Log In

Common snippets

Useful snippets of MQL to make building detection rules easier.

Suggest Edits

Has my organization ever sent an email to this sender?

If it's a freemail address, like @gmail.com, check the full email address. If it's a custom domain, check the domain instead.

and (
        (
            sender.email.domain.root_domain in $free_email_providers
            and sender.email.email not in $recipient_emails
        )
        or (
            sender.email.domain.root_domain not in $free_email_providers
            and sender.email.domain.domain not in $recipient_domains
        )
)

Low reputation link (not in tranco 1m), or a free subdomain/file host

     (
        .href_url.domain.root_domain in $free_subdomain_hosts 
        or .href_url.domain.domain in $free_file_hosts
        or .href_url.domain.root_domain not in $tranco_1m
    )

Updated 3 days ago