The improvements to our message grouping algorithm reduce the time analysts spend searching for similar messages and lower the overall median time to remediate (MTTR) for email attacks.

Attackers have tools that let them launch large email campaigns with a click. To detect and prevent large-scale campaigns efficiently, Sublime groups similar messages to cut down on noise and speed up remediation. Sublime presents those message groups throughout the dashboard, in triage views and in investigation workflows like Hunt and Search.

Campaign tactics have evolved over time, with attackers increasing variation per message to boost attack efficacy. To stay ahead of attackers, we overhauled our message grouping algorithm, expanding the fields and methods we use to identify similar messages. Not only does this update boost overall herd immunity, it also helps analysts triage attack campaigns faster.

The updated grouping is better at recognizing variations across different parts of a message, so Sublime can group messages even when they differ in subject, sender address, body content, and more. Grouped messages then receive the same remediation automatically: if a single message in the group gets an Attack Score of malicious and is sent to quarantine, the rest of the group is quarantined as well.

We’ll look at how we made these changes in a bit, but first, let’s look at some of the downstream benefits analysts can expect to see from the grouping enhancement.

Benefits for security analysts

Every minute counts during an investigation, and enhanced message grouping helps security teams operate faster and more efficiently. Teams that centralize alerting in a SOAR will see fewer alerts and investigations. Individual analysts will spend less time investigating attack campaigns and the individual messages that weren't auto-remediated. Let's look at some highlights.

Prioritized reviews with context from the start

In-row message counts for each message group, along with the total number of groups matching a given filter, help analysts understand the full impact of an attack and decide where to start an investigation. For example, an attack with hundreds of targets may be handled differently than one with only a few.

Faster manual reviews on user reports

While Sublime automates user-report remediation, sometimes you need to investigate a report manually. Rather than running numerous wildcard searches by hand to find every message in a campaign, the related messages are immediately accessible in a one-click panel.

Improved herd immunity

When a user reports one message in a campaign, Sublime can automatically remediate all messages in that campaign across all mailboxes that received it, even if the messages are slightly different. As individual messages are added to a message group, they’re also automatically remediated. So once an attack is caught in one inbox, it’s caught in all of them.

Reduced alert fatigue

Message grouping enhancements allow us to roll up more messages into fewer groups, meaning less alert fatigue. Fewer groups also means fewer webhooks sent, tickets opened, and email or Slack alerts fired.

Decreased false negatives and a wider net

Attackers will make a wide range of slight variations within their campaigns in the hope of slipping at least one message past security controls. Sublime’s enhanced message grouping uses those subtle differences to our advantage by treating them as similarities.

As an attacker sends out slight variations on a message across multiple mailboxes, Sublime runs Detection Rules against each message before grouping based on content. Grouping similar messages after individual analysis enables consistent remediation across every variation of the attack.

How we improved message grouping

In the early days of Sublime, message groups were strictly defined by hashing the contents of specific fields (subject, sender, headers, etc.). If the hashes of two messages matched exactly, the messages were in the same group. Over time, we saw how often messages were almost identical, deviating only in predictable ways. Splitting those near-duplicates into separate groups increased both alert fatigue and the risk of false negatives.

To make grouping resilient to predictable changes in fields, we added a preprocessing step so that messages differing only in those ways still land in the same group. This involved things like cleaning up and normalizing links. By preprocessing each message before hashing, we increase the chance that two highly similar messages end up with the same hash, and thus in the same group.

However, we knew that messages needed to also group together in unexpected ways that no amount of simple preprocessing alone could manage. Messages from the same campaign could have a different invoice number in the subject, different sender email address, and changes in body verbiage. We needed a way to determine the overall similarity of messages.

To enhance our grouping, we switched from hashing the preprocessed message content to breaking each message up into a set of many fragments. This lets us use set similarity algorithms to calculate message similarity efficiently. Instead of comparing two hashes, we convert the messages to sets and ask: how much do these sets overlap on a Venn diagram (their Jaccard similarity)? With algorithms like MinHash, which estimates that overlap from a compact signature rather than the full fragment sets, we can detect messages that are highly similar to each other even when they are spread out over time.
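The three generations described above, as an added illustration that is not Sublime's implementation: byte-exact hashing of fields, hashing after normalization (URLs reduced to their host, digits masked), and finally fragment sets compared with exact Jaccard similarity and with a MinHash estimate. The four messages, the field normalization rules, the choice of word bigrams as fragments, the 256 salted BLAKE2b hash functions, and the 0.3 grouping threshold are all assumptions chosen for this example.

```python
"""Three generations of message grouping on a constructed invoice lure.

Added example, not Sublime's code: exact hashing, hashing after
normalization, then fragment sets compared with Jaccard and MinHash.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    subject: str
    sender: str
    body: str


# Constructed sample data: three variants of one lure plus one unrelated message.
BODY = ("Your invoice {n} is {state}. Please review the attached statement and pay {when} at "
        "https://acme-pay.example/pay?id={n}&u={user} to avoid a late fee. Thank you for your business.")
CAMPAIGN = [
    Message("Invoice #48213 overdue", "billing@acme-pay.example",
            BODY.format(n=48213, state="overdue", when="now", user="alice")),
    Message("Invoice #48977 overdue", "billing@acme-pay.example",
            BODY.format(n=48977, state="overdue", when="now", user="bob")),
    # Third variant also changes the sender domain and some wording.
    Message("Invoice #51002 past due", "accounts@acme-payments.example",
            BODY.format(n=51002, state="past due", when="today", user="carol")),
]
UNRELATED = Message("Lunch on Friday?", "dana@corp.example",
                    "Anyone up for tacos on Friday at noon? Reply by Thursday if you are in.")


def exact_key(m: Message) -> str:
    """Generation 1: byte-exact hash of selected fields. Any change breaks the group."""
    return hashlib.sha256(f"{m.subject}\n{m.sender}\n{m.body}".encode()).hexdigest()


URL_RE = re.compile(r"https?://([^\s/?#]+)\S*")
DIGITS_RE = re.compile(r"\d+")


def normalize(text: str) -> str:
    """Generation 2 preprocessing: keep only the URL host, mask digits, lowercase, strip punctuation."""
    text = URL_RE.sub(lambda mo: "url:" + mo.group(1).lower(), text)
    text = DIGITS_RE.sub("#", text)
    tokens = (t.strip(".,!?;:()") for t in text.lower().split())
    return " ".join(t for t in tokens if t)


def normalized_key(m: Message) -> str:
    """Generation 2: hash of the normalized fields, so predictable variation still matches."""
    parts = (normalize(m.subject), normalize(m.sender), normalize(m.body))
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()


def group_by_key(messages, key_fn):
    """Group messages whose key function returns identical values."""
    groups = {}
    for m in messages:
        groups.setdefault(key_fn(m), []).append(m)
    return list(groups.values())


def fragments(m: Message, n: int = 2) -> set:
    """Generation 3: the message as a set of word n-grams plus a sender token."""
    words = normalize(m.subject + " " + m.body).split()
    frags = {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}
    frags.add("sender:" + normalize(m.sender))
    return frags


def jaccard(a: set, b: set) -> float:
    """Exact set overlap: |A & B| / |A | B|."""
    return len(a & b) / len(a | b) if a or b else 0.0


NUM_HASHES = 256  # more hash functions give a tighter Jaccard estimate


def _salted_hash(i: int, frag: str) -> int:
    # A family of hash functions indexed by i, built from BLAKE2b's salt parameter.
    digest = hashlib.blake2b(frag.encode(), digest_size=8, salt=i.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big")


def minhash(frags: set) -> list:
    """MinHash signature: for each hash function, the smallest hash over the fragment set."""
    return [min(_salted_hash(i, f) for f in frags) for i in range(NUM_HASHES)]


def minhash_similarity(sig_a: list, sig_b: list) -> float:
    """The fraction of matching signature slots is an unbiased estimate of Jaccard similarity."""
    return sum(x == y for x, y in zip(sig_a, sig_b)) / len(sig_a)


def group_by_similarity(messages, threshold: float = 0.3):
    """Attach each message to the first group whose representative signature is similar enough."""
    groups = []  # (signature of the group's first member, members)
    for m in messages:
        sig = minhash(fragments(m))
        for rep_sig, members in groups:
            if minhash_similarity(sig, rep_sig) >= threshold:
                members.append(m)
                break
        else:
            groups.append((sig, [m]))
    return [members for _, members in groups]


if __name__ == "__main__":
    msgs = CAMPAIGN + [UNRELATED]
    print("exact hash groups:     ", len(group_by_key(msgs, exact_key)))       # 4
    print("normalized hash groups:", len(group_by_key(msgs, normalized_key)))  # 3
    print("minhash groups:        ", len(group_by_similarity(msgs)))            # 2
```

Exact hashing puts all four messages in separate groups; normalization merges the two variants that differ only in invoice number and URL parameters but still splits off the third, whose sender and wording changed; the fragment-set comparison merges all three campaign messages while leaving the unrelated message alone. In practice the signature would be stored per message so that a new arrival can be compared against existing groups without re-reading their bodies, which is what makes the approach work across time as well as across mailboxes.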

In a future engineering deep dive, we’ll go into the details of how we did this, so keep an eye out on the Sublime blog, X (Twitter), or Slack community.

Smarter grouping for stronger security

Our improved message grouping meaningfully reduces time spent searching for similar messages and improves the median time to remediate (MTTR) of email-originated incidents. The added context and correlation between messages allows analysts to investigate faster and build more efficiencies in the incident response process.

See how this feature and others work by starting a free instance of Sublime today – no MX changes required.

About the Author


AJ Williams

Product Manager

AJ is a Product Manager at Sublime. Prior to Sublime, she operated as a founding member of the Enterprise team at Stripe, where she launched an incident detection and alerting infrastructure.
