Common snippets

Useful snippets of MQL to make building detection rules easier.

Suggest Edits

Has my organization ever sent an email to this sender?

If it's a freemail address, like @gmail.com, check the full email address. If it's a custom domain, check the domain instead.

and (
        (
            sender.email.domain.root_domain in $free_email_providers
            and sender.email.email not in $recipient_emails
        )
        or (
            sender.email.domain.root_domain not in $free_email_providers
            and sender.email.domain.domain not in $recipient_domains
        )
)

Low reputation link (not in tranco 1m), or a free subdomain/file host

     (
        .href_url.domain.root_domain in $free_subdomain_hosts 
        or .href_url.domain.domain in $free_file_hosts
        or .href_url.domain.root_domain not in $tranco_1m
    )

Exclude email addresses or aliases in a custom list (To, CC, or BCC'd)

// exclude emails to support aliases
not any([recipients.to, recipients.cc, recipients.bcc], 
    any(., .email.email in $support_email_aliases)
)

Exclude specific mailboxes

not mailbox.email.email in ("[email protected]")

Only run on specific mailboxes in a custom list

mailbox.email.email in $highly_targeted_user_email_addresses

Updated 2 months ago