Message types

The Sublime system categorizes the directionality of email messages using the type property in the Message Data Model (MDM).

The message type lets you construct detection rules to address different use cases in your email environment. For example:

  • Inbound for phishing
  • Outbound for DLP
  • Internal for lateral movement (east-west traffic)

Below is how each message type is defined. Message source domains are verified domains associated with your cloud email provider, i.e. Google Workspace or Office 365. Domains are synced daily.

Message Type

Description

type.inbound

The message was received from a sender outside your message source domains.

type.outbound

Messages sent by your organization to at least 1 recipient outside of your message source domains.

type.internal

Messages sent by your organization where at least 1 recipient is in your message source domains.

Messages must be authenticated by either SPF or DKIM to be treated as internal. If a message sent from an organization's message source domain does not pass either SPF or DKIM, it's treated as an inbound message.

A single message could have any of the following combinations of types:

  1. Inbound
  2. Outbound
  3. Internal
  4. Outbound and Internal (a message sent by your organization to both an external and internal recipient)