplatform.com'
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
id: "949484ed-c774-5f53-b91f-cd02ee6104f9"
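To show how the three clauses of the rule combine (executive or brand display name, or a domain within Levenshtein distance 2 of sublimesecurity.com; not one of the allowed root domains; high-trust domains only when DMARC fails), here is an added Python re-implementation run over constructed sample messages. It is example code, not Sublime's own engine or MQL: the message dictionary fields, the simplified two-label root_domain helper, and the stand-in contents of the high-trust list are assumptions for illustration.

```python
"""Added example: the detection logic of the rule above, re-implemented in
plain Python and exercised against constructed sample messages. This is not
Sublime Security's code; the message fields, the simplified root-domain
helper and the high-trust list contents are assumptions."""

# Display names the rule treats as impersonation targets (in~ is case-insensitive).
IMPERSONATED_NAMES = {"sublime security", "josh kamdjou", "joshua kamdjou", "ian thiel"}

# Root domains the rule explicitly allows to use those names.
ALLOWED_ROOT_DOMAINS = {"sublimesecurity.com", "luma-mail.com", "modernloop.io", "tabsplatform.com"}

# Constructed stand-in for $high_trust_sender_root_domains (assumption).
HIGH_TRUST_ROOT_DOMAINS = {"google.com", "microsoft.com"}

TARGET_DOMAIN = "sublimesecurity.com"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) via a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance, mirroring strings.ilevenshtein."""
    return levenshtein(a.lower(), b.lower())


def root_domain(domain: str) -> str:
    """Simplified root-domain extraction: the last two labels.
    Assumption: the real engine is public-suffix aware (e.g. co.uk); this is not."""
    labels = domain.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def matches_rule(msg: dict) -> bool:
    """Return True when a message satisfies every clause of the rule."""
    if not msg["inbound"]:
        return False
    display_name = msg["display_name"].lower()
    domain = msg["sender_domain"]
    root = root_domain(domain)

    # Clause 1: impersonated display name OR lookalike sender domain.
    if not (display_name in IMPERSONATED_NAMES or ilevenshtein(domain, TARGET_DOMAIN) <= 2):
        return False
    # Clause 2: the legitimate root domains are excluded.
    if root in ALLOWED_ROOT_DOMAINS:
        return False
    # Clause 3: high-trust root domains are excluded unless DMARC failed.
    if root in HIGH_TRUST_ROOT_DOMAINS and msg["dmarc_pass"]:
        return False
    return True


# Constructed sample messages (not real traffic).
SAMPLES = [
    ("exec name from free mail", dict(inbound=True, display_name="Josh Kamdjou",
                                     sender_domain="gmail.com", dmarc_pass=True)),
    ("exec name from real domain", dict(inbound=True, display_name="Josh Kamdjou",
                                       sender_domain="sublimesecurity.com", dmarc_pass=True)),
    ("lookalike domain, neutral name", dict(inbound=True, display_name="Accounts Payable",
                                           sender_domain="sublimesecurlty.com", dmarc_pass=False)),
    ("high-trust domain, DMARC pass", dict(inbound=True, display_name="Ian Thiel",
                                          sender_domain="google.com", dmarc_pass=True)),
    ("high-trust domain, DMARC fail", dict(inbound=True, display_name="Ian Thiel",
                                          sender_domain="google.com", dmarc_pass=False)),
    ("outbound message", dict(inbound=False, display_name="Sublime Security",
                              sender_domain="gmail.com", dmarc_pass=False)),
]


def evaluate_samples() -> dict:
    """Map each sample label to the rule verdict."""
    return {label: matches_rule(msg) for label, msg in SAMPLES}


if __name__ == "__main__":
    for label, verdict in evaluate_samples().items():
        print(f"{'MATCH  ' if verdict else 'no hit '} {label}")
```

The DMARC clause is the part worth noting when tuning: a spoofed mail claiming to come from a high-trust provider is still flagged when authentication fails, while a genuine mail from that provider bearing an executive's name is left alone.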