Common snippets

Useful snippets of MQL to make building detection rules easier.


The organization has never sent an email to this sender.

not profile.by_sender().solicited

First-time sender

The organization has never received an email from this sender.

profile.by_sender().prevalence in ("new")

Unknown sender or repeat offender

and (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    or (
      and not profile.by_sender().any_false_positives

Free subdomain link

	.href_url.domain.subdomain is not null
	and .href_url.domain.subdomain != "www"
	and .href_url.domain.root_domain in $free_subdomain_hosts

Free file / content hosting link

any(body.links, .href_url.domain.domain in $free_file_hosts)

Negate high trust senders

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    ( in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
    or not in $high_trust_sender_root_domains

URL shortener

any(body.links, .href_url.domain.root_domain in $url_shorteners)

Low reputation link

Not in tranco 1m, or a free subdomain/file host.


    .href_url.domain.root_domain not in $tranco_1m
    or (
        // free subdomain URL
        .href_url.domain.subdomain is not null
        and .href_url.domain.subdomain != "www"
        and .href_url.domain.root_domain in $free_subdomain_hosts

Exclude email addresses or aliases in a custom list (To, CC, or BCC'd)

// exclude emails to support aliases
not any([,, recipients.bcc], 
    any(., in $support_email_aliases)

Exclude specific mailboxes

not in ("[email protected]")

Only run on specific mailboxes in a custom list in $highly_targeted_user_email_addresses

Recipient's email address is in the URL path of a link in the body

        // is the recipient's email address in the URL?
        // this method accounts for any encoding we might encounter
        // in the query_params
          strings.icontains(..href_url.url, .email.local_part)
          and strings.icontains(..href_url.url, .email.domain.domain)

Emoji in the body or subject

// has an emoji in the subject or body
and (
    regex.contains(body.plain.raw, '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]')
    or regex.contains(subject.subject, '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]')

Recipient is in a user group list

any(, any($finance_users, .email ==

Sender email address == "[email protected]"

Attachment file name

any(attachments, .file_name == "foo.txt")

Attachment file name contains a specific string

    .file_type == "pdf"
    and strings.icontains(.file_name, "foobar")

Outbound message to a specific email address

and any(, == "[email protected]")

Specific mailer

strings.istarts_with(headers.mailer, "Foo")

Specific string in the current thread of the body

strings.contains(body.current_thread.text, "foo bar")

Case insensitive string search in the current thread of the body

strings.icontains(body.current_thread.text, "foo bar")

Link in the body using a specific TLD

any(body.links, .href_url.domain.tld == "ru")

Sender / Return-path mismatch !=

Match the subject using a case-insensitive regular expression

regex.icontains(subject.subject, "foo.*bar")

Inbound message to a specific recipient email address

any(, == "[email protected]")

Any DMARC authentication failures

any(headers.hops, .authentication_results.dmarc == "fail")

Failing SPF

any(headers.hops, .authentication_results.spf == "fail")

Lookalike display name (hard-coded string)

// display name is within 3 character substitutions of "Jane Doe"
strings.ilevenshtein(sender.display_name, "Jane Doe") < 3

Lookalike sender domain (hard-coded string)

// don't match exact org domain matches not in $org_domains
// sender's display name is within 3 character substitutions of a specific hard-coded domain
and strings.levenshtein(, "") < 3

Lookalike sender domain (dynamic $org_domains)

// don't match exact org domain matches not in $org_domains
// sender's display name is within 3 character substitutions of a known org domain
and any($org_domains, strings.levenshtein(, .) < 3)

Email address is a To, CC, or BCC

// [email protected] is on the to, cc, or bcc line
any([,, recipients.bcc], 
    any(., == "[email protected]")