Add your abuse mailbox


Configuring your team's abuse mailbox in Sublime allows you to remediate reported phish faster and automate the busywork of abuse mailboxes, including retrieving the original message reported by the user and taking action like trashing messages from real attacks. Sublime automatically groups messages in the same attack, so you can quickly remediate all messages in an attack based on a single user report.


For clarity, throughout this documentation we call the suspected malicious message forwarded by the user the "reported message". We call the message the abuse mailbox receives when a user sends the reported message the "reporting message"; it contains the reported message in the body or as an attachment.


Your abuse mailbox can be an actual user mailbox or a mailing list, such as a Microsoft 365 contact group (also known as a "distribution list") or a Google Group.

If you use a mailing list as your abuse mailbox, you must have an active mailbox subscribed to the mailing list such that it receives every message sent to the mailing list. Sublime will fetch messages sent to the abuse address from the subscribed mailbox.

To configure your abuse mailbox, go to Admin > Account in the Sublime interface, enter your abuse mailbox address in the Abuse mailbox section, and click Save.

How Sublime processes abuse mailbox messages

When Sublime processes a reporting message sent to the abuse mailbox, it fetches the reported message in one of two ways:

  1. Sublime extracts the In-Reply-To header from the reporting message and uses that identifier to look up the reported message.
  2. If the reporting message does not include an In-Reply-To header (usually meaning it wasn't sent using an email client's forwarding feature), or if Sublime cannot find a message matching the In-Reply-To header, Sublime looks for one or more attachments to the reporting message with an .eml extension and uses the Message-ID header of each such attachment to look up the reported message or messages.
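
The lookup order described above, as an added example that is not Sublime's own code. The `STORE` set is a hypothetical stand-in for the mailbox lookup, and `reported_ids`, `sample_report`, and every address and Message-ID are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def reported_ids(reporting_raw, store):
    """Resolve a reporting message to the Message-IDs found in `store`
    (a hypothetical set standing in for the real message lookup)."""
    msg = message_from_bytes(reporting_raw, policy=policy.default)
    # Step 1: In-Reply-To, normally set when the user forwards from a mail client.
    irt = str(msg.get("In-Reply-To", "")).strip()
    if irt in store:
        return [irt]
    # Step 2: header absent or unmatched, so fall back to .eml attachments.
    found = []
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith(".eml"):
            continue
        inner = part.get_content()  # str, bytes, or a message (message/rfc822)
        if isinstance(inner, str):
            inner = inner.encode("utf-8", "replace")
        if isinstance(inner, bytes):
            inner = message_from_bytes(inner, policy=policy.default)
        mid = str(inner.get("Message-ID", "")).strip()
        if mid in store and mid not in found:
            found.append(mid)
    return found


def sample_report(in_reply_to=None, attached_id=None, filename="reported.eml"):
    """Build a constructed reporting message (sample input, not real mail)."""
    report = EmailMessage()
    report["From"] = "user@example.com"
    report["To"] = "abuse@example.com"
    if in_reply_to:
        report["In-Reply-To"] = in_reply_to
    report.set_content("This looks like phishing.")
    if attached_id:
        original = EmailMessage()
        original["Message-ID"] = attached_id
        original.set_content("Pay now.")
        report.add_attachment(original.as_bytes(), maintype="application",
                              subtype="octet-stream", filename=filename)
    return report.as_bytes()


STORE = {"<a1@mail.example>", "<b2@mail.example>"}  # constructed Message-IDs
if __name__ == "__main__":
    print(reported_ids(sample_report(in_reply_to="<a1@mail.example>"), STORE))
    print(reported_ids(sample_report(attached_id="<b2@mail.example>"), STORE))
```

A report that carries an unmatched In-Reply-To header and an .eml attachment resolves through the attachment, and an attachment without the .eml extension is ignored.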

Processing of the reporting message

In most cases, Sublime will store the reporting message, including its MDM, so that it can be searched for and inspected, but it will not run any rules on the reporting message. This avoids additional flagged messages that are redundant with the reported message, and it ensures the reporting message is not modified or removed from either the abuse mailbox or subscribers' mailboxes (typically members of the security team), which can interfere with investigations.


The exception, however, is when an external sender sends a message to the abuse mailbox. Sublime will still run rules on such messages to ensure attackers can't bypass Sublime rules by including the abuse mailbox as a recipient.

Viewing user reports

To view user reports in the Sublime interface, go to Messages > User Reported. This message list view will show all unreviewed reported message groups, regardless of whether the messages were flagged by any rules. You can modify any message filters from this view.

