Common snippets

Useful snippets of MQL to make building detection rules easier.

Unsolicited

The organization has never sent an email to this sender.

not profile.by_sender().solicited

First-time sender

The organization has never received an email from this sender.

profile.by_sender().prevalence in ("new")

Unknown sender or repeat offender

and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
)

Free subdomain link

any(body.links,
	.href_url.domain.subdomain is not null
	and .href_url.domain.subdomain != "www"
	and .href_url.domain.root_domain in $free_subdomain_hosts
)

Free file / content hosting link

any(body.links, .href_url.domain.domain in $free_file_hosts)

Negate high trust senders

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

URL shortener

any(body.links, .href_url.domain.root_domain in $url_shorteners)

Low reputation link

Not in tranco 1m, or a free subdomain/file host.

any(body.links,

    .href_url.domain.root_domain not in $tranco_1m
    or (
        // free subdomain URL
        .href_url.domain.subdomain is not null
        and .href_url.domain.subdomain != "www"
        and .href_url.domain.root_domain in $free_subdomain_hosts
    )
)

Exclude email addresses or aliases in a custom list (To, CC, or BCC'd)

// exclude emails to support aliases
not any([recipients.to, recipients.cc, recipients.bcc], 
    any(., .email.email in $support_email_aliases)
)

Exclude specific mailboxes

not mailbox.email.email in ("[email protected]")

Only run on specific mailboxes in a custom list

mailbox.email.email in $highly_targeted_user_email_addresses

Recipient's email address is in the URL path of a link in the body

any(body.links,
        // is the recipient's email address in the URL?
        // this method accounts for any encoding we might encounter
        // in the query_params
        any(recipients.to,
          strings.icontains(..href_url.url, .email.local_part)
          and strings.icontains(..href_url.url, .email.domain.domain)
        )
    )

Emoji in the body or subject

// has an emoji in the subject or body
and (
    regex.contains(body.plain.raw, '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]')
    or regex.contains(subject.subject, '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]')
)

Recipient is in a user group list

any(recipients.to, any($finance_users, .email == ..email.email))

Sender email address

sender.email.email == "[email protected]"

Attachment file name

any(attachments, .file_name == "foo.txt")

Attachment file name contains a specific string

any(attachments,
    .file_type == "pdf"
    and strings.icontains(.file_name, "foobar")
)

Outbound message to a specific email address

type.outbound
and any(recipients.to, .email.email == "[email protected]")

Specific mailer

strings.istarts_with(headers.mailer, "Foo")

Specific string in the current thread of the body

strings.contains(body.current_thread.text, "foo bar")

Case insensitive string search in the current thread of the body

strings.icontains(body.current_thread.text, "foo bar")

Link in the body using a specific TLD

any(body.links, .href_url.domain.tld == "ru")

Sender / Return-path mismatch

sender.email.email != headers.return_path.email

Match the subject using a case-insensitive regular expression

regex.icontains(subject.subject, "foo.*bar")

Inbound message to a specific recipient email address

any(recipients.to, .email.email == "[email protected]")

Any DMARC authentication failures

any(headers.hops, .authentication_results.dmarc == "fail")

Failing SPF

any(headers.hops, .authentication_results.spf == "fail")

Lookalike display name (hard-coded string)

// display name is within 3 character substitutions of "Jane Doe"
strings.ilevenshtein(sender.display_name, "Jane Doe") < 3

Lookalike sender domain (hard-coded string)

// don't match exact org domain matches
sender.email.domain.domain not in $org_domains
// sender's display name is within 3 character substitutions of a specific hard-coded domain
and strings.levenshtein(sender.email.domain.domain, "foo.com") < 3

Lookalike sender domain (dynamic $org_domains)

// don't match exact org domain matches
sender.email.domain.domain not in $org_domains
// sender's display name is within 3 character substitutions of a known org domain
and any($org_domains, strings.levenshtein(sender.email.domain.domain, .) < 3)

Email address is a To, CC, or BCC

// [email protected] is on the to, cc, or bcc line
any([recipients.to, recipients.cc, recipients.bcc], 
    any(., .email.email == "[email protected]")
)