
Sublime Early Access Docs

Welcome to Sublime Early Access. Our goal is to shift the balance of power in email security from attackers to defenders. To do this, we’re creating an open, adaptable platform that gives you full control over your email environment, and lets anyone respond to new forms of phishing attacks by building and subscribing to detections from others in the community.

Sublime is a platform aimed at (but not limited to) helping security professionals alert on and quarantine suspicious messages entering their email environment. With Sublime you can describe attacker behavior as well as target specific IOCs with simple, human-readable rules. Each rule is a set of statements joined by boolean operators, and together they define its logic. Let’s see a few examples:

Rule: gift_card_scam

&& < `90`
&& contains(body.text, [`gift card`, `surprise`, `errand`, `help`, `text me`, `email me back`])

The above rule tells Sublime that any inbound message where the sender is newer than 90 days and the body contains any of the listed strings should be flagged as gift_card_scam. This is a deliberately simple example; more complex and powerful rules can be built using functions, list iteration, regular expressions, and the many other features explained in this documentation. Let’s see some more advanced examples:

Rule: office365_suspicious_app_authorization_link

&& contains(
	body.urls[? href_domain.domain == `` ].query_params,
	[`offline_access`, `.readwrite`, `.read`]

Rule: possible_apt_29_free_file_sharing_link

&& contains(headers.x_originating_ip.country_code, [`RU`, `CN`, `IR`, `KP`, `UA`, `NG`])
&& free_file_host(body.urls[].href_domain.domain) 
&& free_email_provider(

Engine overview

PQL rules (or detections) are the core building blocks of the Sublime platform. When a message enters your email environment, it is tokenized and then enriched to create the Message Data Model, or MDM. Rules that are deployed and set active in your environment are then evaluated against the MDM; every rule that matches (flags) triggers its configured actions, such as an email alert, a SIEM alert, or a quarantine.
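To make the pipeline above concrete, here is an added illustration in Python. It is not Sublime's engine, not its real MDM, and not PQL; it is a constructed stand-in that tokenizes a raw message, enriches it into a dict shaped like the fields used in the rules earlier on this page (body.text, body.urls[].href_domain.domain, headers.x_originating_ip.country_code), and then evaluates Python equivalents of the gift_card_scam and possible_apt_29_free_file_sharing_link rules against it. The sender-age field (days_since_first_seen), the enrichment lookup tables, and the two sample messages are all assumptions made for the example.

```python
"""Toy walk-through of tokenize -> enrich (MDM) -> evaluate rules -> act.

Constructed example; none of this is Sublime's code or its actual data model.
"""
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Constructed sample traffic (addresses and hosts use reserved .test names).
RAW_MESSAGE = """\
From: "CEO" <ceo.office@example-mail.test>
To: alice@example.test
Subject: quick favor
X-Originating-IP: [203.0.113.7]
Content-Type: text/plain

Hi Alice, I need a small errand done before the board call.
Can you buy a few gift cards for the team as a surprise? Text me
when done: https://transfer.example-freehost.test/d/abc123
"""

BENIGN_MESSAGE = """\
From: Bob <bob@corp.test>
To: alice@example.test
Subject: meeting notes
X-Originating-IP: [198.51.100.4]
Content-Type: text/plain

Notes from today's sync are in the shared folder, see you tomorrow.
"""

# Constructed enrichment sources; a real engine would use live intelligence.
FREE_FILE_HOSTS = {"example-freehost.test"}
FREE_EMAIL_PROVIDERS = {"example-mail.test"}
IP_COUNTRY = {"203.0.113.7": "NG", "198.51.100.4": "US"}
SENDER_FIRST_SEEN = {
    "ceo.office@example-mail.test": date(2023, 6, 1),   # brand-new sender
    "bob@corp.test": date(2019, 1, 15),                 # long-standing contact
}
TODAY = date(2023, 6, 20)  # pinned so the example is deterministic

URL_RE = re.compile(r"https?://[^\s<>\"]+")


def registered_domain(hostname):
    """Naive 'registered domain' (last two labels). Real engines use the public suffix list."""
    return ".".join(hostname.split(".")[-2:]) if hostname else None


def build_mdm(raw):
    """Tokenize a raw RFC 5322 message and enrich it into our toy MDM dict."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    text = msg.get_payload()
    urls = []
    for u in URL_RE.findall(text):
        p = urlparse(u)
        urls.append({"href_domain": {"domain": registered_domain(p.hostname)},
                     "query_params": parse_qs(p.query)})
    ip = msg.get("X-Originating-IP", "").strip("[] ")
    first_seen = SENDER_FIRST_SEEN.get(sender)
    return {
        "sender": {"email": sender, "domain": sender.split("@")[-1],
                   # assumed field: age of the sender relationship in days
                   "days_since_first_seen": (TODAY - first_seen).days if first_seen else None},
        "body": {"text": text, "urls": urls},
        "headers": {"x_originating_ip": {"ip": ip, "country_code": IP_COUNTRY.get(ip)}},
    }


def contains(haystack, needles):
    """Case-insensitive 'any needle appears in haystack', like contains() on this page."""
    hay = haystack.lower() if isinstance(haystack, str) else ""
    return any(n.lower() in hay for n in needles)


def free_file_host(domains):
    return any(d in FREE_FILE_HOSTS for d in domains)


def free_email_provider(domain):
    return domain in FREE_EMAIL_PROVIDERS


# Python renderings of the two rules shown earlier on the page.
RULES = {
    "gift_card_scam": lambda m: (
        m["sender"]["days_since_first_seen"] is not None
        and m["sender"]["days_since_first_seen"] < 90
        and contains(m["body"]["text"],
                     ["gift card", "surprise", "errand", "help", "text me", "email me back"])),
    "possible_apt_29_free_file_sharing_link": lambda m: (
        contains(m["headers"]["x_originating_ip"]["country_code"], ["RU", "CN", "IR", "KP", "UA", "NG"])
        and free_file_host([u["href_domain"]["domain"] for u in m["body"]["urls"]])
        and free_email_provider(m["sender"]["domain"])),
}


def run_rules(mdm, rules=RULES):
    """Evaluate every active rule against the MDM; return the names that flag."""
    return sorted(name for name, predicate in rules.items() if predicate(mdm))


def flagged(raw):
    return run_rules(build_mdm(raw))


if __name__ == "__main__":
    for name in flagged(RAW_MESSAGE):
        print("ALERT:", name)   # stand-in for the email/SIEM alert or quarantine action
```

Running the script flags the constructed scam message under both rules and the benign message under none. Note how each rule only ever reads the enriched MDM, never the raw bytes: that separation is what lets the same rule text be shared and subscribed to across environments, and why enrichment quality (sender age, URL domain parsing, IP geolocation) bounds detection quality.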