Sublime News
January 24, 2025
The improvements to our message grouping algorithm help reduce the time spent searching for similar messages and the overall median time to remediate (MTTR) for email attacks.
Attackers have tools that let them run large email attack campaigns with a click. To detect and prevent large scale campaigns efficiently, Sublime groups similar messages to cut down on noise and speed up remediation. Sublime presents those groups of messages throughout the dashboard in triage views and investigation workflows like Hunt and Search.
Campaign tactics have evolved over time, with attackers increasing variation per message to boost attack efficacy. To stay ahead of attackers, we overhauled our message grouping algorithm, expanding the fields and methods we use to identify similar messages. Not only does this update boost overall herd immunity, it also helps analysts triage attack campaigns faster.
The updated groups better detect variations across different parts of a message, allowing Sublime to group messages even if there are differences in the subject, sender address, body content, and more. Grouped messages then get the same remediation automatically, so if a single message in the group gets an Attack Score of malicious and is sent to quarantine, the rest go to quarantine as well.
We’ll look at how we made these changes in a bit, but first, let’s look at some of the downstream benefits analysts can expect to see from the grouping enhancement.
Every minute counts during an investigation, and enhanced message grouping helps security teams operate faster and more efficiently. Teams that centralize with a SOAR will see fewer alerts and investigations. Individual analysts will spend less time investigating attack campaigns and individual messages that weren’t auto-remediated. Let’s look at some highlights.
The additions of in-row message counts for message groups and total counts of message groups that match a given filter help analysts understand the full impact of an attack and where to start an investigation. For example, one attack with hundreds of targets may be handled differently than an attack with fewer targets.
While Sublime automates user-report remediation, sometimes you need to investigate a report manually. Rather than manually performing numerous wildcard searches to find all messages in a campaign, the related messages are immediately accessible in a one-click panel.
When a user reports one message in a campaign, Sublime can automatically remediate all messages in that campaign across all mailboxes that received it, even if the messages are slightly different. As individual messages are added to a message group, they’re also automatically remediated. So once an attack is caught in one inbox, it’s caught in all of them.
Message grouping enhancements allow us to roll up more messages into fewer groups, meaning less alert fatigue. Fewer groups also mean fewer webhooks sent, tickets opened, and email or Slack alerts fired.
Attackers will make a wide range of slight variations within their campaigns in the hope of slipping at least one message past security controls. Sublime’s enhanced message grouping uses those subtle differences to our advantage by treating them as similarities.
As an attacker sends out slight variations on a message across multiple mailboxes, Sublime runs Detection Rules against each message before grouping based on content. Grouping similar messages after individual analysis enables consistent remediation across every variation of the attack.
In the early days of Sublime, message groups were strictly defined by hashing the contents of specific fields (subject, sender, header, etc.). If the hash was an exact match between two messages, they were in the same group. Over time, we realized how often messages were almost identical, and that they often deviated in predictable ways. Treating those near-duplicates as separate groups increased both alert fatigue and the risk of false negatives.
To make grouping resilient to predictable changes in fields, we performed preprocessing so that these changes could still group together. This involved things like cleaning up and normalizing links. By preprocessing each message, we increase the chances that two highly similar messages end up with the same hash, and thus the same group.
However, we knew that messages needed to also group together in unexpected ways that no amount of simple preprocessing alone could manage. Messages from the same campaign could have a different invoice number in the subject, different sender email address, and changes in body verbiage. We needed a way to determine the overall similarity of messages.
To enhance our grouping, we switched from hashing the preprocessed message content to breaking a message up into a set of many fragments. This lets us use set similarity algorithms to calculate message similarity efficiently. Instead of comparing two hashes, we convert the messages to sets and then ask: how much do these sets overlap on a Venn diagram? With some clever algorithms like MinHash, we’re able to detect messages that are highly similar to each other, even when spread out over time.
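To make the difference between the two approaches concrete, here is an added Python example (not Sublime’s code; the link and digit normalization rules, word-trigram fragments, 256-function MinHash and the 0.5 grouping threshold are my assumptions, and the sample messages are constructed). It shows that a hash over normalized fields only survives the predictable variation the preprocessing anticipated, while a MinHash estimate of fragment-set overlap still groups a reworded message sent from a different address:

```python
import hashlib
import re

# Constructed sample messages (not real traffic): A and A2 differ only in the
# invoice number and link path; B also changes sender and one body word; C is unrelated.
BODY = "{0} review the attached invoice at {1} and remit payment within {2} days to avoid late fees."
MSG_A = {"subject": "Invoice #48213 overdue", "sender": "billing@example.com",
         "body": BODY.format("Please", "https://pay.example.com/abc?id=1", 3)}
MSG_A2 = {"subject": "Invoice #55901 overdue", "sender": "billing@example.com",
          "body": BODY.format("Please", "https://pay.example.com/qrs?id=9", 3)}
MSG_B = {"subject": "Invoice #91077 overdue", "sender": "accounts@example.net",
         "body": BODY.format("Kindly", "https://pay.example.com/xyz?id=2", 5)}
MSG_C = {"subject": "Team lunch on Friday", "sender": "hr@example.org",
         "body": "Join us at noon in the main cafeteria for the quarterly lunch."}

def normalize(text):
    """Preprocessing (assumed rules): reduce links to their host, mask digit runs."""
    text = re.sub(r"https?://([^/\s?#]+)\S*", r"URL:\1", text)
    return re.sub(r"\d+", "N", text).lower()

def exact_hash(msg):
    """Hash-based grouping: one digest over the normalized fields. Any change the
    preprocessing did not anticipate (new sender, reworded body) breaks the match."""
    joined = "|".join(normalize(msg[f]) for f in ("subject", "sender", "body"))
    return hashlib.sha256(joined.encode()).hexdigest()

def fragments(msg, k=3):
    """Set-based grouping: split normalized subject and body into word k-grams."""
    words = (normalize(msg["subject"]) + " " + normalize(msg["body"])).split()
    return {" ".join(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}

def jaccard(a, b):
    """Exact overlap of two fragment sets: the Venn-diagram question."""
    return len(a & b) / len(a | b) if a | b else 0.0

def minhash_signature(frags, num_hashes=256, seed=7):
    """MinHash: keep the minimum of each salted hash over the set. The chance that two
    sets share a minimum equals their Jaccard similarity, so signatures stand in for sets."""
    return [min(int(hashlib.md5(f"{seed}:{i}:{frag}".encode()).hexdigest(), 16)
                for frag in frags) for i in range(num_hashes)]

def minhash_similarity(sig_a, sig_b):
    """Fraction of matching signature positions: an estimate of Jaccard similarity."""
    return sum(x == y for x, y in zip(sig_a, sig_b)) / len(sig_a)

def same_group(m1, m2, threshold=0.5):
    """Group two messages when their estimated similarity clears the threshold."""
    return minhash_similarity(minhash_signature(fragments(m1)),
                              minhash_signature(fragments(m2))) >= threshold
```

With these inputs `exact_hash` matches A to A2 but not to B, whereas `same_group` places A and B together (their fragment sets overlap 15/21) and keeps the unrelated C out.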
In a future engineering deep dive, we’ll go into the details of how we did this, so keep an eye out on the Sublime blog, X (Twitter), or Slack community.
Our improved message grouping meaningfully reduces time spent searching for similar messages and improves the median time to remediate (MTTR) of email-originated incidents. The added context and correlation between messages allows analysts to investigate faster and build more efficiencies in the incident response process.
See how this feature and others work by starting a free instance of Sublime today – no MX changes required.