Common snippets

Useful snippets of MQL to make building detection rules easier.

Unsolicited (has my organization ever sent an email to this sender?)

If the sender uses a freemail provider, like @gmail.com, check whether the full email address has ever been emailed (the domain itself is shared by millions of unrelated users, so a domain-level match means nothing). If it's a custom domain, check the domain instead.

and (
        (
            sender.email.domain.root_domain in $free_email_providers
            and sender.email.email not in $recipient_emails
        )
        or (
            sender.email.domain.root_domain not in $free_email_providers
            and sender.email.domain.domain not in $recipient_domains
        )
)

First-time sender

If the sender uses a freemail provider, like @gmail.com, check whether the full email address has ever been seen before (a domain-level match on a freemail provider says nothing about this particular sender). If it's a custom domain, check the domain instead.

and (
    (
        sender.email.domain.root_domain in $free_email_providers
        and sender.email.email not in $sender_emails
    )
    or (
        sender.email.domain.root_domain not in $free_email_providers
        and sender.email.domain.domain not in $sender_domains
    )
)

Free subdomain link

any(body.links,
    .href_url.domain.subdomain is not null
    and .href_url.domain.subdomain != "www"
    and .href_url.domain.root_domain in $free_subdomain_hosts
)

Free file / content hosting link

any(body.links,
    .href_url.domain.domain in $free_file_hosts
    or .href_url.domain.root_domain in $free_file_hosts
)

URL shortener

any(body.links, .href_url.domain.root_domain in $url_shorteners)

Low reputation link (root domain not in the Tranco 1M list), or a free subdomain host

any(body.links,
    .href_url.domain.root_domain not in $tranco_1m
    or (
        // free subdomain URL
        .href_url.domain.subdomain is not null
        and .href_url.domain.subdomain != "www"
        and .href_url.domain.root_domain in $free_subdomain_hosts
    )
)

Exclude email addresses or aliases in a custom list (To, CC, or BCC'd)

// exclude emails sent to support aliases (checks To, CC, and BCC)
not any([recipients.to, recipients.cc, recipients.bcc],
    any(., .email.email in $support_email_aliases)
)

Exclude specific mailboxes

// replace the placeholder with the address of the mailbox to exclude
not mailbox.email.email in ("[email protected]")

Only run on specific mailboxes in a custom list

mailbox.email.email in $highly_targeted_user_email_addresses