Common snippets

Useful snippets of MQL to make building detection rules easier.

Suggest Edits

Unsolicited (has my organization ever sent an email to this sender?)

If it's a freemail address, like @gmail.com, check the full email address. If it's a custom domain, check the domain instead.

and (
        (
            sender.email.domain.root_domain in $free_email_providers
            and sender.email.email not in $recipient_emails
        )
        or (
            sender.email.domain.root_domain not in $free_email_providers
            and sender.email.domain.domain not in $recipient_domains
        )
)

First-time sender

If it's a freemail address, like @gmail.com, check the full email address. If it's a custom domain, check the domain instead.

and (
          (
              sender.email.domain.root_domain in $free_email_providers
              and sender.email.email not in $sender_emails
          )
          or (
              sender.email.domain.root_domain not in $free_email_providers
              and sender.email.domain.domain not in $sender_domains
          )
)

Free subdomain link

any(body.links,
	.href_url.domain.subdomain is not null
	and .href_url.domain.subdomain != "www"
	and .href_url.domain.root_domain in $free_subdomain_hosts
)

Free file / content hosting link

any(body.links, .href_url.domain.domain in $free_file_hosts)

URL shortener

any(body.links, .href_url.domain.root_domain in $url_shorteners)

Low reputation link (not in tranco 1m), or a free subdomain/file host

any(body.links,

    .href_url.domain.root_domain not in $tranco_1m
    or (
        // free subdomain URL
        .href_url.domain.subdomain is not null
        and .href_url.domain.subdomain != "www"
        and .href_url.domain.root_domain in $free_subdomain_hosts
    )
)

Exclude email addresses or aliases in a custom list (To, CC, or BCC'd)

// exclude emails to support aliases
not any([recipients.to, recipients.cc, recipients.bcc], 
    any(., .email.email in $support_email_aliases)
)

Exclude specific mailboxes

not mailbox.email.email in ("[email protected]")

Only run on specific mailboxes in a custom list

mailbox.email.email in $highly_targeted_user_email_addresses

Recipient's email address is in the URL path of a link in the body

any(body.links,
        // is the recipient's email address in the URL?
        // this method accounts for any encoding we might encounter
        // in the query_params
        any(recipients.to,
          strings.icontains(..href_url.url, .email.local_part)
          and strings.icontains(..href_url.url, .email.domain.domain)
        )
    )

Emoji in the body or subject

// has an emoji in the subject or body
and (
    regex.contains(body.plain.raw, '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]')
    or regex.contains(subject.subject, '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]')
)

Recipient is in a user group list

any(recipients.to, any($finance_users, .email == ..email.email))

Sender email address

sender.email.email == "[email protected]"

Attachment file name

any(attachments, .file_name == "foo.txt")

Attachment file name contains a specific string

any(attachments,
    .file_type == "pdf"
    and strings.icontains(.file_name, "foobar")
)

Outbound message to a specific email address

type.outbound
and any(recipients.to, .email.email == "[email protected]")

Specific mailer

strings.istarts_with(headers.mailer, "Foo")

Specific string in the current thread of the body

strings.contains(body.current_thread.text, "foo bar")

Link in the body using a specific TLD

any(body.links, .href_url.domain.tld == "ru")

Sender / Return-path mismatch

sender.email.email != headers.return_path.email

Match the subject using a case-insensitive regular expression

regex.icontains(subject.subject, "foo.*bar")

Inbound message to a specific recipient email address

any(recipients.to, .email.email == "[email protected]")

Any DMARC authentication failures

any(headers.hops, .authentication_results.dmarc == "fail")

Failing SPF

sender.email.email != headers.return_path.email

Lookalike display name (hard-coded string)

// display name is within 3 character substitutions of "Jane Doe"
strings.ilevenshtein(sender.display_name, "Jane Doe") < 3

Lookalike sender domain (hard-coded string)

// don't match exact org domain matches
sender.email.domain.domain not in $org_domains
// sender's display name is within 3 character substitutions of a specific hard-coded domain
and strings.levenshtein(sender.email.domain.domain, "foo.com") < 3

Lookalike sender domain (dynamic $org_domains)

// don't match exact org domain matches
sender.email.domain.domain not in $org_domains
// sender's display name is within 3 character substitutions of a known org domain
and any($org_domains, strings.levenshtein(sender.email.domain.domain, .) < 3)

Email address is a To, CC, or BCC

// [email protected] is on the to, cc, or bcc line
any([recipients.to, recipients.cc, recipients.bcc], 
    any(., .email.email == "[email protected]")
)

Updated 14 days ago