Common snippets
Useful snippets of MQL to make building detection rules easier. Names starting with `$` are lists: some, such as `$tranco_1m` and `$free_email_providers`, are built in, while others, such as `$support_email_aliases`, are custom lists you maintain yourself.
Has my organization ever sent an email to this sender?
If the sender uses a freemail provider, like @gmail.com, check the full email address against `$recipient_emails`, because every user of that provider shares the same domain. If the sender uses a custom domain, check the domain against `$recipient_domains` instead. The snippet starts with `and` so it can be appended to an existing condition; drop the leading `and` to use it on its own.
and (
  (
    sender.email.domain.root_domain in $free_email_providers
    and sender.email.email not in $recipient_emails
  )
  or (
    sender.email.domain.root_domain not in $free_email_providers
    and sender.email.domain.domain not in $recipient_domains
  )
)
Low reputation link (root domain not in the Tranco top 1 million), or a free subdomain/file host. The leading `.` refers to the current item of an enclosing iteration, so this snippet belongs inside a wrapper such as `any(body.links, ...)`. Note that many legitimate small organizations are also absent from `$tranco_1m`, so treat this as one signal to combine with others rather than a verdict on its own.
(
  .href_url.domain.root_domain in $free_subdomain_hosts
  or .href_url.domain.domain in $free_file_hosts
  or .href_url.domain.root_domain not in $tranco_1m
)
Exclude email addresses or aliases in a custom list (whether they are in To, CC, or BCC). The outer `any` iterates over the three recipient lists and the inner `any` iterates over the addresses in each one.
// exclude emails to support aliases
not any([recipients.to, recipients.cc, recipients.bcc],
  any(., .email.email in $support_email_aliases)
)
Exclude specific mailboxes
not mailbox.email.email in ("[email protected]")
Only run on specific mailboxes in a custom list
mailbox.email.email in $highly_targeted_user_email_addresses