Overview

The Message Data Model (MDM), or MDM, is one of the core building blocks of the Sublime system. It is a structured data model representation of an email message designed to make rule writing predictable, easy, and intuitive.

Let's take a look at how a raw email message gets transformed into an MDM.

First, download the message here.

View the contents of the raw message:

head impersonation.eml

Output:

View the sender of the email:

grep 'From:' impersonation.eml

Output:

From: Joshua Kamdjou <[email protected]>

Create a Message Data Model

Now, let's create an MDM from our raw EML.

Install the Sublime CLI:

pip3 install sublime-cli

Now, let's create the MDM:

sublime create -i impersonation.eml

Output:

Output saved to impersonation.mdm

The MDM is stored as a JSON object, and organizes the message into distinct hierarchical objects that make it easy to find what you're looking for in a message. For example, to view the sender of the message, just output the top-level sender object using an MQL query (more on that later):

sublime analyze -i impersonation.mdm -q sender

Output:

╔═══════════════════════════╗
║          Results          ║
╚═══════════════════════════╝

File Name: impersonation.mdm

Total Rules: 0
Total Queries: 1

QUERIES

  - Query 1
    Result: {
      "display_name": "Joshua Kamdjou",
      "email": {
        "email": "[email protected]",
        "local_part": "joshkamdjou90",
        "domain": {
          "domain": "gmail.com",
          "root_domain": "gmail.com",
          "sld": "gmail",
          "tld": "com",
          "valid": true
        }
      }
    }

Instead of an unformatted string, the sender object is tokenized and designed to make rule writing easy!

You can view the other objects of the MDM anytime using the Message Data Model (MDM) reference.

In the next tutorial, we'll learn how to use this information to write a rule for this impersonation attack.