Risky Bulletin – Sponsored: Sublime Can Save a S**t Tonne of Time
A conversation between host Casey (Risky Biz) and Josh Kamdjou (Founder & CEO, Sublime Security)
Date: November 2, 2025
Overview
This episode delves into the rapidly evolving landscape of email-based cyber threats, focusing on the resurgence and rapid growth of ICS (iCalendar/.ics calendar invite) phishing. Josh Kamdjou shares telemetry from Sublime Security's platform, discusses the technical hurdles defenders face, and describes how Sublime is using AI-driven agents to automate both detection and remediation. The conversation also covers broader trends in attacker innovation and company news, including Sublime's recent $150M Series C funding.
Key Discussion Points & Insights
1. The ICS Phishing (Calendar Invite) Boom
[00:23-03:25]
- Recent Surge in ICS Phishing:
Josh Kamdjou reports "a huge uptick in abuse of ICS phishing up to 100x now in terms of volume."
- Not a New Technique:
While calendar-based phishing isn't new, its commoditization (integration into phishing kits) has driven up both attack volume and variety.
- Attack Intents:
- Credential theft
- Callback phishing (most prevalent currently)
- Traditional scams (“click here to win a thing”) now using calendar invites as delivery
- Technique Effectiveness:
An invite that the mailbox auto-processes lands directly on the recipient's calendar, so it can bypass conventional email security controls and needs its own, separate remediation.
“We’re seeing all the traditional kinds of types of phishing, but now using calendar invites as a delivery mechanism. And it’s pretty clever, to be honest, just in terms of how it works.” – Josh Kamdjou [02:50]
2. How ICS Phishing Evades Defenses
[03:25-06:20]
- Attack Mechanics:
- The malicious invite may be processed straight onto the user's calendar, not just delivered as mail, so inline security and email gateways that act on the message do not stop the calendar entry from being created.
- Calendar access is a separate permission, out of band from email security; tooling that only has mailbox access cannot touch the entry, which makes coordinated defense difficult.
- Remediation Challenges:
- Detecting and removing the message at the email layer does not remove the calendar entry, which persists on the user's calendar.
- Effective remediation requires a separate set of permissions and tools that can reach the calendar.
“The calendar is like a totally separate permission. It’s out of band. It has nothing to do with the email itself…this is why it’s been such a big, I think, attractive technique for attackers.” – Josh Kamdjou [04:33]
3. Automating the Fix – Sublime’s Response
[05:53-07:17]
- New Feature:
Sublime rolled out (now in beta) automated remediation of the calendar invite itself, not just inbox clean-up.
- Community Tooling:
Sublime is developing, and plans to open source, a script/tool for defenders not using its platform: given the original malicious email, it finds the associated calendar entry and remediates it.
“In the absence of a solution like you guys…you’ve gotta go full IR and it’s very painful…We’re gonna open source a tool…where you can give it the message it originated from, and then the tool will go and find the associated calendar invite and then remediate.” – Josh Kamdjou [06:32]
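The mechanics from sections 2 and 3 in working form: the calendar entry is created at delivery regardless of any email-layer verdict, and the fix has to be keyed off the original message. This is an added example, not Sublime's tool or code. It parses the text/calendar part of a message with Python's standard library, unfolds RFC 5545 lines, pulls out the invite's UID plus the phone numbers and URLs an analyst would triage, and removes the matching entry from an in-memory CalendarStore that stands in for a real calendar API. The store, the message, the domains, the UID, the phone number, the URL and all function names are constructed for the example.

```python
# Added example for this summary, not Sublime's tool: link an .ics phishing invite to the calendar
# entry it created and remove it. CalendarStore stands in for a real calendar API (assumption).
import email
import re
from email import policy, utils

# Constructed sample message: a callback-phishing invite sent as METHOD:REQUEST. Every domain, the UID,
# the phone number and the URL are made up. DESCRIPTION is folded per RFC 5545 (continuation lines
# start with a space), which splits the phone number and the URL across physical lines.
SAMPLE_EML = r"""From: "Accounts Payable" <billing@invoice-notice.example>
To: victim@corp.example
Subject: Invitation: Overdue invoice #4471 - action required
Content-Type: text/calendar; charset=utf-8; method=REQUEST

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
UID:8f1c2a77-invoice-4471@invoice-notice.example
DTSTART:20251103T150000Z
ORGANIZER;CN=Billing:mailto:billing@invoice-notice.example
SUMMARY:Overdue invoice #4471 - action required
DESCRIPTION:Your renewal of $489.99 was charged. To dispute the charge cal
 l +1 (555) 013-7788 within 24 hours\, or review it at https://billing-port
 al.invoice-notice.example/dispute?id=4471
LOCATION:Phone
END:VEVENT
END:VCALENDAR
"""
URL_RE = re.compile(r"https?://[^\s<>\"']+")
PHONE_RE = re.compile(r"(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}")

def unfold_ics(text):  # RFC 5545 folding: a line break followed by one space or tab continues the line
    return re.sub(r"\r?\n[ \t]", "", text)

def ics_unescape(value):  # reverse RFC 5545 TEXT escaping (\, \; \\ \n)
    return re.sub(r"\\([\\,;nN])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def parse_ics(text):
    """Minimal reader: returns (METHOD, [VEVENT property dicts]). Parameters such as ;CN= are dropped."""
    method, events, current = None, [], None
    for line in unfold_ics(text).splitlines():
        name, _, value = line.partition(":")
        name = name.split(";", 1)[0].upper()
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            events.append(current)
            current = None
        elif current is not None and name:
            current[name] = ics_unescape(value)
        elif name == "METHOD":
            method = value.strip().upper()
    return method, events

def extract_invite(msg):
    """Return the iCalendar text in a message (text/calendar part or .ics attachment), or None."""
    for part in msg.walk():
        filename = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/calendar" or filename.endswith(".ics"):
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return None

def invite_indicators(msg, event):
    """What an analyst checks first: sender vs. organizer, and phone numbers / URLs in the visible fields."""
    sender = utils.parseaddr(str(msg["From"]))[1].lower()
    organizer = event.get("ORGANIZER", "").lower().removeprefix("mailto:")
    text = "\n".join(event.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION"))
    return {"sender": sender, "organizer": organizer, "organizer_matches_sender": organizer == sender,
            "urls": sorted(set(URL_RE.findall(text))), "phones": sorted(set(PHONE_RE.findall(text)))}

class CalendarStore:
    """Stand-in for the user's calendar (Graph, Google Calendar, ...), keyed by iCalendar UID."""
    def __init__(self):
        self.events = {}
    def add(self, event):
        self.events[event["UID"]] = dict(event)
    def remove(self, uid):
        return self.events.pop(uid, None) is not None

def mailbox_receive(raw_eml, calendar):
    """Delivery puts a METHOD:REQUEST invite on the calendar at once; purging the email later does not undo it."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    method, events = parse_ics(extract_invite(msg) or "")
    added = [e for e in events if method == "REQUEST" and "UID" in e]
    for e in added:
        calendar.add(e)
    return [e["UID"] for e in added]

def remediate_invite(raw_eml, calendar):
    """Given the original message, find the calendar entries it created (same UID) and remove them."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    ics = extract_invite(msg)
    method, events = parse_ics(ics or "")
    report = {"invite_found": ics is not None, "method": method, "removed": [], "indicators": []}
    for e in events:
        report["indicators"].append(invite_indicators(msg, e))
        if "UID" in e and calendar.remove(e["UID"]):
            report["removed"].append(e["UID"])
    return report

if __name__ == "__main__":
    cal = CalendarStore()
    print("on calendar after delivery:", mailbox_receive(SAMPLE_EML, cal))
    print("remediation report:", remediate_invite(SAMPLE_EML, cal))
    print("on calendar after remediation:", list(cal.events))
```

Run as a script, it shows the entry appearing on the calendar at delivery and disappearing only after remediate_invite() is handed the original message. The UID is the join key because calendar services match updates and cancellations on it, so it survives from the invite into the stored event. Against a real tenant, CalendarStore.remove() becomes a delete call on the calendar API, which is exactly the extra permission the episode says email-layer tooling lacks.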
4. The Pattern of Attack Technique Evolution
[07:17-09:11]
- Evasions Are Constant:
Attackers frequently recycle and repurpose old methods as new opportunities for bypass emerge.
- Notable analogies: QR code phishing, SVG attachment smuggling.
- Use of new content-obfuscation and analysis-evasion tactics.
- Weekly (or more frequent) innovation in the threat landscape is observed.
5. Attacker Incentives and the Role of AI
[09:11-11:25]
- Innovation Driven by E-Crime ROI:
- “Email has historically been…up there in terms of initial access vectors.”
- The objective for most attackers is to maximize ROI, especially for financially motivated e-crime.
- Generative AI on the Adversary Side:
- Attackers are increasingly adopting LLMs (large language models) and automation to “reduce investment cost” and accelerate phishing campaign development.
- Attack cycle is becoming faster and more scalable via AI-driven kits and automation.
“Now you’ve got adversaries starting to adopt LLMs and generative AI…to make their attacks more scalable…So I think that’s a big part of why we’re seeing continued and even faster innovation from the adversary side.” – Josh Kamdjou [10:33]
6. Meeting Adversaries with AI-Driven Defense
[11:25-13:00]
- Defender AI Strategy:
- “The only way that we will be able to keep up with adversary innovation” is to use AI agents on the defense side as well.
- Sublime’s approach is intentional, building agent-based automation (not “just slapping AI on”).
- Recent release of first two AI-driven agents; more in development.
7. Company Update: $150 Million Series C and the Road Ahead
[13:00-16:48]
- Product Growth & Customer Collaboration:
- Sublime is scaling rapidly, working closely with customers to refine features.
- Two Core Product Buckets:
- Reduce Email-Originated Risk
- Save Security Teams Time/Boost Efficiency
- AI Agents in Production:
- ADE (Autonomous Detection Engineer):
Detects, triages, responds, and adapts to new attacker methods.
- ASA (Autonomous Security Analyst):
Functions as a Tier 1/Tier 2 analyst; customer feedback describes it as “more effective than human analysts.”
- Tech Differentiator:
Unique, transparent, explainable architecture (“a computer language that an agent can speak”) enables rapid, effective AI agent development.
“This is like very much the beginning for us in terms of how we can apply AI to solve problems…We’re building a team of agents that’s going to further our ability to improve efficacy over time and mitigate risk more and more.” – Josh Kamdjou [15:19]
8. Closing & Looking Forward
[16:48-17:06]
- Casey congratulates Josh and the Sublime team on both their product innovation and major funding milestone, expressing excitement for the company’s evolution.
“Congratulations again on the financing and all the progress. It’s going to be super exciting to see what comes out of Sublime next.” – Casey [16:54]
Notable Quotes & Moments
- ICS Phishing Explosion:
“It’s not like anything dramatically new. But what we’re seeing is a huge uptick in abuse of ICS phishing up to 100x now in terms of volume.” – Josh Kamdjou [00:46]
- AI Arms Race:
“Adversaries starting to adopt LLMs and generative AI…to make their attacks more scalable…So I think that’s a big part of why we’re seeing continued and even faster innovation from the adversary side.” – Josh Kamdjou [10:33]
- Automated Remediation Tooling:
“Even if you’re not using Sublime…you can give it the message that it originated from, and then the tool will go and find the associated calendar invite and then remediate.” – Josh Kamdjou [06:37]
- AI-Driven Agents at Sublime:
“We released our first couple agents this past year … Our ADE can detect, triage and respond and adapt to attacker evolution … ASA acts as a tier one, tier two analyst in the SOC.” – Josh Kamdjou [13:59]
Important Timestamps
- [00:42] ICS phishing trend discovered and volume spike
- [03:39] Technical breakdown: how ICS phishing bypasses security
- [06:32] Announcement of remediation script/tool for all defenders
- [07:53] Broader observations on attacker evolution and evasion
- [09:28] Conversation on attacker incentives, e-crime ROI
- [11:39] Why AI is essential for defenders
- [13:00] Series C funding announcement and future vision
- [14:35] Explanation of AI agent use cases at Sublime
Summary
The episode offers a timely, expert view into evolving phishing techniques, especially the weaponization of calendar invites, and the challenge these bring to traditional email security tools. Josh Kamdjou details both the attacker's technical playbook and the practical problems facing defenders, chiefly that the calendar entry outlives the email and sits behind a separate permission. Sublime responds by automating both detection and remediation, by opening its calendar-remediation tooling to non-customers, and by building explainable AI agents designed to adapt at attacker speed. With new funding in hand and a roadmap oriented around AI-driven security operations, Sublime is positioning itself at the leading edge of email threat defense.
For security teams, this episode is a primer on why phishing remains such a tough, quickly-changing adversary—and a look at the next-generation tools and strategies aiming to close the gap.
