Sublime Security

Sublime documentation

Welcome to the Sublime Security developer hub. You'll find comprehensive guides and documentation to help you start working with Sublime Security as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    


Welcome to Sublime


Early access

The Sublime Platform is currently only available to early access users. You can request early access here.


The Sublime Platform lets security and IT teams run custom rules on live email flow in Microsoft 365 (fka Office 365) and Google Workspace (fka G Suite) environments. IMAP and APIs for direct ingestion are also supported.

Use the Sublime Platform to:

  • catch phishing attacks and automatically remediate before users report them
  • catch and block attacks that you're receiving right now but can't do anything about

You can see more details about the Sublime Platform on the Versions page.

Coming soon

  • Hunt and backtesting
  • Custom actions
  • Custom enrichments
  • Custom attachment analysis
  • Social graph
  • Client-side controls (warning banners)
  • Link analysis

At its core, Sublime is a rules engine that takes in arbitrary input (like an email message from Office 365 or a reported phish), evaluates it using a powerful query language, and then takes any number of actions. Below is an example of a simple rule:

name: "File sharing link with BEC subject"
type: "rule"
severity: "medium"
source: |
  and any(body.links, .href_url.domain.domain in $free_file_hosts)
  and iregex_search(subject.subject, '\bw2\b', 'w2s', 'immediately', 'urgent')
  alert: smtp

Updated about a month ago


Welcome to Sublime

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.