Configuring your team's abuse mailbox in Sublime allows you to remediate reported phish faster and automate the busywork of abuse mailboxes, including retrieving the original message reported by the user and taking action like trashing messages from real attacks. Sublime automatically groups messages in the same attack, so you can quickly remediate all messages in an attack based on a single user report.
For clarity, throughout this documentation we call the suspected malicious message forwarded by the user the reported message and the message the abuse mailbox receives when a user forwards the reported message the user forward, which contains the reported message in the body.
Your abuse mailbox can be an actual user mailbox or a mailing list, such as as a Microsoft 365 contact group (also known as a "distribution list") or a Google Group.
If you use a mailing list as your abuse mailbox, you must have an active mailbox subscribed to the mailing list such that it receives every message sent to the mailing list. Sublime will fetch messages sent to the abuse address from the subscribed mailbox.
To configure your abuse mailbox, go to Admin > Account in the Sublime interface, enter your abuse mailbox address in the Abuse mailbox section, and click Save.
When Sublime processes a user forward sent to the abuse mailbox, it fetches the reported message by extracting the
In-Reply-To header from the user forward and using that identifier to look up the reported message.
In most cases, Sublime will store the user forward, including its MDM, so that it can be searched for and inspected, but Sublime will not run any rules on the user forward, both so that you don't end up with additional flagged messages that are redundant with the reported message and so that the user forward is not modified or removed from either the abuse mailbox or subscribers' mailboxes (typically members of the security team), which can interfere with investigations.
The exception, however, is when an external sender sends a message to the abuse mailbox. Sublime will still run rules on such messages to ensure attackers can't bypass Sublime rules by including the abuse mailbox as a recipient.
To view user reports in the Sublime interface, go to Messages > User Reported. This message list view will show all unreviewed reported message groups, regardless of whether the messages were flagged by any rules. You can modify any message filters from this view.
Updated 5 months ago