Email bomb protection

Overview

Email bombs are attacks in which an adversary floods a targeted mailbox with a high volume of messages to overwhelm the recipient, divert attention (for example, from a notification the attacker wants buried), evade security controls, or gain access. Attacks come in many shapes and sizes; common themes are mass subscription sign-ups and spam, with volumes ranging anywhere from 500 to 500,000+ messages.

Detection

Sublime’s email bomb protection automatically looks for sustained spikes in the number of emails received by a mailbox. Detection requires no user input: the spike is identified and surfaced in your instance without any manual configuration or tuning.

Auto-remediation

Once a bomb is identified, Sublime’s Automations can sort through the messages within the bomb, separating the attacker’s noise from internal messages that happened to land amid the bomb and any other messages that were not part of the attack. By assigning Actions to Automations, you can auto-remediate the attacker’s messages without disrupting other mail.

Actions applied to email bomb messages only impact those messages — if the message is part of a larger message group, the Action will apply to the messages from the email bomb without impacting the rest of the group.

Sublime ships a default Automation that identifies unwanted mail within an email bomb:

This Automation finds the attacker’s messages and moves them to spam, so mailbox owners can still look through the bomb as needed.

You can also create any number of custom Automations using the "email bomb detected" trigger.
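To make the two mechanisms above concrete, here is an added example (not Sublime's code, and not a description of its internal thresholds): a sustained-spike detector over per-mailbox message counts, followed by a triage sort that mirrors the default Automation's split of attacker noise from other mail. The window size, multiplier, floor, "three consecutive windows" rule, the org domain `example.com`, and the traffic data are all constructed assumptions for the demo.

```python
"""Illustrative email-bomb detector and triage sorter (added example; not Sublime's code)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
OUR_DOMAIN = "example.com"  # assumed: the protected organisation's domain


@dataclass(frozen=True)
class Message:
    ts: datetime
    mailbox: str
    sender: str
    subject: str


def build_sample(mailbox="victim@example.com"):
    """Constructed traffic: 7 quiet days, then 300 subscription confirmations in 30 minutes."""
    base_start = datetime(2024, 3, 1)
    bomb_start = base_start + timedelta(days=7)
    msgs = []
    for hour in range(7 * 24):  # two normal messages per hour during the baseline week
        msgs.append(Message(base_start + timedelta(hours=hour, minutes=5), mailbox, "bob@example.com", "Weekly sync"))
        msgs.append(Message(base_start + timedelta(hours=hour, minutes=25), mailbox, "alice@partner.example", "Invoice"))
    for i in range(300):  # the bomb: one message every 6 s from 25 rotating list senders
        msgs.append(Message(bomb_start + timedelta(seconds=6 * i), mailbox,
                            f"noreply@list{i % 25}.example", "Confirm your subscription"))
    # legitimate mail that happens to land in the middle of the bomb
    msgs.append(Message(bomb_start + timedelta(minutes=7), mailbox, "bob@example.com", "Re: Weekly sync"))
    msgs.append(Message(bomb_start + timedelta(minutes=12), mailbox, "alice@partner.example", "Re: Invoice"))
    msgs.append(Message(bomb_start + timedelta(minutes=18), mailbox, "bob@example.com", "Lunch?"))
    # traffic returns to normal afterwards
    msgs.append(Message(bomb_start + timedelta(hours=2), mailbox, "carol@example.com", "Hi"))
    return msgs


def detect_email_bomb(messages, mailbox, window=timedelta(minutes=10), baseline=timedelta(days=7),
                      multiplier=10, min_abs=20, min_consecutive=3):
    """Return (start, end) of the first sustained spike for `mailbox`, or None.

    A window is "hot" when its message count is at least `multiplier` times the mailbox's
    average per-window count over the preceding `baseline` period, floored at `min_abs` so a
    near-idle mailbox does not alert on a handful of messages. A spike is "sustained" when at
    least `min_consecutive` adjacent windows are hot (a single busy window is not a bomb).
    """
    counts = Counter((m.ts - EPOCH) // window for m in messages if m.mailbox == mailbox)
    if not counts:
        return None
    n_base = baseline // window
    first, last = min(counts), max(counts)
    run = []
    for idx in range(first, last + 2):  # one past the end so a trailing run is flushed
        prior = range(max(first, idx - n_base), idx)
        avg = sum(counts[j] for j in prior) / len(prior) if prior else 0.0
        threshold = max(multiplier * avg, min_abs)
        if counts[idx] >= threshold:
            run.append(idx)
            continue
        if len(run) >= min_consecutive:
            return EPOCH + run[0] * window, EPOCH + (run[-1] + 1) * window
        run = []
    return None


def triage_bomb(messages, mailbox, start, end):
    """Sort messages that landed during the bomb into the Remediated / Not remediated buckets.

    Assumed heuristics (not Sublime's logic): mail from our own domain, or from a sender the
    mailbox had already received from before the bomb, is kept for review; everything else is
    treated as attacker noise and remediated.
    """
    known = {m.sender for m in messages if m.mailbox == mailbox and m.ts < start}
    in_bomb = [m for m in messages if m.mailbox == mailbox and start <= m.ts < end]
    remediated, not_remediated = [], []
    for m in in_bomb:
        # Caveat: the From address alone is spoofable; production logic should only trust
        # "internal" mail that is authenticated (e.g. DMARC-aligned) for the org's domain.
        if m.sender.endswith("@" + OUR_DOMAIN) or m.sender in known:
            not_remediated.append(m)
        else:
            remediated.append(m)
    return {"all": in_bomb, "remediated": remediated, "not_remediated": not_remediated}


if __name__ == "__main__":
    sample = build_sample()
    span = detect_email_bomb(sample, "victim@example.com")
    print("bomb window:", span)
    buckets = triage_bomb(sample, "victim@example.com", *span)
    print({k: len(v) for k, v in buckets.items()})
```

On the constructed sample this flags the 30-minute window starting 2024-03-08 00:00 and sorts 300 messages into "Remediated" and the three legitimate ones into "Not remediated", which is the split an analyst would then review on the Email Bombs page. The floor (`min_abs`) is the important tuning knob: without it, a mailbox that normally receives almost nothing would alert on a small burst of ordinary mail.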

Triage

Because email bombs are sorted by Automations, legitimate mail is already separated from the attacker’s messages by the time you look. Once an email bomb has been detected in your environment, reviewing it is straightforward:

  • Head to the Email Bombs page, which contains a list of all email bombs found in your environment
  • Open up the bomb in question
  • Review the histogram, which shows the timeline of the attack
  • Use the list of messages to review the contents of the bomb:
    • All: all messages that landed during the attack, including all the attacker’s messages and any other messages that landed during the attack
    • Not remediated: messages that were found during the timeline of the attack that have not been remediated yet. When the default Sublime Automation is on, this bucket of messages represents mail that needs review before remediation is applied.
    • Remediated: messages that were found during the timeline of the attack that have been remediated, either automatically or manually. When the default Sublime Automation is on, this bucket represents mail that is likely part of the bomb and does not require review.
  • When you’re ready, mark the bomb as reviewed so other analysts in the platform know that the bomb has been mitigated and reviewed by the security team!