Search Results

  • The Sneakiest Phishing Trick I’ve Seen Lately — And Why Your Email Security Won’t Save You

    Before I start!!!! 💡 Credit where it’s due: this insight comes straight from J, one of the sharpest call investigators and my dearest friend! He’s been running into this exact phishing method a lot lately in real investigations — because when the bad guys get creative, he’s usually the one who catches them. J also happens to run one of the best MDR services I’ve seen, staffed with top-tier people and handling a serious volume of clients without breaking a sweat. And no, this isn’t a sales pitch, just the truth. But if you are looking for an MDR service that actually knows how to handle incident response and forensics like pros, let me know. I’ll make sure you get connected to J directly… assuming he’s not too busy catching the next cybercriminal.

    ---

    Alright, let me tell you about something J is seeing every single day with his clients. These guys are constantly getting phished, and the attackers aren’t even using anything exotic. They’re just… smart. Here’s the play-by-play.

    Step 1 — The Hacker’s Head Start

    The attacker doesn’t even need to create a fake Microsoft account. Nope. They just buy or steal a real one. Could be from the dark web, could be from an old breach, could be some poor guy’s account that got keylogged — doesn’t matter. Why is this important? Because that account is already trusted. It has Microsoft’s blessing. Security tools look at it and go, “Yep, that’s fine.”

    Step 2 — The “Perfectly Safe” Email

    So now the attacker sends our victim an email that says: "Hey, a document’s been shared with you on SharePoint." That’s it. No misspellings. No sketchy links. Just a real sharepoint.com link. Microsoft loves it. Barracuda loves it. Proofpoint loves it. Why wouldn’t they? It’s literally a Microsoft domain.

    Step 3 — Playing by Microsoft’s Rules

    The victim clicks the link and lands on… the real SharePoint site. Microsoft says, “Hey, please type in your email so we can send you a one-time code.” The victim does exactly that. They get the code. They put it in. Boom — document opens. Everything so far is 100% legit. Even the security guys monitoring the logs would shrug.

    Step 4 — The Trap Inside the Doc

    Now comes the actual payload. Inside that innocent-looking document is a link — but not just any link. It’s to a real Adversary-in-the-Middle (AiTM) phishing site. Think of it like a sneaky mirror: you see Microsoft’s login page, but it’s secretly passing everything you type straight to the attacker. And here’s the killer part — it doesn’t just grab your username and password. It also snatches your MFA session cookie. That means even if you’ve got multi-factor authentication, the attacker can log in as you without ever touching your phone.

    Why Security Tools Don’t Stand a Chance

    The phishing link never appeared in the email. It was hiding inside a document on Microsoft’s own servers. That means:
    - Microsoft Defender for Office 365? Nope — only saw a SharePoint link.
    - Barracuda / Proofpoint / Mimecast? Nope — nothing malicious in the email.
    - Sandboxing? Nope — the document doesn’t “run” anything bad, it just sits there with a clickable trap.
    By the time the victim clicks the malicious link, they’re already deep inside a trusted Microsoft session.

    Why This Works So Well

    Let’s break it down:
    - It rides on Microsoft’s good reputation — users and tools both trust it.
    - The flow feels familiar — the victim does the real SharePoint steps before anything bad happens.
    - The bad link is invisible until after the secure login.
    - MFA is useless — because session cookies don’t care about your code.

    How to Fight Back (If You’re Defending)

    If you think this is just a “train your users” thing — you’re already halfway lost. Yes, awareness training helps, but you also need:
    - Conditional Access Rules – Don’t let logins happen from weird countries or impossible travel times.
    - Cloud App Security – Scan files in SharePoint/OneDrive for links to dodgy domains.
    - External Sharing Limits – Only allow shares from trusted domains.
    - Live Session Monitoring – Look for suspicious cookie reuse.
    - Report Button – Encourage users to flag any document share they weren’t expecting.

    Why Red Teams Love This

    From a red team perspective, this is chef’s kiss:
    - The email looks perfect.
    - The infrastructure is Microsoft’s — no sketchy domains to register.
    - The social engineering is minimal.
    - MFA is just… irrelevant.

    The Takeaway

    The scariest part? The attacker doesn’t break Microsoft security — they use it against you. If you’re defending, remember this: the danger isn’t just in the link your filters see. It’s in what happens after the click.

    ---
    Dean/J

  • The Core Principles of Successful Incident Response

    When people think of Incident Response (IR), they usually imagine technical skills — reverse engineering malware, parsing logs, or hunting persistence mechanisms. And yes, those skills matter. But the truth is, a successful large-scale IR effort depends on much more than raw technical expertise. Over the years, responders have identified several principles that consistently make the difference between chaotic firefighting and a controlled, effective response.

    ---

    The Five Pillars of Incident Response

    - Preparedness – Incidents are inevitable, but failure doesn’t have to be. Being prepared means more than just having tools. It means having documented procedures, rehearsed playbooks, and a team that has trained together before the crisis hits.
    - Collaboration – Rarely is IR a one-person show. Real-world response efforts require coordination across internal teams, external partners, law enforcement, and sometimes even regulators. Good communication channels and collaboration tools are just as important as your EDR.
    - Speed – Time is critical. The longer attackers stay inside your environment, the greater the damage. IR teams must respond quickly and decisively to contain and minimize the impact.
    - Flexibility – No plan survives first contact with the adversary. Attackers pivot, escalate, and innovate in real time. Your IR team needs to adapt — whether that’s changing tactics mid-investigation or bringing in new expertise on the fly.
    - Continuous Improvement – Every incident is a learning opportunity. Post-incident reviews help refine playbooks, close visibility gaps, and strengthen your team for the next challenge.

    ---

    Turning Principles into Practice

    Those high-level principles sound great, but how do they translate into day-to-day work? In practice, a strong IR team must develop certain core capabilities:
    - Visibility – You can’t fight what you can’t see.
    - Efficiency – Resources are always limited. Use them wisely.
    - Technical skills – Deep knowledge of systems, networks, and malware is non-negotiable.
    - Documentation – Keeps the team aligned and prevents wasted effort.
    - Soft skills – Negotiation, communication, and leadership are the glue that holds the team together.
    Of these, visibility is arguably the most fundamental.

    ---

    Why Visibility is the Bedrock of IR

    Think of visibility as the lens through which you view an incident. Without it, you’re responding blind. There are two key dimensions:
    - How much of the environment do you see? For example, if a subsidiary network is connected but invisible to your monitoring tools, that’s a visibility gap.
    - How deeply can you see into each endpoint or system? Maybe your EDR doesn’t scan live memory with YARA rules, or maybe a rootkit is fooling your tools. Those are also visibility gaps.
    Here’s the catch: great vertical visibility is useless if you only cover 50% of the machines. Likewise, wide coverage with shallow visibility leaves critical blind spots. You need both.

    ---

    Real-World Lessons

    In one large-scale case, responders investigated 10,000 endpoints. Out of that massive population, attackers only touched 50 machines. That’s less than 0.1%. Without strong visibility, you’d never find them. And attackers are clever:
    - They may stage ransomware in unexpected directories.
    - They may move laterally using RDP, leaving subtle profile timestamps behind.
    - They may hide malware only detectable with memory-based YARA scans.
    - They may leave behind artifacts in RDP bitmap caches, which can be recovered with the right tools.
    The point is simple: visibility determines whether you can even ask the right questions during an investigation.

    ---

    Always-On vs. On-Demand Visibility

    There are generally two approaches:
    - Always-on visibility – Continuous data collection via logging (Sysmon, NetFlow, EDR telemetry).
    - On-demand visibility – Point-in-time forensic acquisitions triggered when needed.
    Most organizations blend the two. What matters is recognizing where your gaps are and making sure your tools — and team — are capable of filling them.

    ---

    A Mindset Shift

    Some organizations limit themselves by defining investigations based only on what their tools already provide. That’s the easy way, but it’s short-sighted. A stronger approach is to start with the questions you need answered, then push your tools (or build new ones) to deliver the data. That mindset drives the industry forward and closes detection gaps.

    “Don’t let your tools define your visibility. Let your visibility requirements define your tools.”

    ---

    Closing Thoughts

    Visibility is the first battlefield in IR. Without it, attackers roam freely in the shadows. With it, your team has the context, evidence, and confidence to make informed decisions. But visibility is only one piece of the puzzle.

  • From Rejection to Relocation: Breaking Myths About Getting a Job Abroad

    I never thought I’d write this article. This isn’t a motivational speech or a “5 steps to success” kind of blog. This is my story — honest, emotional, and something I hope breaks a few myths many people still believe about getting a job abroad. Before I dive in, let’s start with a few common myths:

    ---

    Myths I Want to Break

    - You can only get a job abroad after studying there.
    - You need to spend 30–40 lakhs on a foreign degree to settle overseas.
    - Cybersecurity professionals don’t get hired abroad from India.
    - Only people with 9–10 years of experience get sponsored jobs.
    Let me tell you how wrong these assumptions are — and how my journey proves that.

    ---

    My Journey — From a Small Town in India to an International Offer

    Like many others, I dreamt of studying abroad, getting a good job, and building a life there. But reality was different. Financial conditions at home didn’t support that path, so I stayed in India, completed my studies, and started my career at Infosys. It was during my time at Infosys that I had a realization: "A regular job and degree won’t get me where I want to be." So I started self-studying after work — deep-diving into cybersecurity, reading, experimenting, and learning late into the night. I joined ConnectWise, and that’s when I decided to create my personal website. Not just to share knowledge — but to showcase my potential to companies across the world. I had no money to move abroad or pay for foreign education, but I believed one thing: 💡 “If I can’t go to them, maybe my work can reach them.”

    ---

    The Rejections That Almost Broke Me

    Once I was confident, I started applying — 20 to 30 job applications every single day, continuously for 3 years. Seek. Monster. LinkedIn. Company websites. You name it, I was on it. Each morning, I’d wake up to rejection emails. Some companies ghosted me after interviews. Others rejected me after final rounds due to visa issues. Some just hired someone else. At times I wanted to give up. I remember saying: "Why am I doing this? Maybe I’m not good enough." But I kept going. Kept learning. Kept writing articles. Kept pushing.

    ---

    How Things Turned Around

    Then I joined Ankura, where I met fantastic people like Peter Vu. He became a mentor, someone I truly admired. When he left, I started applying abroad again. This time, something changed: my website had gained visibility. People shared my posts on LinkedIn, Twitter, government websites or PDFs. My work was speaking for me. And finally — after 3 failed interview attempts, I received a job offer from abroad. Not just a job — but a company willing to sponsor me. (A guy with 4 years of experience.)

    ---

    What I Want You To Know

    This isn’t just my win. This is a message to everyone out there:
    - You don’t need 10 years of experience to get hired abroad.
    - You don’t need 40 lakhs for a foreign degree.
    - You can be hired in cybersecurity directly from India.
    All you need is resilience, willingness to learn, and consistency. I faced countless rejections, but kept showing up. I kept learning. I kept building. And now, I’m moving.

    ---

    Final Words: To Anyone Dreaming Big

    If your parents can’t afford to send you abroad — it’s okay. If you’re facing rejection after rejection — it’s okay. If people tell you “this isn’t possible” — smile and keep going. Because it is possible. You don’t need to follow the traditional route. You don’t need to lose yourself in self-doubt. You just need to start, and not stop. And one day, your Yes will come — just like mine did.

    ---
    Dean

  • 🔐 DoH, DoT, and Punycode: What Every Forensicator Needs to Know About Modern DNS Evasion Tactics

    DNS is often referred to as the phonebook of the internet — and traditionally, it’s been fairly easy to read. But as privacy and censorship concerns grew, so did efforts to encrypt DNS traffic, giving us technologies like DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). While they offer legitimate security benefits, these methods also pose serious challenges for incident responders and forensic analysts.

    Traditional DNS vs. DoT and DoH

    Let’s start with what’s familiar: traditional DNS queries, typically using UDP over port 53. These queries are sent in plaintext, making them easy to observe in tools like Wireshark. For example, a simple A record lookup for https://www.cyberengage.org/ might be just 32 bytes of DNS payload — and it’s all visible to anyone monitoring the wire. Now compare that with:

    DNS-over-TLS (DoT)
    - Protocol: DNS traffic over TLS (like HTTPS, but just for DNS).
    - Port: Default is TCP/853.
    - Benefit: Encrypts DNS traffic, preventing outsiders from seeing which domains are being queried.
    - Visibility: Possible to block or detect based on port/protocol — unless the attacker starts tunneling DoT through a different port.

    DNS-over-HTTPS (DoH)
    - Protocol: DNS sent as part of a regular HTTPS request.
    - Port: TCP/443 — indistinguishable from regular web traffic.
    - Challenge: Blends perfectly with normal browsing traffic.
    - Visibility: Basically zero unless you're doing TLS interception, which is controversial and legally risky.

    A Closer Look at DoH in Action

    DoH can send DNS data in two ways:
    - POST method: The DNS payload is dropped into the body of the POST request.
    - GET method: The DNS payload is Base64-encoded and appended as a URL parameter.
    In both methods, the transaction ID is set to zero, as per the DoH RFC. This allows DoH responses to be cached, which isn't possible with randomized IDs. While these may look like regular HTTPS traffic, they’re actually DNS queries in disguise — a huge blind spot if you’re only monitoring port 53.

    The Problem with TLS Interception

    TLS interception (aka SSL decryption) is the most reliable way to see inside DoH traffic, but let’s be real — it’s tricky and controversial. Here's why:
    - Technically: It works. Middleboxes decrypt the traffic, inspect it, then re-encrypt and forward it.
    - Legally: Risky. This is considered intrusive in many regions and can violate privacy laws.
    - Operationally: Complex. You need tight certificate management, and every endpoint must trust the interceptor.
    Because of this, many orgs simply don’t go down this road — even if they’d like to.

    Other Detection Options

    So how do we detect or control encrypted DNS if we’re not intercepting TLS?

    For DoT:
    - Block or monitor TCP/853.
    - Use firewall rules to prevent outbound connections on uncommon ports.
    - Track DNS servers in use and look for rogue ones.

    For DoH:
    - Traffic profiling: Since DoH is just HTTPS, you can analyze traffic behavior (e.g., regular POSTs to dns.google or cloudflare-dns.com).
    - Control system and app settings: Disable DoH in browsers, OS, and apps where possible. But malware won’t respect your group policies.

    Enter Punycode and Internationalized Domain Names (IDNs)

    Now let’s throw another wrench into DNS analysis: Punycode, the format used for IDNs (Internationalized Domain Names). Here’s the problem: DNS was built in an ASCII-only world. As the internet went global, people needed non-English characters in domain names. Enter Punycode — a way to encode Unicode characters using only ASCII. But here’s where it gets dangerous: visual spoofing.

    Example:
    - Legit domain: wix.com
    - Spoofed domain: wıx.com (note the Turkish “ı” character instead of “i”)
    To the human eye, they look identical. But behind the scenes, the punycode version might be: xn--wx-ema.com

    Forensic Tip: Any domain that starts with xn-- is a punycode domain. Use online tools or Python libraries to decode them and inspect their real intent. Not every punycode domain is malicious, but they deserve scrutiny, especially in phishing investigations.

    Final Thoughts: What You Should Be Doing Now

    Encrypted DNS and IDNs aren't going anywhere. They’re part of the modern internet — for better and worse. Here’s what defenders can do:
    - Log everything — especially DNS queries, NetFlow, and HTTPS metadata.
    - Monitor DoH/DoT behavior and block unauthorized resolvers.
    - Identify punycode domains and decode them during investigations.
    - Use passive DNS to track patterns over time, detect beaconing, and flag newly seen domains.
    - Build user and host baselines to catch anomalies in DNS behavior.
    Malware authors love DNS because most people don’t watch it closely. But once you start paying attention, DNS can tell you exactly what your adversaries are doing — you just need the right lens to see it.

    ---
    Dean

  • 🧬 DGA: The Algorithmic Backbone of Modern Malware C2 Infrastructure

    In the ever-evolving cat-and-mouse game of cyber defense and offense, one technique has proven especially resilient: Domain Generation Algorithms (DGAs). While not a brand-new tactic, DGAs are still actively used in modern malware campaigns to maintain command-and-control (C2) connections, avoid takedowns, and scale operations across thousands of infected machines.

    What is a DGA, and Why Do Malware Authors Use It?

    Think of a DGA as a recipe that allows malware to generate a list of domain names on the fly — usually hundreds or thousands per day. These domains are potential addresses the malware can use to check in with its command server. Here’s how it works:
    - Malware on an infected host uses a DGA to generate a new list of domain names each day, often based on a seed value like the current date.
    - The attacker just needs to register one of those domains, and the malware will be able to connect to it.
    - If defenders block or take down that domain, it’s no big deal — tomorrow, the malware generates a new list.
    This technique makes it incredibly difficult to cut off communications between infected machines and their controllers.

    Detecting DGA Domains: Easier Said Than Done

    Unfortunately, spotting a DGA in the wild is tough. These domain names are often random-looking gibberish, which helps — but it’s not a guarantee. There are legit services that use odd domain naming conventions too. Some detection strategies include:
    - Heuristics: Analyzing the randomness of domain names.
    - Newly observed or registered domains: Malware often uses fresh domains that have never been seen in your environment before.
    - External threat intelligence: Feeds can help identify known DGA domains or similar patterns.
    But don’t expect perfection. DGA detection tends to walk a fine line between catching malware and flooding analysts with false positives.

    When Good Detection Goes Wrong: Chrome, ISPs, and DNS Weirdness

    Here’s a curveball. Some tools — like Google Chrome or OpenVPN’s Viscosity client — intentionally generate random-looking DNS queries as a way to detect DNS interception. For instance: if Chrome doesn’t get an NXDOMAIN when querying a nonsense domain, it suspects your ISP is hijacking DNS responses (think ad pages or redirect portals). These fake queries look a lot like DGA activity. This is a nightmare for defenders relying on heuristic DGA detection — because now even legitimate software is acting like malware, from a DNS perspective.

    Pro tip: Look for patterns like .viscosity as a TLD or interface names in DNS queries. These can give away what system or client software was responsible for the "weird" behavior.

    Passive DNS: Your Secret Weapon

    This is where passive DNS logging shines. By collecting and analyzing DNS traffic over time, you can:
    - Catch DGA patterns based on frequency, TTL, and randomness.
    - Spot DNS rebinding attacks, where domains initially point to a public IP and later pivot to an internal one (useful for browser exploitation).
    - Identify systems querying uncommon domains or rogue DNS servers.
    - Correlate DNS queries with other artifacts like NetFlow, HTTP logs, or IDS alerts to build a more complete picture.
    - Establish a baseline of common domains, then investigate anything outside that norm.
    Bonus benefit: It also helps identify stealthy malware that "sleeps" by pointing C2 domains to 127.0.0.1 or hosting providers like AWS or Azure until the attacker is ready to activate it.

    Final Thoughts: It’s a Marathon, Not a Sprint

    DGAs, fast-flux, DNS rebinding — they’re all pieces of a much larger puzzle. They may look complex at first, but with the right data and detection strategy, you can start seeing patterns. It’s true that defenders have to be right 100% of the time, while attackers only need one successful connection. But by collecting DNS logs, correlating with threat intel, and understanding these sneaky techniques, we give ourselves a much better chance of winning that fight.

    ---
    Dean
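The randomness heuristic and its Chrome/Viscosity false-positive problem from this post, as an added Python example that is not part of the original post. It scores queried names by entropy and digit mix, sets aside the known benign probes (the .viscosity suffix from the post, plus bare single-label alphabetic names of 7 to 15 characters, which is my assumed shape for Chrome's interception check), and then summarises per client, since the telltale of an infected host is many candidate names with a high NXDOMAIN ratio and one that resolves; the query records are constructed, not real traffic.

```python
import math
from collections import defaultdict

# Constructed sample of (client_ip, queried_name, rcode) as a resolver or
# passive DNS sensor would yield them. Not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.cyberengage.org", "NOERROR"),
    ("10.0.0.5", "login.microsoftonline.com", "NOERROR"),
    ("10.0.0.5", "rwxcqmlu", "NXDOMAIN"),              # Chrome-style single-label probe
    ("10.0.0.5", "cdn.jsdelivr.net", "NOERROR"),
    ("10.0.0.9", "ygh1xq7tn4kzp.com", "NXDOMAIN"),     # DGA candidates: most never exist
    ("10.0.0.9", "p0wk3jzr9qvfd.net", "NXDOMAIN"),
    ("10.0.0.9", "m6tdx2sqv8hzl.com", "NXDOMAIN"),
    ("10.0.0.9", "c9rvl4pqz0nxt.biz", "NXDOMAIN"),
    ("10.0.0.9", "k2qxv7zmd3wpl.com", "NOERROR"),      # the one the attacker registered
    ("10.0.0.9", "www.cyberengage.org", "NOERROR"),
    ("10.0.0.12", "vpn-probe.viscosity", "NXDOMAIN"),  # Viscosity's own interception check
    ("10.0.0.12", "mail.google.com", "NOERROR"),
]

# Suffixes that mark benign random-looking lookups; .viscosity comes from the post.
KNOWN_PROBE_SUFFIXES = (".viscosity",)


def shannon_entropy(s: str) -> float:
    """Bits per character; a 13-character label of distinct characters scores ~3.7."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registrable_label(name: str) -> str:
    """Second-level label ('ygh1xq7tn4kzp' from 'ygh1xq7tn4kzp.com').
    Naive split; production code would consult the public suffix list."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_name(name: str) -> str:
    """Return 'probe', 'dga-like' or 'normal' for one queried name.

    probe    : known benign randomness (Viscosity TLD, or a bare single-label
               alphabetic name of 7-15 characters, the assumed Chrome shape)
    dga-like : long high-entropy label with digits mixed into letters
    """
    lowered = name.lower().rstrip(".")
    if lowered.endswith(KNOWN_PROBE_SUFFIXES):
        return "probe"
    if "." not in lowered and lowered.isalpha() and 7 <= len(lowered) <= 15:
        return "probe"
    label = registrable_label(lowered)
    digits = sum(ch.isdigit() for ch in label)
    if len(label) >= 10 and shannon_entropy(label) > 3.3 and digits >= 2:
        return "dga-like"
    return "normal"


def summarise_hosts(records):
    """Per client: counts by class and the NXDOMAIN ratio.

    A host is marked suspect when it produced several dga-like names and at
    least half of its lookups failed, which is the DGA fingerprint the post
    describes (many generated candidates fail, one resolves).
    """
    hosts = defaultdict(lambda: {"total": 0, "nxdomain": 0, "dga_like": 0,
                                 "probe": 0, "dga_names": []})
    for client, name, rcode in records:
        h = hosts[client]
        h["total"] += 1
        if rcode == "NXDOMAIN":
            h["nxdomain"] += 1
        verdict = classify_name(name)
        if verdict == "dga-like":
            h["dga_like"] += 1
            h["dga_names"].append(name)
        elif verdict == "probe":
            h["probe"] += 1
    for h in hosts.values():
        h["nxdomain_ratio"] = round(h["nxdomain"] / h["total"], 2)
        h["suspect"] = h["dga_like"] >= 3 and h["nxdomain_ratio"] >= 0.5
    return dict(hosts)


if __name__ == "__main__":
    for client, summary in summarise_hosts(SAMPLE_QUERIES).items():
        print(client, summary)
```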

  • 🌀 Fast-Flux DNS: How Malware Uses DNS to Stay Invisible

    Cybercriminals are always evolving, and so are their tactics. One particularly sneaky method that’s been gaining ground over the years is fast-flux DNS — a trick that makes it extremely difficult to block malicious infrastructure or shut down campaigns. If you’ve ever wondered how malware manages to keep its command-and-control (C2) servers hidden in plain sight, fast-flux might just be the answer.

    What Is Fast-Flux DNS?

    At its core, fast-flux DNS is a clever way for attackers to hide the real location of their C2 servers. Instead of pointing a domain to a fixed IP, the DNS records (specifically the “A” records) rotate rapidly — sometimes every few minutes. Here’s how it works:
    - The DNS record for a malicious domain doesn’t return one fixed IP. Instead, it returns a list of IP addresses, each belonging to a compromised machine acting as a proxy.
    - These machines forward the traffic to the actual C2 server, which remains hidden.
    - The attackers also configure the TTL (time to live) of the DNS records to be really low — usually less than 5 minutes — ensuring that the IP list keeps changing constantly.
    This means defenders can’t just block a static list of IPs or domains — because they’re outdated almost instantly.

    Why It's So Hard to Block

    Let’s say you identify a C2 domain being used in an attack. Blocking its IP address seems like a logical next step, right? Not so fast. Because the IPs tied to that domain change so rapidly — and are spread across hundreds or thousands of compromised devices — any blacklist is outdated by the time it’s implemented. This dynamic structure makes fast-flux highly resilient and frustratingly evasive.

    Enter Double-Flux: Fast-Flux, But Worse

    If fast-flux is bad, double-flux is worse. In a double-flux setup:
    - The A records (the IPs for the C2 domain) rotate, as before.
    - But now, even the NS records (which tell you which name servers to ask) are part of the rotation — and they too are compromised systems.
    So now, not only are the C2 proxies changing, but the DNS infrastructure itself is also constantly shifting. This adds another layer of obfuscation that protects the true source of control even further.

    So… Can We Defend Against This?

    Yes — but it’s a little more involved.
    - Sinkhole known malicious domains: DNS admins can seize control of known bad domains by overriding the DNS resolution locally, stopping any resolution at the enterprise level.
    - Use your DNS logs wisely: Logging DNS queries gives investigators powerful insights — who queried what, and when. It can help identify infected machines fast.
    - Threat hunting with patterns: While fast-flux is tricky to prevent outright, it leaves patterns in DNS traffic that can be used for detection and investigation.

    Detecting Fast-Flux: What to Look For

    Fast-flux DNS behavior has a few tell-tale signs. They aren’t foolproof — some legitimate services use similar methods for load balancing or geo-routing — but they can guide your threat hunting efforts.

    1. Very low TTL values
    Fast-flux domains tend to have TTLs set to less than 5 minutes — the lower, the better (for them). That’s because they want the records to expire quickly, forcing frequent updates.
    Wireshark Display Filter: dns.resp.ttl < 300

    2. Lots of IP addresses in responses
    Malicious domains in fast-flux networks often return many IPs in a single DNS response — usually a dozen or more. This reflects the many compromised systems being used as proxies.
    Wireshark Display Filter: dns.count.answers > 12
    (⚠️ Caution: This also happens in CDNs and load-balanced environments, so it’s not always malicious.)

    3. Look for anomalies in your baseline
    The best method? Compare new DNS traffic to what’s normal in your environment. If a domain suddenly starts behaving in wildly abnormal ways — like resolving to 15 different IPs every few minutes — that’s a red flag.

    Final Thoughts

    Fast-flux DNS is a brilliant — and diabolical — tactic that makes life difficult for defenders. It’s built for resilience, evasion, and survivability, and when combined with double-flux and DGAs, it’s a nightmare cocktail. But with the right DNS logging setup, a solid baseline of what’s “normal,” and clever detection techniques, you can still track down infections and limit their impact.

    ---
    Dean

  • DNS in Forensics: The Hidden Goldmine for Threat Hunting

    When we think about forensic investigations and threat hunting, DNS isn't usually the first thing that comes to mind. But dig a little deeper and you'll realize that DNS is often one of the most powerful sources of evidence in any investigation. DNS logs are like a pulse check on your entire network: they silently record who is talking to whom, when, and how, across nearly every protocol in use.

    Why DNS Matters So Much

    Attackers don't walk through the front door shouting. They sneak around the back, and often that back door is DNS. It's used in everything from phishing and command-and-control (C2) infrastructure to data exfiltration. But here's the thing: most networks don't treat DNS seriously enough. They treat it as just another service, not a security tool.

    Imagine this: an attacker sets up a C2 domain and points it to 127.0.0.1 (localhost) most of the time to avoid suspicion. Then, when it's time to activate implants, they change the DNS record to the actual IP. If you're only logging queries and not responses, you miss that switch entirely.

    Good DNS Setup = Better Security

    If you're serious about DNS from a security perspective, there are a few best practices:

    ✅ Use internal DNS servers: set up a small number of DNS servers inside your network perimeter.
    🔒 Lock down external DNS access: clients should only be allowed to query internal DNS servers, not open resolvers on the internet.
    🌐 Use DHCP for DNS assignment: keep it simple and consistent.
    🚫 Block direct DNS access from clients to the internet: use your firewall to enforce this.

    This configuration not only improves performance and reliability but also gives you a centralized choke point for visibility.

    The Problem with Traditional DNS Logging

    Most DNS servers allow query logging, which is a good start, but here's the catch: they don't log the responses. That's a big blind spot. It's like watching only one side of a conversation. For investigators, this means missing crucial clues, like what IP a domain resolved to at a specific moment. And forget about using that data to spot malicious infrastructure that constantly changes; you'll be flying blind.

    Enter PassiveDNS Monitoring

    If you really want visibility, go passive. Passive DNS monitoring tools listen to DNS traffic and log both queries and responses. One fantastic open-source option is Edward Fjellskål's tool called PassiveDNS (https://github.com/gamelinux/passivedns). It's lightweight, fast, and versatile. You can:

    Run it live to monitor traffic as it happens (great for SIEM integration), or
    Process DNS traffic from pcap files during postmortem analysis.

    It can write logs directly or send them via syslog, which means it plays nicely with most log aggregators and SIEM platforms.

    🧪 Practical Example: PassiveDNS in Action

    Let's say you have a massive pcap file and you want to quickly zero in on DNS activity. PassiveDNS can do the job in no time.

    Installing PassiveDNS on Ubuntu, especially when running under Windows Subsystem for Linux (WSL), can be a bit challenging. You might encounter several errors along the way due to the differences between a native Linux environment and WSL. However, you don't have to worry: you can reach out to me directly through email or the chat section, and I will help immediately.

    Below is the official installation process for PassiveDNS on Ubuntu, as per the project documentation:

    $ sudo apt-get install git-core binutils-dev libldns1 libldns-dev libpcap-dev
    # libdate-simple-perl is also needed for pdns2db.pl
    $ git clone git://github.com/gamelinux/passivedns.git
    $ cd passivedns/
    $ autoreconf --install
    $ ./configure
    $ make

    Once installation is done and you have a pcap file, you want to quickly zero in on DNS activity:

    sudo passivedns -r dns.pcapng -l ./passivedns.txt -L ./passivedns_nxdomain.txt

    This gives you two clean log files:

    One with all successful DNS resolutions
    One for the NXDOMAIN (nonexistent domain) queries, often a sign of malware trying to resolve C2 domains that don't exist (yet)

    Output:

    And if you're live monitoring from a network tap:

    passivedns -i eth0 -D -y -Y

    This runs the tool as a background process, sending real-time logs (including failed lookups) straight to your syslog server.

    Final Thoughts

    If you're skipping DNS logs in your investigations, you're likely missing a massive part of the story. DNS isn't just a boring infrastructure protocol; it's a map of where your network traffic is going, and often a warning sign of where threats are coming from.

    So, whether you're hunting threats or digging through a breach, don't underestimate DNS. It's not just technical plumbing, it's a forensic goldmine.

    --------------------------------------------Dean------------------------------------------------------
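    Putting the two logs above to work: the script below is an added example (not code from the post or from the PassiveDNS project) that reads passivedns output and flags the two things the article warns about, a C2 domain whose answer flips from 127.0.0.1 to a real address (invisible to query-only logging) and clients producing bursts of NXDOMAIN lookups. It assumes the tool's default `||`-delimited record layout (timestamp, client, server, class, query, type, answer, TTL, count) and that failed lookups carry NXDOMAIN in the answer field; all log lines are constructed.

```python
"""Hunt over PassiveDNS logs for the two patterns discussed in the post.

Added example, not part of the PassiveDNS project or the original article.
Assumes the default ``||`` record layout
(timestamp||client||server||class||query||type||answer||ttl||count)
and that failed lookups carry the literal answer NXDOMAIN."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample data in the shape of the -l (resolutions) and -L (NXDOMAIN)
# log files. The C2 domain sits on 127.0.0.1 for two hours, then "activates".
RESOLVED_LOG = """\
1700000000.100000||10.0.0.15||10.0.0.2||IN||update-cdn.example.||A||127.0.0.1||300||4
1700003600.200000||10.0.0.15||10.0.0.2||IN||update-cdn.example.||A||127.0.0.1||300||2
1700007200.300000||10.0.0.15||10.0.0.2||IN||update-cdn.example.||A||203.0.113.77||60||1
1700007260.400000||10.0.0.21||10.0.0.2||IN||www.example.com.||A||93.184.216.34||3600||9
1700007300.500000||10.0.0.21||10.0.0.2||IN||www.example.com.||CNAME||edge.example.net.||3600||9
"""

NXDOMAIN_LOG = """\
1700007201.000000||10.0.0.15||10.0.0.2||IN||kq3x9z.example.||A||NXDOMAIN||0||1
1700007202.000000||10.0.0.15||10.0.0.2||IN||m7rt2p.example.||A||NXDOMAIN||0||1
1700007203.000000||10.0.0.15||10.0.0.2||IN||zz81qa.example.||A||NXDOMAIN||0||1
1700007204.000000||10.0.0.15||10.0.0.2||IN||b4nv6c.example.||A||NXDOMAIN||0||1
1700007250.000000||10.0.0.21||10.0.0.2||IN||typo-exmaple.com.||A||NXDOMAIN||0||1
"""

FIELDS = ("ts", "client", "server", "rclass", "query", "qtype", "answer", "ttl", "count")


def parse(lines) -> list[dict]:
    """Turn ``||``-delimited records into dicts; blank or malformed lines are skipped."""
    records = []
    for line in lines:
        parts = line.strip().split("||")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = float(rec["ts"])
        records.append(rec)
    return records


def classify(answer: str) -> str:
    """'parked' for loopback/unspecified, 'ip' for other addresses, 'other' for names/NXDOMAIN."""
    try:
        ip = ip_address(answer)
    except ValueError:
        return "other"
    return "parked" if ip.is_loopback or ip.is_unspecified else "ip"


def find_activations(records: list[dict]) -> list[tuple[str, float, str]]:
    """(domain, switch_time, new_answer) for domains that went parked -> real address."""
    history = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["qtype"] in ("A", "AAAA"):
            history[r["query"]].append(r)
    hits = []
    for domain, rs in history.items():
        seen_parked = False
        for r in rs:
            kind = classify(r["answer"])
            if kind == "parked":
                seen_parked = True
            elif kind == "ip" and seen_parked:
                hits.append((domain, r["ts"], r["answer"]))
                break  # report the first activation only
    return hits


def nxdomain_bursts(records: list[dict], window: float = 60.0, threshold: int = 3) -> dict:
    """{client: burst_size} for clients with more than ``threshold`` NXDOMAINs in ``window`` seconds."""
    per_client = defaultdict(list)
    for r in records:
        if r["answer"] == "NXDOMAIN":
            per_client[r["client"]].append(r["ts"])
    noisy = {}
    for client, times in per_client.items():
        times.sort()
        start = 0  # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                noisy[client] = end - start + 1
                break
    return noisy


if __name__ == "__main__":
    for domain, ts, ip in find_activations(parse(RESOLVED_LOG.splitlines())):
        print(f"[activation] {domain} switched to {ip} at {ts:.0f}")
    for client, n in nxdomain_bursts(parse(NXDOMAIN_LOG.splitlines())).items():
        print(f"[nxdomain burst] {client}: {n} failed lookups within 60s")
```

    Point the two parse() calls at the real passivedns.txt and passivedns_nxdomain.txt files from the run above to use it on your own capture.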

  • Meet ASA: Your New AI-Powered Security Teammate from Sublime Security

    Let's be real: dealing with hundreds (sometimes thousands) of user-reported phishing emails every day can be a nightmare for security teams. You've got analysts drowning in emails, managers worrying about response time, and users clicking "report" like it's a game. That's where ASA (Autonomous Security Analyst) from Sublime Security swoops in like a superhero 🦸‍♂️, only smarter, faster, and it doesn't need coffee breaks.

    So, What Exactly Is ASA?

    Think of ASA as your virtual security analyst. It's an AI-powered automation tool that investigates the user-reported emails that land in your abuse mailbox. It looks at everything, makes decisions, and gives you a neat little report so your real human analysts don't burn out staring at spam all day.

    When someone reports a suspicious email, ASA jumps into action automatically; no need to press a button. It does the full analysis and tells you exactly what it thinks: is the message malicious, spam, graymail, totally fine (benign), or something it's not sure about (unknown)?

    🔍 What Does ASA Actually Do?

    Here's what makes ASA such a gem:

    Checks files and links for malware 🧨
    Looks at logos and visual content for phishing tricks 🕵️
    Investigates the sender to see if they've caused trouble before 📬
    Points out misclassifications or weird behaviors in the email 🤔

    It does everything a human analyst would do, just way faster.

    🛠️ How Do You Use ASA?

    If you're using Sublime Security in an Enterprise setup and already have your abuse mailbox configured, it's super easy. All you need to do is turn on the Automation called "Send user reports to ASA". That's it. ASA is now your new team member.

    🌍 Where Does ASA Live?

    Right now, ASA runs either in:

    Sublime's cloud environment (SaaS)
    Or your own AWS cloud (self-hosted)

    Currently supported AWS regions include:

    🇺🇸 Virginia | Oregon | Ohio
    🇪🇺 Dublin
    🇬🇧 London

    🧑‍💼 ASA Has Two Personalities (a.k.a. Modes)

    1. Passive Mode – "The Analyst Buddy"

    ASA analyzes emails and gives you all the info, but it doesn't take any action. You (or your team) still make the final call. Great if you want control but still want a huge head start on the analysis.

    2. Active Mode – "The Autonomous Agent"

    ASA goes full robot mode 🤖: it analyzes, makes decisions, and takes actions like:

    Quarantining bad stuff
    Moving spam to the junk folder
    Dismissing false positives
    Escalating uncertain stuff to a human analyst

    This is perfect when you need 24/7 automated help, especially when your team's off the clock.

    🗂️ ASA Verdicts: What Does It Call the Messages?

    ASA can label emails as:

    Malicious – Dangerous!
    Spam – Junk it.
    Graymail – Meh, promotional or boring stuff.
    Benign – Totally safe.
    Unknown – Needs a human eye.

    For each verdict, you can set what ASA should do: quarantine, trash, move to spam, or just add a warning banner.

    📋 ASA Reports: What Do You Get?

    ASA doesn't just say "Spam" and walk away. It gives you a full breakdown, including:

    A one-liner summary with verdict, user reports, and message actions
    An Executive Summary with the juicy details
    A full attack chain (if malicious)
    A deep dive into the sender, content, attachments, links, and why ASA decided what it did

    Honestly, it's like a mini threat intel report for every message.

    -------------------------------------------------------------------------------------

    Before ending this article, there is one last thing left, and it's a very interesting one: let me show you the last tab, called Admin.

    Alright, so we've explored Sublime's amazing features, from automations and verdicts to ASA doing the heavy lifting. But before we wrap this up, let's quickly peek behind the curtain into the Admin tab, the place where the real control lives. It might not be the flashiest part of Sublime, but it's where the magic of setup, permissions, and policies happens. Let's break it down, no jargon, just straight talk. 😎

    👥 Roles & Permissions

    Sublime comes with predefined roles to help you manage who can do what:

    Admin – Has full control. (79/79 permissions)
    Analyst – Has what they need for investigations. (28 permissions)
    Engineer – Somewhere in between. (47 permissions)

    🧑‍🔧 Want more flexibility? If you're an Admin, you can create your own roles and fine-tune permissions for users based on your team's needs.

    🗃️ Message Retention Settings

    You don't want to keep every email forever, but you do want to keep the important ones long enough for investigations. Here's what you can manage:

    Raw EML (Unflagged): Pick how long to keep emails that weren't flagged or reported. After this period, the message metadata stays, but body, links, screenshots, etc. are gone.
    Raw EML (Flagged/User-Reported): These stick around longer. Same deal: pick the retention time.
    MDM Retention: MDMs (Message Data Models) are kept for up to 30 days or your unflagged EML retention period, whichever is shorter.

    Think of this as your time machine settings: how far back in time can you go to re-analyze or investigate emails?

    🔐 Authentication & Security

    Hook Sublime into your SSO provider of choice:

    Okta ✅
    Azure AD ✅
    OneLogin ✅
    Or any OpenID Connect or SAML provider

    Also:

    You can control how people view message contents (opt-in for extra control)
    And even set an IP Allow List so that only approved IPs can access the Sublime dashboard or API.

    Very enterprise. Very secure.

    Abuse Mailbox – The Front Door for Phishing Reports

    If your users forward suspicious emails, this is where Sublime catches them. Set up your abuse mailbox (up to 5 addresses), and Sublime will:

    Grab the original message that was reported (using smart headers, attachments, or references)
    Group messages from the same attack together
    Skip duplicates so your team isn't doing the same thing twice

    It's like a smart inbox that's built for security teams. And yes, you can use a user mailbox, a distribution list, or a Google Group. Just make sure at least one subscriber gets all the mail.

    📝 Audit Logs – Because Receipts Matter

    Need to know who did what and when? Sublime's Audit Log keeps track of:

    Message actions
    Rule changes
    Logins
    Pretty much everything

    Perfect for compliance or when someone swears "they didn't touch it."

    ✉️ Adding Message Sources

    You can connect Sublime to:

    Microsoft 365
    Google Workspace
    IMAP accounts

    Each source gives Sublime access to ingest messages from your environment.

    📫 Mailboxes Tab

    This one's simple: it lists all mailboxes connected to your Sublime environment, so you always know what you're monitoring.

    -------------------------------------------------------------------------------------

    🎯 Final Thoughts

    ASA is like that one intern who learns fast, works 24/7, and doesn't need supervision. Whether you want full control or full automation, ASA can slot into your team and start saving time and catching threats instantly.

    The Admin tab is where you lay the foundation, so the cool stuff (like ASA) can do its thing without chaos. And there you go. That's Sublime Security's Admin tab, decoded in plain English.

    -----------------------------------Dean-------------------------------------------

    Upcoming Article (Last Article): The Final Piece: Hunting, Searching, and Analyzing Like a Pro in Sublime EDR for Email
    https://www.cyberengage.org/post/the-final-piece-hunting-searching-and-analyzing-like-a-pro-in-sublime-edr-for-email

    -------------------------------------------------------------------------------------

  • The Final Piece: Hunting, Searching, and Analyzing Like a Pro in Sublime EDR for Email

    Alright folks, I've saved the best for last. If you've ever worked with a traditional EDR (Endpoint Detection & Response) tool, you know what it gives you: file analysis, threat hunting, quick search, incident review, all that juicy stuff, right? Now, imagine doing all of that, but for email. Yes, you heard me right. Welcome to the world of Sublime EDR for Email. 📬⚡

    This isn't your boring "filter spam and move on" solution. This is real EDR-level capability in your email environment. Let's break it down, in the chill, easy way we always do. If this catches on, I might even write another post just about custom detection rules 👀.

    🔍 First Stop: Search

    Let's start simple. Sublime gives you powerful search capabilities. You want to know:

    How many people got an email from a shady sender?
    Did this subject line go to more than one user?
    How many people received this one specific message?

    Just type it in and boom, you've got results.

    Example 1:

    Example 2:

    No complex query language needed. Use sender email, subject line, message ID, whatever you have. It's straightforward, and honestly kinda fun once you get the hang of it.

    🧨 The Coolest Part: Hunting

    Now THIS is my favorite part. This is where you put on your digital detective hat 🕵️. So, what's hunting in Sublime? It's where you search across your entire email environment for stuff like:

    Suspicious attachments
    Authentication failures (like DMARC/SPF/DKIM mismatches)
    Weird domains
    Signs of phishing or malware delivery
    Anything that looks off!

    This feature is driven by something called MQL (Message Query Language). Don't worry, it sounds more complicated than it is. If you've ever used something like YARA, Sigma, or even basic Python filters, you'll feel right at home. And the best part?

    💻 Meet the MQL Editor – Built for You

    The MQL Editor is like working in VS Code, but specifically for email detection rules. It's smart, fast, and gives you all the help you need while you write:

    Autocomplete
    Live error checking
    Function & field tips
    Debugging and test support

    You can upload a real .eml file and test your rule instantly. If it works, you'll see a ✅. If not, it'll give you a ❗ and highlight what didn't match. 🔍 There's even a feature that shows the intermediate results of each function, so you're not just guessing what went wrong.

    Got logic errors like mixing up AND vs OR, or forgetting a bracket? It'll warn you gently but won't block you. Super useful. If you're ever stuck, just hit Ctrl + Space to see all possible fields and functions. Sublime's got your back.

    Example 1 (you can make the query more intense; I'm keeping it simple):

    Example 2:

    Example 3:

    📁 Email Analyzer – The Cherry on Top

    And now, the final boss of this EDR setup: the EML Analyzer. Upload any .eml file (yes, the actual raw email file), and Sublime will:

    Analyze it using its ML engine 🤖
    Break it down line by line
    Show you headers, links, attachments, logos, domains, you name it

    It's like having your own little sandbox to inspect suspicious messages without needing a full SIEM or EDR setup. Perfect for analysts, incident responders, or even curious defenders who want to dig into how phishing emails really work.

    -------------------------------------------------------------------------------------------------------------

    🏁 Wrapping Up: That's a (Sublime) Wrap!

    That's it! 🎉 This was the final piece of the Sublime EDR series, and honestly, I had a blast sharing this with you all. Sublime isn't just another "email security tool." It's a full-blown email EDR, and it gives you the power to:

    ✅ Investigate
    ✅ Hunt
    ✅ Remediate
    ✅ Automate
    ✅ Analyze

    ...and do it faster than ever.

    🙌 Final Words

    If you enjoyed this journey and want to go deeper (like how to write powerful MQL detection rules, or threat hunting workflows), hit me up! 💬 Also, if you're curious about how to get started with Sublime, or even want to join one of the best security companies out there, reach out to me. I'll point you in the right direction and tell you why they're truly next-level.

    Thanks again for sticking with me through this series. I'll catch you in the next article, where we'll dive into even more cool cybersecurity tools and concepts! Until then, stay safe, stay curious. 👋

  • Beyond Detection: Hidden Power Features of Sublime Security

    While Detection Rules and Automations are at the heart of Sublime Security's threat detection and response, the platform is packed with additional tools and capabilities that make it even more powerful, customizable, and community-driven. Here are a few advanced features every security team should explore.

    🧠 Git-Backed Rule Feeds: Stay Updated, Stay Ahead

    Sublime supports Git-backed rule feeds that allow you to receive continuous updates from the Sublime team and the broader security community.

    The Sublime Rules Feed is included by default and maintained by the Sublime team.
    You can add custom feeds from GitHub, GitLab, or Bitbucket, perfect for managing and sharing detection rules across teams or community groups.

    To manage feeds, just head to the Feeds section in your dashboard and click New Feed.

    🔗 Pro Tip: Community collaboration makes rule evolution much faster. Embrace it.

    🗂 Lists: Dynamic Sets for Smarter Matching

    Sublime supports the use of named lists: reusable sets of data (like domains, email addresses, or file hashes) that you can reference within your detection logic using MQL.

    All list names start with $ (e.g., $org_vips, $blocked_domains)
    You can create your own lists or use the built-in ones provided by Sublime.
    Lists simplify rule maintenance and improve readability.

    🚫 Exclusions: Cut Out the Noise

    Exclusions are used to suppress alerts on known benign messages (like phishing simulations or internal test emails). They're evaluated before rules or automations trigger. There are three types of exclusions:

    Global Exclusion – Message is skipped from all rules and automations
    Detection Rule Exclusion – Message bypasses detection rules, but still hits automations
    Rule-Specific Exclusion – Blocks a specific rule from matching a sender, domain, or recipient

    Sublime ships with built-in global exclusions for vendors like Cofense, KnowBe4, and Hoxhunt, inactive by default but available if needed. ✅ Use exclusions strategically to reduce alert fatigue and fine-tune precision.

    ⚙️ Actions: How You Enforce Responses

    Actions are what you want to do when something is detected. You can apply actions manually or automatically through Rules and Automations. Here are two key ones:

    🛑 Quarantine (Enterprise)

    Makes the email inaccessible to end users
    In Microsoft 365, the message goes to "Recoverable Items Purges"
    In Google Workspace, it's deleted from the user's inbox but retrievable by Sublime admins

    📌 To add quarantine:

    Open a Rule or Automation
    Click "Edit"
    Under Actions, choose Quarantine
    Save

    📬 Move to Spam (Core + Enterprise)

    Moves suspicious messages to the Spam/Junk folder
    Good for messages that are unwanted but not outright malicious
    Often paired with Warning Banners for extra visibility

    📌 To use Move to Spam:

    Open your Rule or Automation
    Click "Edit"
    Select Move to Spam under Actions
    Save

    ✨ Final Thoughts

    These extra features may seem small, but they can supercharge your email security operations when used properly:

    Feed integrations keep your detections fresh
    Lists and Exclusions fine-tune your logic
    Actions like Quarantine and Move to Spam help automate response
    And Git-based feeds make Sublime feel like a true DevSecOps-native platform

    Let the platform do the heavy lifting; you focus on what matters most.

    ---------------------------------------------------Dean--------------------------------------------------

    Upcoming Article: Meet ASA: Your New AI-Powered Security Teammate from Sublime Security
    https://www.cyberengage.org/post/meet-asa-your-new-ai-powered-security-teammate-from-sublime-security

    ----------------------------------------------------------------------------------------------------------

  • Automations in Sublime Security: A Smarter Way to Respond to Email Threats

    In our previous articles, we talked about how Sublime Security's Detection Rules can be configured to automatically perform actions like auto-quarantining or triggering a review. But what if you want more control, or prefer separating detection from remediation workflows? That's where Automations come into play.

    🚀 What Are Automations?

    Automations are logic-based workflows in Sublime Security that focus on triaging and responding to email threats, especially those flagged by detection rules or reported by users. Think of Automations as your response engine: while Detection Rules identify the problem, Automations decide what to do with it.

    You can configure Automations to:

    🛡 Auto-quarantine emails with a "Malicious" verdict
    📛 Trash phishing messages or apply visual warning banners
    📣 Alert when VIPs receive suspicious emails
    👥 Take action when a certain number of users report the same message
    🧵 Quarantine an entire campaign based on multiple detection triggers

    🧠 How Do Automations Work?

    Automations are built on MQL (Message Query Language), the same language used by Detection Rules. They trigger based on:

    A message being reported by a user
    A Detection Rule flagging a message
    Or both

    Once triggered, Automations can take two types of actions:

    ✅ Active Response: Auto-quarantine, trash, or apply a banner
    👀 Passive Mode: Only generate alerts (e.g., webhooks, dashboard signals) without taking action

    This makes it super flexible: test in passive mode, then flip the switch when you're ready to go live.

    ⚙️ Active vs Passive Mode

    Sublime gives you fine-grained control with Active and Passive Modes:

    Mode      Description
    Active    Takes immediate action (e.g., quarantine, trash)
    Passive   Only generates alerts; ideal for testing and tuning

    You can even toggle between them easily as you fine-tune your playbooks.

    📦 Core Feed of Automations

    Just like Detection Rules, Sublime Security ships with a Core Feed of recommended Automations:

    They're inactive by default
    You can activate them in Active or Passive Mode
    They're designed to respond to common threat patterns, saving you time and effort

    These prebuilt workflows give you a solid foundation to build upon or customize for your unique threat landscape.

    🔌 Bonus: API Integrations for Power Users

    Sublime Security also offers a powerful REST API, which lets you:

    🧼 Trash or quarantine messages directly from your SOAR
    🔍 Update blocklists with IOCs from your threat intel feeds
    📎 Enrich JIRA, ServiceNow, or Slack alerts with email metadata

    The API uses standard HTTP verbs, JSON payloads, and predictable URLs. You'll find your exact Base URL under Automate > API in the Sublime dashboard.

    🎯 Final Thoughts

    Automations in Sublime Security are powerful, flexible, and designed to reduce analyst fatigue. Whether you want fully hands-off auto-remediation or prefer a passive alerting model, Automations help you tailor the perfect response strategy. Let Sublime handle the triage. You stay in control.

    -------------------------------------------Dean-------------------------------------------------------------

    Upcoming article: Beyond Detection: Hidden Power Features of Sublime Security
    https://www.cyberengage.org/post/beyond-detection-hidden-power-features-of-sublime-security

    ------------------------------------------------------------------------------------------------------------

  • Let’s Talk About Detection Rules in Sublime Security (EDR for Email!)

    Okay, so in this tab, we're going to explore one of my favorite features of Sublime Security: Detection Rules, also known as your email detection posture. This is where things get really cool, especially if you love having visibility AND control over what happens in your email ecosystem.

    So, here's the deal: Sublime Security puts everything online on GitHub. https://github.com/sublime-security/sublime-rules

    Yep, it's all open-source. You can:

    Write your own rules,
    Use existing community rules,
    Customize anything you like.

    No walled gardens, no black boxes. Just raw detection power at your fingertips.

    🧠 How the Rules Are Organized

    The Detection Rules tab is the place where all the action starts. And trust me, they've done a neat job organizing everything. The rules are split into two main categories:

    1. Attack Types

    Think of these as the "what is the attacker trying to do?" side of things. Each type reflects the attacker's primary goal, whether it's phishing for creds, spreading malware, or just trying to socially engineer someone into transferring funds. Here are some examples:

    BEC/Fraud – Business Email Compromise. These are those sneaky emails where someone pretends to be your CEO, a vendor, or someone else important, trying to get you to send money or share sensitive info. No malware, no malicious links, just pure social engineering.
    Callback Phishing – This one's clever. The attacker tricks you into calling a phone number. From there, it's game over. They might lead you to malware, steal data, or worse.
    Credential Phishing – This one's classic. Think fake Microsoft login pages, Google Docs prompts, etc., all designed to steal your usernames and passwords.
    Extortion – Like the old "we've got your data, now pay us" scenario.
    Malware/Ransomware – Where attachments or links lead to malware payloads.
    Reconnaissance – This is like the attacker dipping their toe in to see if your email system bites back. They're testing spam filters, checking which emails land in inboxes, and mapping targets before launching the real deal.
    Spam – Not all spam is evil, but it's annoying and sometimes a smokescreen for worse things.

    2. Tactics and Techniques

    This section dives into how the attackers are doing what they're doing. You get insight into the tools and tricks used to evade detection. Some cool examples:

    Encryption – Emails that are encrypted just enough to sneak past scanners.
    Evasion – Tactics like obfuscation, spoofing headers, hiding links in weird places.
    Free Email Providers – Attackers love using Gmail and Outlook to look "normal."
    Free File Hosts – Dropbox and Google Drive links aren't always innocent.
    HTML Smuggling – A technique where malware is hidden inside HTML files.
    ... and the list goes on.

    🛠 Why I Absolutely LOVE This

    Now, you might ask: "Dean, why are you geeking out over this?" Let me tell you why: Sublime lets you apply actions per category or even per rule. That's right. You're not locked into a single response for every kind of threat. (There is a better method as well, which we will discuss in the next article: Automations. But this ability is also provided by Sublime, and you have to choose which one you are going to use.)

    For example: you've got 74 BEC/Fraud rules (the count keeps increasing, or you can add your own) and 35 Spam rules. Let's say:

    For all BEC/Fraud emails → you want them to be auto-quarantined or auto-reviewed (malicious).

    Before applying any action:

    Let's apply the action:

    After applying the action:

    But for Spam → maybe you just want to move it to the spam folder and add a warning banner.

    ---------------------------------------------------------------------------------------------------------

    One thing to keep in mind: suppose a rule that was under BEC/Fraud also comes under Spam. Don't get confused or worried. Now you will ask, "Dean, then how will the action work?" Remember the hierarchy I told you about! If multiple rules try to classify the same message, the platform uses this order of priority:

    Simulation > Benign > Malicious > Spam > Graymail

    If one rule tags it as Simulation and another as Malicious, Simulation wins.

    -------------------------------------------------------------------------------------------------------

    You can set different actions per type. That flexibility? HUGE. And yes, you can mix and match:

    Set a warning banner plus move to spam.
    Or trigger user reporting.
    Or simply alert only, if you want to monitor before acting.

    This level of control is something most EDRs or email gateways charge a premium for. Sublime gives it right out of the box.

    📈 What's Rule Effectiveness?

    So there's this nifty section called Rule Effectiveness. Basically, it gives you insight into how well your detection rules are working. Key points:

    It only shows data from live-processed emails. So your test emails or old logs won't count.
    You can see:
    Who created or last updated the rule,
    How many emails were flagged,
    What actions are assigned to the rule,
    How many were reviewed.

    It's perfect for fine-tuning your rules, especially if you want to weed out false positives or catch things your current posture misses.

    ⚠️ One Thing to Remember

    By default, all rules are alert-only when you enable them. So no actions will be taken until you define them. That's kind of a good thing because it gives you time to understand how your rules behave. You can assign actions:

    Quarantine,
    Add warning banners,
    Enable user reports,
    Auto-delete (if you dare),
    Or just monitor.

    Totally your call.

    🧪 What About ASR Rules?

    We've talked about ASR (Advanced Security Rules) in a previous article, but I might just copy-paste that again or share a link, lol 😄. Basically, it also contains rules. Attack Surface Reduction in Sublime Security is a specialized category of MQL Detection Rules that target abnormal or risky patterns in emails. Think of it as your "proactive threat filter" for Microsoft 365 and Google Workspace environments.

    ---------------------------------------------------------------------------------------------------------

    Detection Methods Rules

    Before we wrap up, let's touch on the Detection section of the analysis view, specifically the Detection Methods Rules. This section highlights the technical methods and Sublime's custom rule-based techniques that identified and flagged the threat. These rules often represent the logic or patterns the system detected in an email, such as suspicious sender behavior, impersonation attempts, or malicious links.

    💡 Tip: These are editable rules. If you see something that needs adjusting or tuning to better fit your environment, you can modify them. It's an excellent way to fine-tune detection for your organization.

    Historical Ingestion

    Another important capability of Sublime Security is Historical Ingestion.

    What is Historical Ingestion? Historical Ingestion is a powerful feature that allows you to ingest and analyze past email messages to build contextual baselines for better real-time detection and tuning. When you first deploy Sublime or activate new mailboxes, it prompts you to run historical ingestion so that it can learn from your environment.

    Why it matters:

    Establishes behavioral baselines for what's normal across your org.
    Helps reduce false positives by learning from how you label previous threats.
    Gives you insight into how Sublime would have flagged past messages, so you can tune and adjust before going live.

    Key Steps:

    Review and label results from historical analysis. Labeling helps train Sublime's models and improve future detections.
    You can also exclude safe messages during this review to fine-tune detection and prevent noisy alerts.
    Once you complete labeling, activate your rules for real-time detection.

    Running historical ingestion doesn't impact mail flow; it's a passive process designed to improve accuracy. 🔧 For best results, make sure all mailboxes are activated and configure message retention to allow analysis as far back as you're comfortable.

    ---------------------------------------------------------------------------------------------------------

    I suggest you wait for my next article before enabling actions on Detection Rules; you might find that way better!

    -------------------------------------------------------------------------------------------------------------

    🎯 Final Thoughts

    Sublime Security is truly building something special: like an EDR, but for your email. The Detection Rules tab is where it all comes together: visibility, customization, and control, all in one dashboard. Try it out and play with the rules. Trust me, you'll enjoy the control it gives you over your email security like never before.

    --------------------------------------------Dean----------------------------------------------------

    Upcoming Article: Automations in Sublime Security: A Smarter Way to Respond to Email Threats
    https://www.cyberengage.org/post/automations-in-sublime-security-a-smarter-way-to-respond-to-email-threats

    ---------------------------------------------------------------------------------------------------

bottom of page