Introduction

The Sublime Platform lets security and IT teams run custom detection rules on live email flow in Microsoft 365 and Google Workspace environments. IMAP and APIs for direct ingestion are also supported.

Use the Sublime Platform to:

  • block email attacks such as phishing, BEC, and malware
  • threat hunt
  • auto-triage user reports with phishing herd immunity and Triage rules

At its core, Sublime is a rules engine that ingests email messages from arbitrary sources, evaluates them using a powerful query language, and then takes any number of actions like generating a webhook notification or inserting a warning banner. Below is an example of a simple rule:

name: HTML smuggling via attachment
severity: high
source: |
  // inbound mail carrying an attachment whose extension is .html or .htm (case-insensitive)
  type.inbound
  and any(attachments,
          .file_extension in~ ('html', 'htm')
          // explode the file and look for a JavaScript identifier named "unescape"
          and any(file.explode(.),
                  any(.scan.javascript.identifiers, . == "unescape")
          )
  )
tags:
  - "HTML smuggling"
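As an added illustration (not code from Sublime or this page), the logic the rule above expresses, written out in plain Python over a constructed sample message: parse an .eml, pick attachments whose extension is html/htm compared case-insensitively like `in~`, collect the identifiers used inside their `<script>` blocks, and flag any that reference `unescape`. The regex tokenizer is a stand-in for Sublime's `file.explode()` and `.scan.javascript.identifiers`, which are assumed to perform a real scan.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Crude tokenizers: pull <script> bodies out of the HTML, then identifier-like tokens out
# of the scripts. Strings and comments are not excluded, so this over-matches a real parser.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
IDENT_RE = re.compile(r"[A-Za-z_$][\w$]*")

def js_identifiers(html: str) -> set:
    """Return the set of identifier-like tokens found in all <script> blocks."""
    idents = set()
    for block in SCRIPT_RE.findall(html):
        idents.update(IDENT_RE.findall(block))
    return idents

def html_attachments(msg: EmailMessage):
    """Yield (filename, html_text) for attachments whose extension is html/htm,
    compared case-insensitively like the rule's `in~` operator."""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in ("html", "htm"):
            content = part.get_content()
            if isinstance(content, bytes):
                content = content.decode("utf-8", errors="replace")
            yield name, content

def matches_html_smuggling(raw: bytes) -> list:
    """Return the names of attachments that satisfy the rule's condition."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [name for name, html in html_attachments(msg)
            if "unescape" in js_identifiers(html)]

def build_sample(filename: str, html: str) -> bytes:
    """Construct a sample inbound message (not real mail) with one HTML attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(html, subtype="html", filename=filename)
    return msg.as_bytes()

# Constructed attachments: one decodes content with unescape(), one does not.
SMUGGLING_HTML = ('<html><body><script>var p = "%3Cp%3Ehi%3C%2Fp%3E";'
                  'document.write(unescape(p));</script></body></html>')
BENIGN_HTML = '<html><body><script>document.title = "Report";</script></body></html>'
```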