This project is provided "as-is" without any guarantee of updates or maintenance. Please note that some samples included may contain malicious links or attachments. By using this repository, you agree to handle all materials responsibly and understand the associated risks. The authors are not liable for any misuse or consequences resulting from the use of this project.
Email remains one of the most common cyberattack vectors, making email threat hunting a vital skill for security professionals. While tools like secure email gateways and provider-level protections (e.g., Office 365, Google Workspace) catch obvious threats, advanced phishing, spoofing, and sophisticated attacks often slip through.
Sublime Security enhances your detection capabilities with robust features, including organizational context, historical insights, and behavioral baselines, offering significantly more than standard EML analyzers. With Sublime, you get:
- A 30-day historical data ingestion, paired with a 14-day free Enterprise trial, for a comprehensive 44-day analysis window
- A free managed tier for up to 100 mailboxes, ideal for smaller organizations or a representative subset of critical/highly targeted user mailboxes
- Free self-managed deployments are available via Docker (600 mailboxes), AWS CloudFormation, and Azure ARM
By the end of this workshop, you’ll learn how to:
- Use Sublime's Message Query Language (MQL)
- Proactively identify and respond to email threats with hands-on examples
- Continue hunting with additional resources and Detection Rules based on the examples in this workshop
➡️ Quickly analyze suspicious emails with the EML Analyzer
- What it does: Parses and enriches raw email messages into a structured schema, the Message Data Model (MDM), and runs detection rules using Sublime's MQL
- What it’s for: Investigate suspicious or user-reported emails without needing full platform integration
For advanced analysis with added organizational context, follow the Advanced Setup below.
- Active subscription to Office 365 or Google Workspace
- Administrator access to your organization's email environment
- A Sublime account (Sign up here)
- Log in to the Microsoft Office Admin Console.
- Follow the link here, or continue with the step-by-step setup guide inside of Sublime: Installation for Office 365.
- Navigate to Admin → Message Sources in Sublime and add a new message source.
- Approve the Graph API Connector to establish the connection.
- Log in to the Google Workspace Admin Console.
- Follow the link here, or continue with the step-by-step setup guide inside of Sublime: Installation for Google Workspace.
- Navigate to Admin → Message Sources in Sublime and add a new message source.
- Complete the connection by adding the private Google Workspace Marketplace App here.
Once connected, Sublime is ready for comprehensive email threat hunting.
How-To MQL Guides
Additional Learning Resources
CISA Secure Cloud Business Applications (SCuBA) Project
Start with the broadest query that will flag on your example. Sometimes a complex rule is needed for a specific scenario, but often the best rule is the simplest one you can get away with!
Use existing rules in the Sublime Core Feed or strings from Common snippets to fit the conditions you are attempting to flag on.
Practice threat hunting with these scenarios. Use the hidden solutions to verify your work only after attempting the queries. I will give what I think is good detection logic, but there is always more than one correct answer, and you may see a different way forward!
Example 1: DIRECT DEPOSIT CHANGE -- Download Sample .eml Here
Payroll fraud involving employee spoofing occurs when an attacker impersonates an employee to request changes to their direct deposit details, diverting funds to the attacker’s account. This is typically done through phishing emails, social engineering, or forged documents. It can result in financial loss, employee distress, and reputational damage if not promptly detected and mitigated.
Hint
Consider creating a string or regex detection for some of the keywords present in the subject or body text.
Solution
type.inbound
and 1 of (
  regex.icontains(body.current_thread.text,
    // "dd" is the common shorthand for direct deposit
    '(pay\s?(roll|check|date|day)|direct deposit|\bACH\b|\bdd\b|gehalt|salario|salary)'
  ),
  regex.icontains(subject.subject,
    '(pay\s?(roll|check|date|day)|direct deposit|\bACH\b|\bdd\b|gehalt|salario|salary)'
  ),
  // request
  (
    any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "request"
    )
    // financial
    and any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "financial"
    )
  )
)
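The keyword half of that rule, reproduced in Python as an added example (this is not the workshop's code or Sublime's, just the same regex run over a parsed .eml). It also approximates what `body.current_thread.text` buys you: quoted history is trimmed before matching, so a benign reply that merely quotes an older message mentioning payroll does not fire. Both messages below are constructed for the example; the reply-marker heuristics are an assumption, not Sublime's thread parser.

```python
import email
import re
from email import policy

# The keyword pattern from the MQL solution above, compiled case-insensitively
# (regex.icontains in MQL is case-insensitive too).
PAYROLL_RE = re.compile(
    r"(pay\s?(roll|check|date|day)|direct deposit|\bACH\b|\bdd\b|gehalt|salario|salary)",
    re.IGNORECASE,
)

# Markers where quoted history begins; everything from the first marker on is
# an earlier message, not the current thread. (Heuristic, assumed for the example.)
REPLY_SPLIT_RE = re.compile(
    r"^(?:>|On .+ wrote:|-+ ?Original Message ?-+)", re.MULTILINE | re.IGNORECASE
)


def current_thread_text(body: str) -> str:
    """Approximation of body.current_thread.text: keep only the newest message."""
    match = REPLY_SPLIT_RE.search(body)
    return body[: match.start()] if match else body


def plain_body(raw_eml: bytes) -> str:
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def subject_of(raw_eml: bytes) -> str:
    return email.message_from_bytes(raw_eml, policy=policy.default).get("Subject", "")


def flag_payroll_request(raw_eml: bytes) -> dict:
    """Return which of the two keyword conditions fired, plus the overall verdict."""
    subject_hit = PAYROLL_RE.search(subject_of(raw_eml)) is not None
    body_hit = PAYROLL_RE.search(current_thread_text(plain_body(raw_eml))) is not None
    return {"subject": subject_hit, "body": body_hit, "flag": subject_hit or body_hit}


def whole_body_hit(raw_eml: bytes) -> bool:
    """Same check without trimming quoted history (what a naive rule would do)."""
    return PAYROLL_RE.search(plain_body(raw_eml)) is not None


# Constructed samples (not the workshop's .eml files).
PHISH = b"""From: "Dana Reyes" <dana.reyes@webmail.example>
To: payroll@corp.example
Subject: Quick question
Content-Type: text/plain; charset=utf-8

Hi, I switched banks last week. Can you update my Direct Deposit
before the next pay day? I will send the new routing number shortly.
Thanks, Dana
"""

BENIGN_REPLY = b"""From: "Sam Ortiz" <sam@corp.example>
To: jo@corp.example
Subject: Re: Friday lunch
Content-Type: text/plain; charset=utf-8

Sounds good, see you at noon.

On Tue, 7 Jan 2025 at 09:00, Jo <jo@corp.example> wrote:
> Also, the payroll team moved to the 3rd floor.
"""

if __name__ == "__main__":
    print(flag_payroll_request(PHISH))         # flag True (body keywords)
    print(flag_payroll_request(BENIGN_REPLY))  # flag False
    print(whole_body_hit(BENIGN_REPLY))        # True: quoted text alone would trigger
```

The NLU `request` and `financial` entity conditions have no offline equivalent here; in Sublime they are what keeps the keyword list from firing on every newsletter that mentions a salary survey.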
Example 2: Jamie sent you a file -- Download Sample .eml Here
Attackers exploit free form submission and collaboration tools like Google Drawings to conduct chainlink phishing attacks by hosting malicious content on these trusted platforms. They craft phishing emails that direct recipients to seemingly legitimate documents or graphics hosted on services like Google Drawings, which contain embedded malicious links. This strategy leverages the inherent trust in well-known platforms to bypass security filters and deceive users into clicking on harmful links, leading to credential theft or malware installation.
Hint
Free form submission and collaboration tools are often used for chainlink phishing. In this case, the attacker appears to be using a fake image hosted in a Google Drawing. Can you detect a Google Drawings link in either the body links or the current thread text?
Solution
type.inbound
and (
  strings.icontains(body.current_thread.text, "docs.google.com/drawings/")
  or any(body.links,
    strings.ilike(.href_url.url, "*docs.google.com/drawings/*")
  )
)
Example 4: One pkg to rule them all -- Download Sample .eml Here
Malicious OneNote files are used in phishing emails to deliver malware by embedding malicious scripts or links within the file. These emails often impersonate trusted contacts or organizations to trick users into opening the file and triggering the malware. This can lead to further phishing, device compromise, data theft, or the spread of ransomware.
Hint
Try to create a detection looking for the presence of a OneNote file.
Solution
type.inbound
and (
  any(attachments,
    .file_extension in~ $file_extensions_common_archives
    and any(file.explode(.),
      .depth > 0
      and .file_extension in~ (
        "onenote", // Microsoft OneNote notebook file
        "one", // Microsoft OneNote section file
        "onepkg", // Microsoft OneNote package file
      )
    )
  )
  or any(attachments,
    .file_extension in~ (
      "onenote", // Microsoft OneNote notebook file
      "one", // Microsoft OneNote section file
      "onepkg", // Microsoft OneNote package file
    )
  )
)
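What `file.explode` with `.depth > 0` is doing, as an added Python example (not the workshop's code or Sublime's): attachments are unpacked recursively and every inner file name is checked against the OneNote extensions, so a `.one` file two archives deep is still found. Only zip is exploded here, whereas `$file_extensions_common_archives` covers other formats too; the depth and size caps are assumptions for the example, and the message is constructed inline.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

ONENOTE_EXTS = {"onenote", "one", "onepkg"}
# Only zip is exploded here; $file_extensions_common_archives in the rule is broader.
ARCHIVE_EXTS = {"zip"}
MAX_DEPTH = 3                        # stop recursing into archives-in-archives past this depth
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized members (zip-bomb guard)


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def explode(name: str, data: bytes, depth: int = 0):
    """Yield (depth, name) for a file and, for zip archives, every member recursively."""
    yield depth, name
    if extension(name) not in ARCHIVE_EXTS or depth >= MAX_DEPTH:
        return
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            yield from explode(info.filename, zf.read(info), depth + 1)


def onenote_attachments(raw_eml: bytes) -> list:
    """Return (attachment_name, depth, inner_name) for every OneNote file found."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        for depth, inner in explode(name, data):
            if extension(inner) in ONENOTE_EXTS:
                hits.append((name, depth, inner))
    return hits


def build_sample_eml() -> bytes:
    """Constructed message: a zip nesting another zip that holds invoice.one, plus a bare .onepkg."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.one", b"placeholder, not a real notebook")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("docs/scan.zip", inner.getvalue())
        zf.writestr("readme.txt", b"open the scan")
    msg = EmailMessage()
    msg["From"] = "accounts@vendor.example"
    msg["To"] = "ap@corp.example"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_4471.zip")
    msg.add_attachment(b"placeholder", maintype="application", subtype="octet-stream",
                       filename="notes.onepkg")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in onenote_attachments(build_sample_eml()):
        print(hit)
```

Extension matching alone is a weak signal on its own, which is why the rule is scoped with `type.inbound` and why real-world versions add sender or content conditions; the point of the explode step is that renaming or nesting the file does not hide it.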
Example 5: eMail Account Suspention Notice -- Download Sample .eml Here
Newly registered domains (NRDs) are often used in malicious email attacks because they are unlikely to be flagged by security systems due to their lack of history or reputation. Attackers use these domains to impersonate trusted organizations, send phishing emails, or host malicious content, such as fake login pages or malware. Their short lifespan and ability to bypass filters make NRDs a powerful tool for delivering credential theft and malware attacks.
Hint
Consider the insights that triggered here. Can you create a detection with whois data for a domain that is less than 30 days old?
Solution
type.inbound
and any(body.links, network.whois(.href_url.domain).days_old <= 30)
Example 6: Ajith Babu Salary New Bonus 2024-2025.pdf -- Download Sample Here
For this sample you'll need to build an .eml with the Sublime analyzer. I've predownloaded the file so that it will remain available. Once you have the .zip file of the malware sample downloaded, extract the PDF contained. Using the Sublime EML Analyzer, "Build an EML", and add the PDF as an attachment. Sample (pw = infected)
Fake PDF files with malicious links are used in phishing attacks to trick recipients into clicking links that lead to credential theft or malware downloads. These files are often disguised as legitimate documents from trusted sources, exploiting the perceived safety of PDFs to bypass user suspicion. This threat highlights the importance of scrutinizing unexpected attachments and using advanced email security to detect malicious activity.
Hint
Explore the screenshots of the PDF file being executed in JoeSandbox, as well as the insights and links.
Solution
type.inbound
and any(attachments,
  .file_extension == "pdf"
  and any(file.explode(.),
    // a link inside the PDF whose path ends in an HTML-style extension
    any(.scan.pdf.urls,
      regex.contains(.path, '\.(?:html|xhtml|shtml|htm)\b')
    )
    and any(ml.nlu_classifier(.scan.ocr.raw).intents,
      .name == "cred_theft"
      and .confidence in~ ("medium", "high")
    )
  )
)
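The link-path half of that rule as an added Python example (not the workshop's code or Sublime's): pull the `/URI` link actions out of a PDF and keep those whose path ends in an HTML-style extension. It also shows why a trailing empty alternative in the pattern, `(?:html|xhtml|shtml|htm|)`, is a bug: the empty branch lets `\.` followed by any word boundary match, so `/login.php` qualifies as well. The byte scan only sees uncompressed link annotations (Sublime's `.scan.pdf.urls` does the real parsing), and the PDF fragment is constructed for the example.

```python
import re
from urllib.parse import urlparse

# Naive scan for uncompressed /URI link actions. Real PDFs often keep these in
# compressed object streams; this is only enough for the constructed sample.
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Path test: the link target must end in an HTML-style extension.
HTML_PATH_RE = re.compile(r"\.(?:html|xhtml|shtml|htm)\b")
# Same pattern with a trailing empty alternative "|)": "." followed by any
# word boundary now matches, e.g. "/login.php" or "/x.pdf".
LOOSE_PATH_RE = re.compile(r"\.(?:html|xhtml|shtml|htm|)\b")


def pdf_urls(pdf_bytes: bytes) -> list:
    """Return the URI strings of every /URI action found in the raw PDF bytes."""
    return [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf_bytes)]


def html_link_targets(urls, pattern=HTML_PATH_RE) -> list:
    """URLs whose path (not host or query string) matches the given pattern."""
    return [u for u in urls if pattern.search(urlparse(u).path)]


# Constructed PDF fragment (not the workshop's sample) with three link annotations.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
5 0 obj << /Type /Annot /Subtype /Link
  /A << /S /URI /URI (https://cdn.example.net/share/review.html) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link
  /A << /S /URI /URI (https://mail.example.org/login.php?u=abc) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link
  /A << /S /URI /URI (https://www.example.com/) >> >> endobj
%%EOF
"""

if __name__ == "__main__":
    urls = pdf_urls(SAMPLE_PDF)
    print(html_link_targets(urls))                 # only the .html link
    print(html_link_targets(urls, LOOSE_PATH_RE))  # .html and .php links
```

The OCR plus `cred_theft` intent condition has no offline stand-in; it is what distinguishes a lure PDF from a legitimate document that happens to link to a web page.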
Example 7: Сhеϲk Νеԝ Αdjυѕtⅿеntѕ Rеⅼеаѕеd! Rеvіеԝ аnd ϲⅼаіⅿ уουr Βеnеfіt/Βοnυѕ fοr Μаіⅼοnⅼіnе Αϲtіvіtіеѕ 4th Qυаrtеr - ΙуΝՍRᏙhՍΤⅼᏙΝՍkFΟRΕ9ΝΟᎠΑjΙԝ== -- Download Sample Here
This is a great example of responding to OSINT by hunting, then creating a new detection. This was performed by the Sublime team just a few hours after the technique was observed in the wild!
I've predownloaded the file so that it will remain available. Once you have the .zip file of the malware sample downloaded, extract and upload to the Sublime EML Analyzer. Sample (pw = infected)
Attackers use intentionally corrupted Word documents in phishing emails to evade security filters. When recipients attempt to repair the document, malicious content is executed, enabling credential theft or malware installation. This tactic exploits trust in document recovery features to increase attack success.
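The page gives no solution for this example, so the following is an added Python example (not the workshop's detection and not Sublime's rule) of one way to characterise a "corrupted" Office attachment offline: an OOXML document is a zip, so an attachment that claims the `.docx` extension but has a missing central directory or a member whose CRC does not match is exactly the kind of file Word offers to recover. The three documents and the message are constructed inline; the verdict labels are assumptions for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

OOXML_EXTS = {"docx", "docm", "dotx", "xlsx", "xlsm", "pptx"}


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def assess_ooxml(name: str, data: bytes) -> str:
    """Classify an attachment that claims to be an Office Open XML document."""
    if extension(name) not in OOXML_EXTS:
        return "not_ooxml"
    if not data.startswith(b"PK\x03\x04"):
        return "no_zip_signature"        # extension says Office, bytes say otherwise
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:
                return "corrupt_member"      # a member's CRC does not match its data
            if "[Content_Types].xml" not in zf.namelist():
                return "missing_content_types"
    except zipfile.BadZipFile:
        return "corrupt_archive"             # central directory unreadable
    return "ok"


def suspicious_office_attachments(raw_eml: bytes) -> list:
    """Return (attachment_name, verdict) for Office-named attachments that do not parse cleanly."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict = assess_ooxml(name, part.get_payload(decode=True) or b"")
        if verdict not in ("ok", "not_ooxml"):
            findings.append((name, verdict))
    return findings


def build_docx(text: str = "Hello") -> bytes:
    """Minimal OOXML-shaped zip, stored uncompressed so later corruption is byte-level."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", f"<w:document><w:t>{text}</w:t></w:document>")
    return buf.getvalue()


def truncate_central_directory(docx: bytes) -> bytes:
    """Drop the end-of-central-directory record so the zip index cannot be read."""
    return docx[:-40]


def flip_member_bytes(docx: bytes) -> bytes:
    """Alter member data in place so the stored CRC no longer matches."""
    return docx.replace(b"<w:t>Hello</w:t>", b"<w:t>Hullo</w:t>", 1)


def build_sample_eml() -> bytes:
    """Constructed message: two damaged documents, one intact, one non-Office file."""
    msg = EmailMessage()
    msg["From"] = "hr@corp-benefits.example"
    msg["To"] = "staff@corp.example"
    msg["Subject"] = "Q4 adjustments"
    msg.set_content("Your adjustment letter is attached.")
    for fname, data in (
        ("Adjustments_Q4.docx", truncate_central_directory(build_docx())),
        ("Bonus_Q4.docx", flip_member_bytes(build_docx())),
        ("Policy.docx", build_docx()),
        ("notes.txt", b"plain text"),
    ):
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in suspicious_office_attachments(build_sample_eml()):
        print(finding)
```

Legitimate mail does occasionally carry a damaged document, so in a production rule this structural check is a condition to combine with sender, recipient and content signals rather than a verdict on its own.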
🎉 Congratulations! You've completed the "Advanced Email Threat Hunting w/ Detection as Code" workshop. Use your newly acquired skills and go catch some bad guys. Happy hunting!
Detection Rules based on the examples in this workshop
Add this repo as a "Feed" in Sublime as an alternative to manually hunting with each rule individually.