Common snippets
Useful snippets of MQL to make building detection rules easier.
Unsolicited (has my organization ever sent an email to this sender?)
If it's a freemail address, like @gmail.com, check the full email address. If it's a custom domain, check the domain instead.
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
)
)
First-time sender
If it's a freemail address, like @gmail.com, check the full email address. If it's a custom domain, check the domain instead.
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
)
)
Free subdomain link
any(body.links,
.href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
and .href_url.domain.root_domain in $free_subdomain_hosts
)
Free file / content hosting link
any(body.links,
.href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_file_hosts
)
URL shortener
any(body.links, .href_url.domain.root_domain in $url_shorteners)
Low reputation link (not in tranco 1m), or a free subdomain/file host
any(body.links,
.href_url.domain.root_domain not in $tranco_1m
or (
// free subdomain URL
.href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
and .href_url.domain.root_domain in $free_subdomain_hosts
)
)
Exclude email addresses or aliases in a custom list (To, CC, or BCC'd)
// exclude emails to support aliases
not any([recipients.to, recipients.cc, recipients.bcc],
any(., .email.email in $support_email_aliases)
)
Exclude specific mailboxes
not mailbox.email.email in ("[email protected]")
Only run on specific mailboxes in a custom list
mailbox.email.email in $highly_targeted_user_email_addresses
Updated 3 months ago