There are a variety of named lists that can be accessed via MQL. List names are always prepended with $ when referenced in MQL. The lists below are included in all Sublime deployments. You can also create your own arbitrary lists.

How to use lists in rules

See the lists syntax for usage instructions.


Email tenant Lists

Email tenant lists contain information from your upstream email provider(s) (Google Workspace or Microsoft 365). These lists are synced daily.

Org domains

$org_domains

All domains associated with your organization’s message sources.

Example usage:

sender.email.domain.domain in $org_domains

Org display names

$org_display_names

All display names of users in your organization with a valid mail license.

Example usage:

sender.display_name in $org_display_names

Google Group / Microsoft 365 Group Lists

Groups are synced daily from your upstream tenant. You can create Lists that are backed by these groups, and kept up-to-date automatically, from within your Sublime dashboard.

Historical context Lists

Historical context lists are created and managed by your Sublime instance and include historical communication information specific to your environment.

Recipient domains

$recipient_domains

All domains anyone in your organization has sent an email to. This includes any domain that has appeared in the "to", "cc", and "bcc" fields of any outbound message.

Example usage:

sender.email.domain.domain not in $recipient_domains

Recipient emails

$recipient_emails

All email addresses anyone in your organization has sent an email to. This includes all email addresses that have appeared in the "to", "cc", and "bcc" fields of any outbound message.

Example usage:

sender.email.email not in $recipient_emails

Sender domains

$sender_domains

All domains anyone in your organization has received an email from.

Example usage:

sender.email.domain.domain not in $sender_domains

Sender emails

$sender_emails

All email addresses anyone in your organization has received an email from.

Example usage:

sender.email.email not in $sender_emails

Intelligence Lists

Intelligence lists are curated and maintained by the Sublime team.

Abuse.ch URLHaus URLs

$abuse_ch_urlhaus_urls_trusted_reporters

URLs consumed from URLHaus reports from trusted/top reporters.

Example usage:

any(body.links, .href_url.url in $abuse_ch_urlhaus_urls_trusted_reporters)

Abuse.ch URLHaus Domains

$abuse_ch_urlhaus_domains_trusted_reporters

Domains consumed from URLHaus reports from trusted/top reporters.

Example usage:

any(body.links, .href_url.domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters)

Abuse.ch MalwareBazaar SHA256 Hashes

$abuse_ch_malwarebazaar_sha256_trusted_reporters

SHA256 hashes consumed from MalwareBazaar from trusted/top reporters.

Example usage:

any(attachments, .sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters)

Note: Entries are limited to trusted reporters, but are otherwise unfiltered. We recommend using filtering logic in MQL to reduce potential false positives.
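As an added illustration of that recommendation (this rule is not from the original page), the following MQL combines the MalwareBazaar hash list with the historical context and email tenant lists above, so that a matching attachment from an internal domain or from a sender the organization has already received mail from does not fire on its own. The `type.inbound` field is assumed here and is not described on this page.

```mql
// Added example: intelligence-list match with false-positive filtering
type.inbound
// attachment hash reported by a trusted MalwareBazaar reporter
and any(attachments, .sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters)
// ignore messages from the organization's own domains
and sender.email.domain.domain not in $org_domains
// ignore senders this organization has previously received mail from
and sender.email.email not in $sender_emails
```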

Sublime Lists

Sublime lists are maintained by the Sublime team and are open-source on GitHub.

Alexa Top 1 Million Domains

$alexa_1m

The top 1 million domains, as ranked by Alexa.

Example usage:

any(body.links, .href_url.domain.domain not in $alexa_1m)

Disposable Email Providers

$disposable_email_providers

Domains of disposable (or temporary) email providers that generate short-lived email addresses not owned by or attributable to any single user.

Example usage:

any(recipients.to, .email.domain.domain in $disposable_email_providers)

File extensions: common archives

$file_extensions_common_archives

Common archive file extensions, which can be used to deliver malicious files. Uncommon archive extensions are not included in this list because they can typically be blocked holistically.

Example usage:

any(attachments, .file_extension in~ $file_extensions_common_archives)

File extensions: macro-supported documents

$file_extensions_macros

File extensions of macro-supported documents, such as Microsoft Office files. Also includes file types that can load macros indirectly, e.g. via remote template injection.

Example usage:

any(attachments, .file_extension in~ $file_extensions_macros)

Free Email Providers

$free_email_providers

Domains of free email ("freemail") providers that allow anyone to create an email address. Matching against this list matters because an address at a freemail provider should not inherit the reputation of the provider's domain. This list also includes the contents of $disposable_email_providers.

Example usage:

sender.email.domain.domain in $free_email_providers

Free File Hosts

$free_file_hosts

Domains of free file hosting sites that allow anyone to upload and serve arbitrary files.

Example usage:

any(body.links, .href_url.domain.domain in $free_file_hosts)

Free Subdomain Hosts

$free_subdomain_hosts

Free subdomain sites that allow anyone to create their own subdomain and host arbitrary content. Matching against this list matters because such subdomains should not inherit the reputation of the root domain.

Example usage:

any(body.links, .href_url.domain.root_domain in $free_subdomain_hosts)

Majestic Million Domains

$majestic_million

The Majestic Million is a collection of 1 million domains that have the most referring subnets.

Example usage:

any(body.links, .href_url.domain.domain not in $majestic_million)

Suspicious TLDs

$suspicious_tlds

Top-level domains that are either frequently abused, free to register, or otherwise not generally used in the normal course of business or email communication.

Example usage:

any(body.links, .href_url.domain.tld in $suspicious_tlds)

Tranco Top 1 Million Domains

$tranco_1m

The top 1 million domains found by Tranco ranking, a research-oriented top sites ranking hardened against manipulation.

Example usage:

any(body.links, .href_url.domain.domain not in $tranco_1m)

Cisco Umbrella Top 1 Million Domains

$umbrella_1m

Top 1 million most popular domains as ranked by Cisco Umbrella (based on passive DNS data).

Example usage:

any(body.links, .href_url.domain.domain not in $umbrella_1m)

Umbrella Top TLDs

$umbrella_1m_tld

The TLDs found in $umbrella_1m.

Example usage:

any(body.links, .href_url.domain.tld not in $umbrella_1m_tld)

URL Shorteners

$url_shorteners

Known URL shorteners that allow anyone to host arbitrary content.

Example usage:

any(body.links, .href_url.domain.root_domain in $url_shorteners)

API Reference

For automating the creation and updating of your own custom lists, see the Lists API Reference.