Sublime Security @sublime_sec Twitter profile

Pinned Tweet

Sublime Security

17 days

Big news today! 🎉 Read more about our funding announcement and where we're headed next:

Announcing our $20M Series A to redefine email security

We’ve closed a $20M Series A investment led by Index Ventures. A reflection on how it all started, where we are today, and where we're headed.

sublime.security

Josh Kamdjou

@jkamdjou

17 days

I’m extremely excited to announce that @sublime_sec has raised a $20M Series A led by @indexventures with participation from @DAlperovitch I wrote about our journey from black box to open platform, and where we're headed:

23

37

147

2

9

34

Last Seen Profiles

@EvrydayFeminism

@esraordinaiiree

@NNovasaur

@J_BOOGIE_6

@USDwsoccer

@_GR3

@sara_lazz

@lyg90fq

@Aeropuerto_GYE

@GuNNeRAA1

@angelgfxo

@besVALORANT

@dc_lannon

@emperor_youtube

@sacred_heartps

@dalejomej

@jandakembangstw

@AhmdMhmd73713

@erumaaa_

@Al_Carlin

@Sykogeorgie

@tylerbuchner

@trfastenings

@BBK07boltscoach

@lNNeZiY7xH6VcwP

@AdemKayala94209

@FarOutFootball

@FCBRonit

@Ive_dis

@aceylaaris43867

@EMPRBoomin

@n_dbd_kuzu

@ao_yy_t

@memory_kanon

@polgara21

@Sandra137198021

Sublime Security

@sublime_sec

4 years

We've open sourced the lists we maintain and use primarily for phishing defense. Includes: - free email providers - free subdomain hosts - url shorteners - suspicious content - many more Contributions welcome.

GitHub - sublime-security/static-files: A collection of static files maintained by the Sublime...

A collection of static files maintained by the Sublime team, primarily used for phishing defense. - sublime-security/static-files

github.com

2

66

185

Sublime Security

@sublime_sec

1 year

Defenders know their environments better than anyone, but they haven't been able to truly capitalize on that knowledge in email — until today. Sublime Platform is now generally available. Deploy in minutes using Docker, for free.

Introducing Sublime: A new, open approach to email security

Sublime is the world’s first open email security platform that lets anyone write, run, and share rules in a universal domain-specific language (DSL) to block email-borne attacks, hunt for threats,...

sublime.security

1

30

80

Sublime Security

@sublime_sec

5 months

We've observed an increase in attackers abusing legitimate, high reputation services such as DocuSign to deliver callback phishing attacks. These are actual messages from DocuSign, and pass SPF/DKIM/DMARC. In the past, we've observed this via PayPal Invoice abuse and others.

3

34

79

Sublime Security

@sublime_sec

11 months

Sublime has observed an increase in QR code credential phishing attacks over the past several weeks. We've enabled a new scanner to decode QR codes embedded in message bodies or attachments, and pushed new coverage to prevent these attacks:

4

25

76

Sublime Security

@sublime_sec

7 months

It's been a busy week for QR code phishing, so @samkscholten put together a deep dive on how Sublime detects and decodes these email attacks with our open source rules:

5

14

61

Sublime Security

@sublime_sec

3 months

We've just released a rule to detect and prevent attempts to exploit the recent Outlook CVE-2024-21413: h/t @samkscholten

Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability

This rule detects messages containing links exploiting CVE-2024-21413, which can lead to RCE. Successful exploitation can bypass built-in Outlook pro...

sublime.security

1

17

53

Sublime Security

@sublime_sec

1 year

Announcing Whois enrichments: You can now block email messages from newly registered domains. Whois is available as a new MQL function, beta.whois(), so you can enrich any domain in the message including the sender, link domains, or domains found in attachments.

2

7

45

Sublime Security

@sublime_sec

5 months

We're excited to launch Attack Surface Reduction for email. On endpoints, app allowlisting leaves attackers with fewer ways to perform attacks. On networks, Secure Web Gateways can block outbound requests to new domains. Now, you can do the same in Microsoft 365 & Google 🧵

1

7

35

Sublime Security

@sublime_sec

1 year

New blog: @filar shares how Sublime uses Siamese Neural Networks, Object Detection, and other signals within MQL to identify credential phishing attacks.

Detecting Credential Phishing using Deep Learning + MQL

Learn how Sublime uses Siamese Neural Networks, Object Detection, and other signals within MQL to identify credential phishing attacks.

sublime.security

0

11

33

Sublime Security

@sublime_sec

1 year

You can now use MQL to detect HTML Smuggling attacks delivered via email body links. Detect+block+hunt for these techniques, recently observed to deliver Qakbot and other malware: - URL->Encrypted zip->ISO - URL->Zip->ISO->LNK - URL->Zip->IMG->VBS - and more How it works:

2

9

33

Sublime Security

@sublime_sec

5 years

We’re very excited to finally write about @emailrepio , a free API we released for querying email reputation. It’s been invaluable for #phishing defense and now supports reporting of malicious senders from trusted researchers and organizations.

EmailRep: Free API to query email reputation and report malicious senders

In the world of phishing defense, email reputation is an incredibly valuable, but often overlooked, piece of intelligence. While building Sublime [https://sublimesecurity.com], a detection and...

blog.sublimesecurity.com

0

24

32

Sublime Security

@sublime_sec

9 months

👋 In Chicago at #BlueTeamCon ? Come say hi to @ianthiel and @jkamdjou and grab some special edition RFC5322 swag!

0

7

31

Sublime Security

@sublime_sec

1 year

We're excited to launch Sublime Thoughts: our new Blog. Our first post features @rw_access introducing the magic behind Sublime: Message Query Language (MQL), the first universal DSL purpose-built for preventing email attacks, threat hunting, and more.

1

18

28

Sublime Security

@sublime_sec

8 months

Join our next Email Detection Engineering Workshop Sept 13! Get insights from @jkamdjou & @ajpc500 on the latest email threats and hunt for them in a lab environment. Register here:

Email Detection Engineering and Threat Hunting Workshop

Join us for our next hands-on email detection engineering workshop in a labs environment utilizing Sublime platform and YARA with reproduced malware in delivr.to's payload collection.

sublime.security

3

11

29

Sublime Security

@sublime_sec

9 months

almost time 👀

8

1

27

Sublime Security

@sublime_sec

5 months

We've released a new detection for an ongoing Pikabot campaign: This covers both behavioral detection of the delivery technique (Plaintext URL -> Archive -> JS) as well as IOCs in @abuse_ch URLhaus + MalwareBazaar h/t @affje0x65 @k3dg3 @samkscholten

Malware: Pikabot delivery via URL auto-download

This rule detects URLs matching a known Pikabot pattern where the linked domain has been reported to URLhaus, or the link downloads an archive contain...

sublime.security

0

8

24

Sublime Security

@sublime_sec

7 months

Today we released public Rule pages for all Rules in the Sublime Core Feed! These pages make it easier to share Sublime Rules with your favorite security peers or team members.

1

11

24

Sublime Security

@sublime_sec

4 months

Sublime has observed credential phishing actors leveraging legitimate Dropbox infrastructure to deliver malicious links. In this sample, the actors also leverage a known callback phishing technique - Geek Squad impersonation (via a lookalike "GeekSupport" to avoid detection) -…

1

8

21

Sublime Security

@sublime_sec

6 months

We've observed an uptick in QR Code phishing attacks that impersonate a DocuSign message. The recipient's brand logo (blurred at the top of the message) is leveraged to bolster legitimacy. Scanning the QR Code takes users to a Microsoft credential phishing page. h/t…

1

11

20

Sublime Security

@sublime_sec

10 months

Excited to share that Founder/CEO @jkamdjou and @ajpc500 , Co-Founder of @delivr_to , will lead a @defcon workshop on email detection engineering & threat hunting! Get insights on how to defend against the latest techniques used to deliver QakBot/Emotet, BEC, HTML smuggling, +

1

11

20

Sublime Security

@sublime_sec

1 year

We've pushed a new detection/hunt rule live for this technique delivering Emotet, shoutout @samkscholten and @Cryptolaemus1 :

Cryptolaemus

@Cryptolaemus1

1 year

🚨Emotet Awakens🚨 As of 1200UTC Ivan finally got E4 to send spam. We are seeing Red Dawn templates that are very large coming in at over 500MB. Currently seeing a decent flow of spam. Septet of payload URLs and ugly macros. Sample: 1/3

2

110

201

1

9

19

Sublime Security

@sublime_sec

9 months

A teaser wouldn’t be a teaser if we showed the entire thing right? Follow @jkamdjou and @ianthiel during #DEFCON31 to find out where they’ll be to say hello and snag this year’s exclusive swag! 🧝‍♂️❤️‍🔥✉️

3

2

18

Sublime Security

@sublime_sec

1 year

Announcing job scam detection using our Natural Language Understanding (NLU) model. Our NLU model now supports a new intent classification, job scam, to detect messages that contain money-laundering, identity theft, or pay-to-work scams. New Feed Rule:

3

6

18

Sublime Security

@sublime_sec

7 months

We're excited to share Sublime now supports integration w/ Microsoft 365 tenants running in GCC and GCC High, Microsoft’s cloud platform for cleared personnel and orgs supporting the Dept of Defense.

1

2

17

Sublime Security

@sublime_sec

5 years

A look at how red teams and attackers craft an end-to-end spear phishing campaign, from start to initial access, from @jkamdjou #sublime #infosec #redteam #phishing

Red Team Techniques: Gaining access on an external engagement through spear-phishing

There have been a lot of posts about crafting red team phishing campaigns, and most are incomplete. Today, we're going to walk through one of our recent external engagements from start to initial...

blog.sublimesecurity.com

1

6

16

Sublime Security

@sublime_sec

2 months

New @tines_hq / @Anomali / @sublime_sec story just dropped. Collect data on threat actors from Anomali ThreatStream and block observables in mail flow using Sublime:

1

4

15

Sublime Security

@sublime_sec

1 month

Gotta Catch 'Em All: Detecting PikaBot Email Delivery Techniques. New writeup from @samkscholten :

Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques

This post will cover a brief background of PikaBot, and focus primarily on recently observed attack techniques and email detection methods.

sublime.security

0

6

16

Sublime Security

@sublime_sec

1 year

New blog from @filar : What makes BEC attacks hard to identify, and how Natural Language Understanding (NLU) + Message Query Language (MQL) can detect and prevent these threats at scale.

1

7

15

Sublime Security

@sublime_sec

5 months

Callback Phishing may seem like a low-level nuisance, but its impact can be quite devastating. We wrote about that here and documented our interactions with a scammer:

Call Me Maybe? The Rise of Callback Phishing Emails

Learn how callback phishing poses unique detection challenges and how Computer Vision techniques like Optical Character Recognition and Logo Detection can help guard against these advanced social...

sublime.security

Sublime Security

@sublime_sec

5 months

We've observed an increase in attackers abusing legitimate, high reputation services such as DocuSign to deliver callback phishing attacks. These are actual messages from DocuSign, and pass SPF/DKIM/DMARC. In the past, we've observed this via PayPal Invoice abuse and others.

3

34

79

0

5

14

Sublime Security

@sublime_sec

1 year

New detection rule live from @samkscholten for this recent Qakbot technique: Attachment archive with WSF file Deploy this now to block, or Hunt. For free.

proxylife

@pr0xylife

1 year

#Qakbot - azd - .zip > .wsf > (decoy .pdf) > .dll WScript.exe Adobe Cloud Certificate 133337.wsf rundll32.exe C:\ProgramData\Z6x9E9.SmcisaK,Wind Samples 👇 IOC's

3

34

122

0

4

12

Sublime Security

@sublime_sec

2 months

Sublime 🤝 Tines

Tines Labs

@tines_labs

2 months

Check out our latest @tines_hq story! Analysts alert users about their phishing reports via @sublime_sec , ensuring crucial feedback is provided. Stay posted for more! 👇

1

3

9

0

5

12

Sublime Security

@sublime_sec

4 months

Join us for the next detection workshop in two weeks! @jkamdjou and @ajpc500 will take you through the latest QR code and callback phishing attacks + how to hunt for them in a lab environment. Register here:

0

3

12

Sublime Security

@sublime_sec

10 months

Come check out our integration w/ @securityonion at the @BlackHatEvents 2023 Arsenal on Aug 9 at 10am PT!

Josh Kamdjou

@jkamdjou

10 months

. @securityonion <> @sublime_sec 🤝😤

4

28

1

7

12

Sublime Security

@sublime_sec

18 days

See you at RSAC 2024 in two weeks! Catch up with us on all things email security at: - booth 6184 in the North Expo - a jam session with @jkamdjou and @ianthiel - happy hour w/ our friends @limacharlieio and @runpanther Full details here:

0

4

12

Sublime Security

@sublime_sec

5 months

The Sublime Team is headed to London next week! 🎡 See you at @BSidesLondon on 9th Dec for @jkamdjou ’s talk on the latest social engineering techniques like QR code phishing and HTML smuggling:

1

3

12

Sublime Security

@sublime_sec

1 year

The latest from @samkscholten : Detecting recent QakBot initial access methods, including WSF and OneNote attachments, and generic attack surface reduction techniques.

Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction

This post will cover a brief timeline of QakBot’s evolution, and focus primarily on recently observed attack techniques. We’ll discuss detection methodologies and share MQL rules that anyone can use...

sublime.security

1

8

12

Sublime Security

@sublime_sec

3 years

Announcing dynamic system lists. Sublime rules can now leverage basic historical context to answer questions like: - Has this sender's email address or domain ever contacted my organization before? - Has anyone in my organization contacted this sender's email or domain before?

1

2

11

Sublime Security

@sublime_sec

5 months

The sender's display name is also impersonated, and the attacker has control over the subject.

1

10

Sublime Security

@sublime_sec

8 months

ICYMI listen to @jkamdjou and @riskybusiness discuss all things email security and threats, advances in email detection engineering, ML/NLU, and more:

0

3

11

Sublime Security

@sublime_sec

3 months

Sublime Core & Enterprise users: next time you access the flagged messages alert queue, you’ll see an updated interface to expedite your triage actions and investigation workflow.

1

4

11

Sublime Security

@sublime_sec

5 months

PayPal invoicing abuse earlier this year:

Josh Kamdjou

@jkamdjou

1 year

We’ve seen these @sublime_sec quite a bit - they’re abusing a legit PayPal service/API so it’s actually coming from them and passing SPF/DMARC. A generic greeting without the user’s name is one of the dead giveaways

1

16

0

3

10

Sublime Security

@sublime_sec

7 months

Join us Oct 24 & 26 at our next Email Detection Engineering Workshop! @jkamdjou and @ajpc500 will take you through timely attack types and techniques like QR code phishing, HTML smuggling via links, and more while you hunt for them in a lab environment:

2

6

11

Sublime Security

@sublime_sec

3 years

New detection rule now live: name: "Malformed URL Prefix" source: | any(body.links, iregex_search(.href_url.url, ':/\\')) references: - Rule file:

Malformed URL Prefix Phishing Attacks Spike 6,000%

Sneaky attackers are flipping backslashes in phishing email URLs to evade protections, researchers said.

threatpost.com

0

2

10

Sublime Security

@sublime_sec

9 months

Our DEF CON 31 workshop may be full, but there are some spots still available @BSidesLV on Aug 9. Come hunt for various email attack types in a lab environment w/ @jkamdjou and @ajpc500 !

2

7

10

Sublime Security

@sublime_sec

1 year

Our blog has an RSS feed now:

2

1

10

Sublime Security

@sublime_sec

5 months

We pushed coverage for this technique when we initially saw it back in October:

Callback Phishing via DocuSign comment

This rule inspects messages originating from legitimate DocuSign infrastructure, with a DocuSign logo that match Callback Phishing criteria, in the bo...

sublime.security

1

2

10

Sublime Security

@sublime_sec

9 months

Cheers to a great threat takedown 🦆🔫 and all involved in “Disrupting the Duck”:

FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cyber Takedown | Federal Bureau of...

The FBI and the Justice Department announced a multinational operation to disrupt and dismantle the malware and botnet known as Qakbot.

www.fbi.gov

3

2

10

Sublime Security

@sublime_sec

1 year

Announcing historical message ingestion. Sublime now supports rapid ingestion of historical messages, making up to 30 days of message history available for immediate analysis and threat hunting and up to one year of historical context. More here:

0

3

9

Sublime Security

@sublime_sec

6 months

We released a new Natural Language Understanding (NLU) tag for advance fee fraud to identify BEC attacks requesting upfront payment in advance of receiving proceeds, money, stock, donations, and more. See how it works in this new Rule:

2

4

9

Sublime Security

@sublime_sec

11 months

[New @tines_io Story] Use threat intelligence from @RecordedFuture to automatically create detection rules in @sublime_sec and alert on new email attacks. Extend the story to automate blocking and retroactively hunt for new threat actor indicators:

Create Sublime Security rules using Recorded Future threat intel | Library | Tines

Use threat intelligence from Recorded Future to create detection rules in Sublime Security Get threat intelligence information from Recorded Future and create detection rules within Sublime Security...

www.tines.com

0

4

8

Sublime Security

@sublime_sec

3 years

@Andrew___Morris type.inbound and ilike(sender.display_name, "*Andrew Morris*")

1

0

8

Sublime Security

@sublime_sec

5 months

We're also teaming up again with @delivr_to for the IRL version of our Email Detection Engineering and Threat Hunting workshop:

Email Detection Engineering and Threat Hunting Bsides London 2023

Email remains the #1 initial access vector for commodity malware and nation state actors. Historically, tackling email-based threats has been considered the purview of black-box vendor solutions,...

pretalx.com

1

6

Sublime Security

@sublime_sec

4 years

New or updated CFPs and events: @BSidesCHA event @BSidesSATX CFP @BSidesAMS event + CFP @BSidesAVL event @BSidesAustin event + CFP @BSidesBA event @BSidesBrussels CFP @bsidesbud event @BSidesCalgary event + CFP @BsidesDoha event @BSidesHOU event @BSidesIdFalls event

0

3

8

Sublime Security

@sublime_sec

1 year

Learn about the challenges of detecting Business Email Compromise (BEC) attacks and what makes them difficult for traditional security measures to identify. We'll explore how Natural Language...

sublime.security

0

1

7

Sublime Security

@sublime_sec

3 years

Announcing arbitrary Webhook actions. Write a rule to flag any type of behavior in your email environment, set it active on any or all of the mailboxes in your domain, and trigger a webhook notification to an arbitrary HTTP(S) endpoint. Available to all free Platform users now.

2

3

7

Sublime Security

@sublime_sec

5 years

How to block spam and phishing without spending a dime. 10 years worth of awesome tips and tricks from @reidbrokeit .

Blocking Spam and Phishing on a Budget

As an IT Director one of the questions I get asked the most is: how do you cut down the amount of spoofed email and spam landing in your employee inboxes?

blog.sublimesecurity.com

0

2

7

Sublime Security

@sublime_sec

3 years

We've pushed a new rule to detect this campaign and other open redirects using a similar pattern:

Microsoft Threat Intelligence

@MsftSecIntel

3 years

We’re tracking a rampant phishing attack that uses DGA domains, free email services, and even compromised email accounts to send massive numbers of phishing emails. These emails are linked by open redirector URLs that begin with a distinct pattern: hxxps://t[.]domain[.]tld/r/?

3

223

389

0

1

7

Sublime Security

@sublime_sec

7 months

Sublime now offers an AWS CloudFormation template for self-managed deployment to Stockholm (eu-north-1), Canada (ca-central-1), Sydney (ap-southeast-2), and Zurich (eu-central-2)!

1

2

7

Sublime Security

@sublime_sec

1 month

Sublime is observing callback phishing campaigns leveraging tax-themed lures. These campaigns highlight how attackers continue to use seasonal and timely themes to trick unsuspecting users as the US tax deadline is only a week away. h/t @samkscholten

1

6

7

Sublime Security

@sublime_sec

7 months

BTW:

0

6

Sublime Security

@sublime_sec

11 months

Not us waiting for the talk date + time to get published 👀

Bobby Filar

@filar

11 months

Excited that my @BSidesLV talk has been accepted! I will be introducing BabbelPhish, our upcoming open source framework for text-to-code generation. I'll also show how @sublime_sec uses LLMs to make it easier for detection engineers to grasp our DSL.

2

6

31

0

1

5

Sublime Security

@sublime_sec

5 months

Sublime Enterprise users can now create a custom in-message warning banner to share org-specific content like security team contact info, how to report suspicious messages, and more.

2

1

6

Sublime Security

@sublime_sec

3 years

Examples: - Send HTML or Zip attachments from external domains to your SOAR, run them in @virustotal or @joe4security - Send links hosted on a free subdomain (like azurewebsites[.]net) to your SOAR and run them in @urlscanio to detect credential phishing

0

2

6

Sublime Security

@sublime_sec

5 months

Historically, it's been hard to do ASR in email for a few reasons: - Black boxes offer little customization or control - Users need to express complex behavior with minimal FPs - With the migration to Cloud email, there's even less control than a traditional mail filter

1

5

Sublime Security

@sublime_sec

1 year

Finally, here's another rule to detect URL -> {Archives} -> LNK, JS, or VBA file delivery. Since the initial file download is passed to binexplode(), this means LNKs can be detected several layers deep within archives. Rule source:

1

0

5

Sublime Security

@sublime_sec

9 days

If you're attending RSA next week: @filar will give a talk at our booth on Tues & Wed at 10:45am. Learn how explainable, transparent machine learning provides much-needed confidence and context in your triage workflow.

0

2

7

Sublime Security

@sublime_sec

7 months

Last chance to register for the workshop! See you tomorrow

Sublime Security

@sublime_sec

7 months

Join us Oct 24 & 26 at our next Email Detection Engineering Workshop! @jkamdjou and @ajpc500 will take you through timely attack types and techniques like QR code phishing, HTML smuggling via links, and more while you hunt for them in a lab environment:

2

6

11

0

2

5

Sublime Security

@sublime_sec

5 months

Here's a sample ASR Rule to detect inbound messages from newly registered sender domains that you’ve never spoken to before: type.inbound and beta.whois(sender․email.domain).days_old < 30 and not profile․by_sender().solicited

New sender domain (<=10d) from untrusted sender

Detects inbound emails where the sender domain is less than 10 days old from untrusted senders.

sublime.security

1

0

5

Sublime Security

@sublime_sec

3 years

Here's a simple detection rule to reduce attack surface from CVE-2021-40444 by alerting on .docx, .rtf, and .pptx attachments *from first-time senders*: type.inbound and any(attachments, .file_type in ('docx', 'pptx', 'rtf')) and sender[.]email[.]email not in $\sender_emails

1

2

4

Sublime Security

@sublime_sec

7 months

All Core Feed Rules are available including recently created Rules like “QR Code with suspicious indicators” and “Microsoft Brand Impersonation (QR Code)":

Brand impersonation: Microsoft (QR code)

Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to ...

sublime.security

1

0

4

Sublime Security

@sublime_sec

1 year

As usual, you can also detect HTML smuggling via attachments directly with binexplode(), like double Base64-encoded zip files in HTML attachments (observed to deliver Qbot, h/t @ajpc500 @pr0xylife ): Rule: BinExplode docs:

0

4

Sublime Security

@sublime_sec

5 months

ASR Rules are supported in all versions of @sublime_sec , so you can run this completely for free and host it on your own network, or use a Managed instance. Get started here with Core (Free) or Enterprise:

Sublime Security | Get Started

Deploy and integrate a free Sublime instance in minutes!

sublime.security

0

4

Sublime Security

@sublime_sec

5 months

Josh Kamdjou

@jkamdjou

5 months

@SwiftOnSecurity this has been popping off hard today (trend for Callback Phishing via DocuSign comment: )

0

6

0

4

Sublime Security

@sublime_sec

1 year

In a rule written and shared by @ajpc500 for a known Qbot technique, he detects both the html smuggled payload and Adobe brand impersonation using computer vision. Payload + technique reference (h/t ): Rule:

1

3

4

Sublime Security

@sublime_sec

3 months

ICYMI hear @jkamdjou discuss all things QR code phishing and detection on this week's Risky Business:

Patrick Gray

@riskybusiness

3 months

This week’s episode of Risky Business is now out, featuring @Metlstorm , @TimWattsMP and @jkamdjou

1

18

2

3

4

Sublime Security

@sublime_sec

1 year

Come hang out with us @BSidesNYC !

#BSidesNYC

@BSidesNYC

1 year

@BSidesNYC welcomes @sublime_sec as a gold sponsor for our conference on April 22, 2023. @sublime_sec alleviates the pain of traditional black box email gateways with detection-as-code and community collaboration.

0

1

0

3

4

Sublime Security

@sublime_sec

5 months

Attack Surface Reduction, or ASR, is all about mitigating the ways an attacker can conduct a successful attack. If a certain behavior is not normal for your environment, you can block it by default and make exceptions when necessary for legitimate behavior.

1

0

4

Sublime Security

@sublime_sec

1 year

Another one by @ajpc500 , used to detect URL->Encrypted Zip->ISO payloads, also recently observed to deliver Qakbot. Rule source: Delivrto reference: h/t @pr0xylife for the original research:

proxylife

@pr0xylife

1 year

#Qakbot - BB06 - url > .zip > .img > .vbs > .dll Wcript.exe C:\Users\**\AppData\Local\Temp\CV.vbs regsvr32.exe emanated\nissan.tmp Samples 👇 IOC's

3

33

87

2

1

4

Sublime Security

@sublime_sec

5 months

When an ASR Rule flags, you’ll see an alert in a new view called "Attack Surface Reduction." Similar to Detection and Triage Rules, you can run this in alert-only mode or configure actions to run: Quarantine, Trash, Warning Banner, Webhook, Slack Alert, etc.

1

0

2

Sublime Security

@sublime_sec

5 months

@sublime_sec addresses these challenges in a few ways: - Full control + transparency with Message Query Language (MQL). Alert only, or auto-remediate - MQL can describe complex behavior, and threat hunting lets you verify efficacy - Native integration w/ Google & Microsoft APIs

1

0

3

Sublime Security

@sublime_sec

7 months

@ScottMcGready we’ve been seeing *a lot* of it ITW:

Josh Kamdjou

@jkamdjou

8 months

We’ve observed a new uptick in Microsoft QR Code + DocuSign phishing this morning. Decoded QR code leads to a Microsoft credential phishing page. The technique enables highly sus links like .ru and DNGs to land, which traditionally would likely be sent straight to spam by…

3

80

185

0

3

Sublime Security

@sublime_sec

7 months

We’d love your input: how can we make these public Rule pages better? Are there other public pages you’d like to see from Sublime? Share in the thread below ⤵️

1

0

3

Sublime Security

@sublime_sec

9 months

More details on the history of Qakbot and this type of multi-layered defense from @samkscholten ’s blog post:

Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction

This post will cover a brief timeline of QakBot’s evolution, and focus primarily on recently observed attack techniques. We’ll discuss detection methodologies and share MQL rules that anyone can use...

sublime.security

0

1

3

Sublime Security

@sublime_sec

7 months

It's free to set up and will only take you minutes -

Josh Kamdjou

@jkamdjou

7 months

i am *begging* ya'll, deploy a free @sublime_sec instance to effectively block QR code attacks without impacting legit traffic. you can literally be up and running in production in minutes/hours, and you can self-host it. 🧵on our QR code detections + Platform setup

4

37

177

1

0

3

Sublime Security

@sublime_sec

4 years

We've updated the repo to include descriptions of each file:

0

3

Sublime Security

@sublime_sec

3 years

Use cases: - Send flagged message events to your SOAR to trigger workflows, like analyzing attachments for malware - Send flagged message events to your SIEM for analytics or correlation - Trigger an AWS Lambda

1

0

3

Sublime Security

@sublime_sec

5 months

To create your own ASR Rules, simply add the “Attack surface reduction” Tag to your Rule. Check out these Core Feed Rules for some inspiration:

1

0

3

Sublime Security

@sublime_sec

1 year

The linkanalysis() MQL function now returns a list of files_downloaded, which can be passed to binexplode() for further analysis. The service uses a headless chrome browser to render the page’s DOM and return any smuggled files. Docs:

1

0

3

Sublime Security

@sublime_sec

4 months

These campaigns are legitimately from dropbox[.]com and pass sender authentication. The content of the attack is delivered via the comment section of the file share. We've pushed targeted detection coverage here: h/t @samkscholten

Credential Phishing via Dropbox comment abuse

This rule detects Credential Phishing attacks exploiting familiar brands via Dropbox comments. These attacks originate from legitimate Dropbox infrast...

sublime.security

0

1

2

Sublime Security

@sublime_sec

3 months

…and more updates to make triage more efficient. We’re also rolling out an updated backtesting and Hunt triage queue soon.

1

0

2

Sublime Security

@sublime_sec

9 months

Previously, Qakbot's unique delivery methods like the PDF > ZIP > WSF technique required a multi-layered approach for detection, as seen in this Sublime Rule:

Attachment: Archive with pdf, txt and wsf files

Detects a known Qakbot delivery method, zip file with pdf, txt and wsf file at a depth of 1

sublime.security

1

0

2

Sublime Security

@sublime_sec

3 years

Or send a webhook to your favorite SOAR for further investigation:

Sublime Security

@sublime_sec

3 years

Announcing arbitrary Webhook actions. Write a rule to flag any type of behavior in your email environment, set it active on any or all of the mailboxes in your domain, and trigger a webhook notification to an arbitrary HTTP(S) endpoint. Available to all free Platform users now.

2

3

7

1

2

Sublime Security

@sublime_sec

5 months

DM us if you still need a ticket! We have a few remaining to share with y'all.

0

2

Sublime Security

@sublime_sec

9 months

@Jhaddix @MiscreantsHQ

0

2

Sublime Security

@sublime_sec

1 year

For example: analyze the intent of the OCR'd content of a PDF file, inside a zip attachment, from a freemail sender your organization has never communicated with. NLU function docs:

Enrichment functions

MQL is highly extensible and can integrate virtually any tool or service to build better detection rules.📘Request a function!Don't see a function you want? Let us know via email or Slack!beta.mess...

docs.sublimesecurity.com

1

0

2

Sublime Security

@sublime_sec

11 months

Sublime Rule Feeds enable you to quickly operationalize new detection rules for emerging threats from others in the community. More info on how to add new Feeds like the @delivr_to Feed here (it only take a couple clicks!):

Rule Feeds

Overview Git-backed rule feeds let you receive rule updates and new Sublime rules directly in your dashboard from both the Sublime team and the entire Sublime community.To view and manage rule feeds,...

docs.sublimesecurity.com

delivr.to

@delivr_to

11 months

Given SVGs are a permitted attachment type in O365, and can be opened natively by browsers, they present a prime candidate for abuse⚠️ We've added a new @sublime_sec rule to our detections repo to detect SVGs with script blocks in them: 🧵4/5

1

5

0

3

2

Sublime Security

@sublime_sec

10 months

Details on our session w/ @therealwlambert :

0

1

2

Sublime Security

@sublime_sec

2 months

Join us in 20 min:

Integrated Email Security with LimaCharlie + Sublime Security

With LimaCharlie, we believe that security capabilities should enable and empower the teams that use them. Email security is here to stay as a necessary component to the modern security stack....

limacharlie.wistia.com

LimaCharlie

@limacharlieio

2 months

Sublime puts email security directly into the hands of your security teams, enabling proactive defense against email threats through Detection-as-Code and behavioral AI functionalities. Join @_bromiley (Lead Solutions Engineer at LimaCharlie) and @jkamdjou (Founder & CEO of…

0

3

0

2

Sublime Security

@sublime_sec

7 months

You'll be guided through the rule creation process, utilizing Sublime and YARA, while dissecting faithfully reproduced malware in @delivr_to 's payload collection.

1

0

1