Introduction

Sublime is a programmable, AI-powered, cloud email security platform for Microsoft 365 and Google Workspace environments. IMAP and APIs for direct ingestion are also supported.

Use the Sublime Platform to:

  • block email attacks such as phishing, BEC, and malware
  • threat hunt
  • auto-triage user reports

At its core, Sublime is a rules engine that ingests email messages from arbitrary sources, evaluates them using a powerful query language, and then takes any number of actions like quarantining a message, generating a webhook notification, or inserting a warning banner. Below is an example of a simple rule:

name: HTML smuggling via attachment
severity: high
source: |
  type.inbound
  and any(attachments,
          .file_extension in~ ('html', 'htm')
          and any(file.explode(.),
                  any(.scan.javascript.identifiers, . == "unescape")
          )
  )
tags:
  - "HTML smuggling"
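
The logic this rule expresses, approximated in Python as an added illustration; it is not Sublime's code. The names `rule_matches`, `js_identifiers` and `ScriptExtractor` and the sample attachments are constructed here, and a simple HTML parser and regex tokenizer stand in for Sublime's `file.explode` and JavaScript scanner.

```python
import re
from html.parser import HTMLParser

HTML_EXTENSIONS = {"html", "htm"}  # the rule's list; in~ compares case-insensitively
# Simplified tokenizer (assumption): drop comments and quoted strings, then
# collect identifier-shaped tokens. Template literals are not handled.
_SKIP = re.compile(r"""//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'""", re.S)
_IDENT = re.compile(r"[A-Za-z_$][\w$]*")

class ScriptExtractor(HTMLParser):
    """Collects the text inside each <script> element."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def js_identifiers(js):
    """Identifier tokens in a script, ignoring comments and string contents."""
    return set(_IDENT.findall(_SKIP.sub(" ", js)))

def rule_matches(inbound, attachments):
    """attachments: list of (file_extension, text) tuples (constructed shape)."""
    if not inbound:                       # type.inbound
        return False
    for ext, text in attachments:         # any(attachments, ...)
        if ext.lower() not in HTML_EXTENSIONS:
            continue
        parser = ScriptExtractor()
        parser.feed(text)
        parser.close()
        # . == "unescape" is an exact identifier match, not a substring search
        if any("unescape" in js_identifiers(s) for s in parser.scripts):
            return True
    return False

# Constructed sample attachments
CALLS_UNESCAPE = '<html><script>var d = unescape("%68%69"); document.body.textContent = d;</script></html>'
MENTIONS_ONLY = '<html><script>// unescape here\nvar note = "unescape is old"; var my_unescape_n = 1;</script></html>'
```

The second sample contains the word `unescape` only in a comment, a string and a longer variable name, so an identifier-level comparison does not match it where a plain substring search would.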