I’m extremely excited to announce that @sublime_sec has raised a $20M Series A led by @indexventures with participation from @DAlperovitch. I wrote about our journey from black box to open platform, and where we're headed:
We've open sourced the lists we maintain and use primarily for phishing defense.
Includes:
- free email providers
- free subdomain hosts
- url shorteners
- suspicious content
- many more
Contributions welcome.
Defenders know their environments better than anyone, but they haven't been able to truly capitalize on that knowledge in email — until today.
Sublime Platform is now generally available. Deploy in minutes using Docker, for free.
We've observed an increase in attackers abusing legitimate, high reputation services such as DocuSign to deliver callback phishing attacks. These are actual messages from DocuSign, and pass SPF/DKIM/DMARC.
In the past, we've observed this via PayPal Invoice abuse and others.
Sublime has observed an increase in QR code credential phishing attacks over the past several weeks.
We've enabled a new scanner to decode QR codes embedded in message bodies or attachments, and pushed new coverage to prevent these attacks:
It's been a busy week for QR code phishing, so @samkscholten put together a deep dive on how Sublime detects and decodes these email attacks with our open source rules:
Announcing Whois enrichments: You can now block email messages from newly registered domains.
Whois is available as a new MQL function, beta.whois(), so you can enrich any domain in the message including the sender, link domains, or domains found in attachments.
We're excited to launch Attack Surface Reduction for email.
On endpoints, app allowlisting leaves attackers with fewer ways to perform attacks. On networks, Secure Web Gateways can block outbound requests to new domains.
Now, you can do the same in Microsoft 365 & Google 🧵
New blog: @filar shares how Sublime uses Siamese Neural Networks, Object Detection, and other signals within MQL to identify credential phishing attacks.
You can now use MQL to detect HTML Smuggling attacks delivered via email body links.
Detect+block+hunt for these techniques, recently observed to deliver Qakbot and other malware:
- URL->Encrypted zip->ISO
- URL->Zip->ISO->LNK
- URL->Zip->IMG->VBS
- and more
How it works:
We’re very excited to finally write about @emailrepio, a free API we released for querying email reputation. It’s been invaluable for #phishing defense and now supports reporting of malicious senders from trusted researchers and organizations.
We're excited to launch Sublime Thoughts: our new Blog.
Our first post features @rw_access introducing the magic behind Sublime: Message Query Language (MQL), the first universal DSL purpose-built for preventing email attacks, threat hunting, and more.
Join our next Email Detection Engineering Workshop Sept 13! Get insights from @jkamdjou & @ajpc500 on the latest email threats and hunt for them in a lab environment. Register here:
We've released a new detection for an ongoing Pikabot campaign:
This covers both behavioral detection of the delivery technique (Plaintext URL -> Archive -> JS) as well as IOCs in @abuse_ch URLhaus + MalwareBazaar.
h/t @affje0x65 @k3dg3 @samkscholten
Today we released public Rule pages for all Rules in the Sublime Core Feed! These pages make it easier to share Sublime Rules with your favorite security peers or team members.
Sublime has observed credential phishing actors leveraging legitimate Dropbox infrastructure to deliver malicious links.
In this sample, the actors also leverage a known callback phishing technique - Geek Squad impersonation (via a lookalike "GeekSupport" to avoid detection) -…
We've observed an uptick in QR Code phishing attacks that impersonate a DocuSign message. The recipient's brand logo (blurred at the top of the message) is leveraged to bolster legitimacy.
Scanning the QR Code takes users to a Microsoft credential phishing page.
h/t…
Excited to share that Founder/CEO @jkamdjou and @ajpc500, Co-Founder of @delivr_to, will lead a @defcon workshop on email detection engineering & threat hunting!
Get insights on how to defend against the latest techniques used to deliver QakBot/Emotet, BEC, HTML smuggling, +
🚨Emotet Awakens🚨 As of 1200UTC Ivan finally got E4 to send spam. We are seeing Red Dawn templates that are very large coming in at over 500MB. Currently seeing a decent flow of spam. Septet of payload URLs and ugly macros. Sample: 1/3
A teaser wouldn’t be a teaser if we showed the entire thing right? Follow @jkamdjou and @ianthiel during #DEFCON31 to find out where they’ll be to say hello and snag this year’s exclusive swag! 🧝♂️❤️🔥✉️
Announcing job scam detection using our Natural Language Understanding (NLU) model.
Our NLU model now supports a new intent classification, job scam, to detect messages that contain money-laundering, identity theft, or pay-to-work scams.
New Feed Rule:
We're excited to share Sublime now supports integration w/ Microsoft 365 tenants running in GCC and GCC High, Microsoft’s cloud platform for cleared personnel and orgs supporting the Dept of Defense.
New @tines_hq / @Anomali / @sublime_sec story just dropped.
Collect data on threat actors from Anomali ThreatStream and block observables in mail flow using Sublime:
New blog from @filar: What makes BEC attacks hard to identify, and how Natural Language Understanding (NLU) + Message Query Language (MQL) can detect and prevent these threats at scale.
Callback Phishing may seem like a low-level nuisance, but its impact can be quite devastating. We wrote about that here and documented our interactions with a scammer:
New detection rule live from @samkscholten for this recent Qakbot technique: Attachment archive with WSF file
Deploy this now to block, or Hunt. For free.
Check out our latest @tines_hq story! Analysts alert users about their phishing reports via @sublime_sec, ensuring crucial feedback is provided. Stay posted for more! 👇
Join us for the next detection workshop in two weeks! @jkamdjou and @ajpc500 will take you through the latest QR code and callback phishing attacks + how to hunt for them in a lab environment. Register here:
See you at RSAC 2024 in two weeks!
Catch up with us on all things email security at:
- booth 6184 in the North Expo
- a jam session with @jkamdjou and @ianthiel
- happy hour w/ our friends @limacharlieio and @runpanther
Full details here:
The Sublime Team is headed to London next week! 🎡
See you at @BSidesLondon on 9th Dec for @jkamdjou’s talk on the latest social engineering techniques like QR code phishing and HTML smuggling:
The latest from @samkscholten: Detecting recent QakBot initial access methods, including WSF and OneNote attachments, and generic attack surface reduction techniques.
Announcing dynamic system lists.
Sublime rules can now leverage basic historical context to answer questions like:
- Has this sender's email address or domain ever contacted my organization before?
- Has anyone in my organization contacted this sender's email or domain before?
Sublime Core & Enterprise users: next time you access the flagged messages alert queue, you’ll see an updated interface to expedite your triage actions and investigation workflow.
We’ve seen these @sublime_sec quite a bit - they’re abusing a legit PayPal service/API so it’s actually coming from them and passing SPF/DMARC. A generic greeting without the user’s name is one of the dead giveaways.
Join us Oct 24 & 26 at our next Email Detection Engineering Workshop! @jkamdjou and @ajpc500 will take you through timely attack types and techniques like QR code phishing, HTML smuggling via links, and more while you hunt for them in a lab environment:
Our DEF CON 31 workshop may be full, but there are some spots still available @BSidesLV on Aug 9. Come hunt for various email attack types in a lab environment w/ @jkamdjou and @ajpc500!
Announcing historical message ingestion.
Sublime now supports rapid ingestion of historical messages, making up to 30 days of message history available for immediate analysis and threat hunting and up to one year of historical context.
More here:
We released a new Natural Language Understanding (NLU) tag for advance fee fraud to identify BEC attacks requesting upfront payment in advance of receiving proceeds, money, stock, donations, and more. See how it works in this new Rule:
[New @tines_io Story] Use threat intelligence from @RecordedFuture to automatically create detection rules in @sublime_sec and alert on new email attacks.
Extend the story to automate blocking and retroactively hunt for new threat actor indicators:
Announcing arbitrary Webhook actions.
Write a rule to flag any type of behavior in your email environment, set it active on any or all of the mailboxes in your domain, and trigger a webhook notification to an arbitrary HTTP(S) endpoint.
Available to all free Platform users now.
We’re tracking a rampant phishing attack that uses DGA domains, free email services, and even compromised email accounts to send massive numbers of phishing emails. These emails are linked by open redirector URLs that begin with a distinct pattern: hxxps://t[.]domain[.]tld/r/?
Sublime now offers an AWS CloudFormation template for self-managed deployment to Stockholm (eu-north-1), Canada (ca-central-1), Sydney (ap-southeast-2), and Zurich (eu-central-2)!
Sublime is observing callback phishing campaigns leveraging tax-themed lures.
These campaigns highlight how attackers continue to use seasonal and timely themes to trick unsuspecting users as the US tax deadline is only a week away.
h/t @samkscholten
Excited that my @BSidesLV talk has been accepted! I will be introducing BabbelPhish, our upcoming open source framework for text-to-code generation. I'll also show how @sublime_sec uses LLMs to make it easier for detection engineers to grasp our DSL.
Sublime Enterprise users can now create a custom in-message warning banner to share org-specific content like security team contact info, how to report suspicious messages, and more.
Examples:
- Send HTML or Zip attachments from external domains to your SOAR, run them in @virustotal or @joe4security
- Send links hosted on a free subdomain (like azurewebsites[.]net) to your SOAR and run them in @urlscanio to detect credential phishing
Historically, it's been hard to do ASR in email for a few reasons:
- Black boxes offer little customization or control
- Users need to express complex behavior with minimal FPs
- With the migration to Cloud email, there's even less control than a traditional mail filter
Finally, here's another rule to detect URL -> {Archives} -> LNK, JS, or VBA file delivery. Since the initial file download is passed to binexplode(), this means LNKs can be detected several layers deep within archives.
Rule source:
If you're attending RSA next week: @filar will give a talk at our booth on Tues & Wed at 10:45am. Learn how explainable, transparent machine learning provides much-needed confidence and context in your triage workflow.
Here's a sample ASR Rule to detect inbound messages from newly registered sender domains that you’ve never spoken to before:
type.inbound
and beta.whois(sender.email.domain).days_old < 30
and not profile.by_sender().solicited
Here's a simple detection rule to reduce attack surface from CVE-2021-40444 by alerting on .docx, .rtf, and .pptx attachments *from first-time senders*:
type.inbound
and any(attachments, .file_type in ('docx', 'pptx', 'rtf'))
and sender.email.email not in $sender_emails
All Core Feed Rules are available including recently created Rules like “QR Code with suspicious indicators” and “Microsoft Brand Impersonation (QR Code)":
As usual, you can also detect HTML smuggling via attachments directly with binexplode(), like double Base64-encoded zip files in HTML attachments (observed to deliver Qbot, h/t @ajpc500 @pr0xylife):
Rule:
BinExplode docs:
ASR Rules are supported in all versions of @sublime_sec, so you can run this completely for free and host it on your own network, or use a Managed instance.
Get started here with Core (Free) or Enterprise:
In a rule written and shared by @ajpc500 for a known Qbot technique, he detects both the html smuggled payload and Adobe brand impersonation using computer vision.
Payload + technique reference (h/t ):
Rule:
@BSidesNYC welcomes @sublime_sec as a gold sponsor for our conference on April 22, 2023. @sublime_sec alleviates the pain of traditional black box email gateways with detection-as-code and community collaboration.
Attack Surface Reduction, or ASR, is all about mitigating the ways an attacker can conduct a successful attack.
If a certain behavior is not normal for your environment, you can block it by default and make exceptions when necessary for legitimate behavior.
Another one by @ajpc500, used to detect URL->Encrypted Zip->ISO payloads, also recently observed to deliver Qakbot.
Rule source:
Delivrto reference:
h/t @pr0xylife for the original research:
When an ASR Rule flags, you’ll see an alert in a new view called "Attack Surface Reduction."
Similar to Detection and Triage Rules, you can run this in alert-only mode or configure actions to run: Quarantine, Trash, Warning Banner, Webhook, Slack Alert, etc.
@sublime_sec addresses these challenges in a few ways:
- Full control + transparency with Message Query Language (MQL). Alert only, or auto-remediate
- MQL can describe complex behavior, and threat hunting lets you verify efficacy
- Native integration w/ Google & Microsoft APIs
We’ve observed a new uptick in Microsoft QR Code + DocuSign phishing this morning. Decoded QR code leads to a Microsoft credential phishing page. The technique enables highly sus links like .ru and DNGs to land, which traditionally would likely be sent straight to spam by…
We’d love your input: how can we make these public Rule pages better? Are there other public pages you’d like to see from Sublime? Share in the thread below ⤵️
I am *begging* y'all, deploy a free @sublime_sec instance to effectively block QR code attacks without impacting legit traffic. You can literally be up and running in production in minutes/hours, and you can self-host it.
🧵on our QR code detections + Platform setup
Use cases:
- Send flagged message events to your SOAR to trigger workflows, like analyzing attachments for malware
- Send flagged message events to your SIEM for analytics or correlation
- Trigger an AWS Lambda
The linkanalysis() MQL function now returns a list of files_downloaded, which can be passed to binexplode() for further analysis. The service uses a headless chrome browser to render the page’s DOM and return any smuggled files.
Docs:
These campaigns are legitimately from dropbox[.]com and pass sender authentication. The content of the attack is delivered via the comment section of the file share.
We've pushed targeted detection coverage here:
h/t @samkscholten
Previously, Qakbot's unique delivery methods like the PDF > ZIP > WSF technique required a multi-layered approach for detection, as seen in this Sublime Rule:
For example: analyze the intent of the OCR'd content of a PDF file, inside a zip attachment, from a freemail sender your organization has never communicated with.
NLU function docs:
Sublime Rule Feeds enable you to quickly operationalize new detection rules for emerging threats from others in the community.
More info on how to add new Feeds like the @delivr_to Feed here (it only takes a couple clicks!):
Given SVGs are a permitted attachment type in O365, and can be opened natively by browsers, they present a prime candidate for abuse⚠️
We've added a new @sublime_sec rule to our detections repo to detect SVGs with script blocks in them:
🧵4/5
Sublime puts email security directly into the hands of your security teams, enabling proactive defense against email threats through Detection-as-Code and behavioral AI functionalities.
Join @_bromiley (Lead Solutions Engineer at LimaCharlie) and @jkamdjou (Founder & CEO of…
You'll be guided through the rule creation process, utilizing Sublime and YARA, while dissecting faithfully reproduced malware in @delivr_to's payload collection.