There are a variety of named lists that can be accessed via MQL. List names are always prepended with $ when referenced in MQL. The lists below are included in all Sublime deployments. You can also create your own arbitrary lists.
How to use lists in rules
See the lists syntax for usage instructions.
Email tenant Lists
Email tenant lists contain information from your upstream email provider(s) (Google Workspace or Microsoft 365). These lists are synced daily.
All domains associated with your organization’s message sources.
sender.email.domain.domain in $org_domains
Org display names
All display names of users in your organization with a valid mail license.
sender.display_name in $org_display_names
Google Group / Microsoft 365 Group Lists
Groups are synced daily from your upstream tenant. You can create Lists that are backed by these groups, and kept up-to-date automatically, from within your Sublime dashboard.
Historical context Lists
Historical context lists are created and managed by your Sublime instance and include historical communication information specific to your environment.
All domains anyone in your organization has sent an email to. This includes any domain that has appeared in the "to", "cc", and "bcc" fields of any outbound message.
sender.email.domain.domain not in $recipient_domains
All email addresses anyone in your organization has sent an email to. This includes all email addresses that have appeared in the "to", "cc", and "bcc" fields of any outbound message.
sender.email.email not in $recipient_emails
All domains anyone in your organization has received an email from.
sender.email.domain.domain not in $sender_domains
All email addresses anyone in your organization has received an email from.
sender.email.email not in $sender_emails
Sublime lists are maintained by the Sublime team and are open-source on GitHub.
Alexa Top 1 Million Domains
The top 1 million domains, as ranked by Alexa.
any(body.links, .href_url.domain.domain not in $alexa_1m)
Disposable Email Providers
Domains of disposable (or temporary) email providers that generate short-lived email addresses not owned by or attributable to any single user.
any(recipients.to, .email.domain.domain in $disposable_email_providers)
File extensions: common archives
Common archive file extensions, which can be used to deliver malicious files. Uncommon archive extensions are not included in this list because they can typically be blocked holistically.
any(attachments, .file_extension in~ $file_extensions_common_archives)
File extensions: macro-supported documents
File extensions of macro-supported documents, such as Microsoft Office files. Also includes file types that can load macros indirectly, e.g. via remote template injection.
any(attachments, .file_extension in~ $file_extensions_macros)
Free Email Providers
Domains of free email ("freemail") providers that allow anyone to create an email address. This is important to ensure the email address does not inherit the reputation of the freemail provider's domain. This list also includes the contents of
sender.email.domain.domain in $free_email_providers
Free File Hosts
Domains of free file hosting sites that allow anyone to upload and serve arbitrary files.
any(body.links, .href_url.domain.domain in $free_file_hosts)
Free Subdomain Hosts
Free subdomain sites that allow anyone to create their own subdomain and host arbitrary content. This is important to ensure the subdomains do not inherit the reputation of the root domain.
any(body.links, .href_url.domain.root_domain in $free_subdomain_hosts)
Majestic Million Domains
The Majestic Million is a collection of 1 million domains that have the most referring subnets.
any(body.links, .href_url.domain.domain not in $majestic_million)
Top-level domains that are either frequently abused, free to register, or otherwise not generally used in the normal course of business or email communication.
any(body.links, .href_url.domain.tld in $suspicious_tlds)
Tranco Top 1 Million Domains
The top 1 million domains found by Tranco ranking, a research-oriented top sites ranking hardened against manipulation.
any(body.links, .href_url.domain.domain not in $tranco_1m)
Cisco Umbrella Top 1 Million Domains
Top 1 million most popular domains as ranked by Cisco Umbrella (based on passive DNS data).
any(body.links, .href_url.domain.domain not in $umbrella_1m)
Umbrella Top TLDs
The TLDs found in
any(body.links, .href_url.domain.tld not in $umbrella_1m_tld)
Known URL shorteners that allow anyone to host arbitrary content.
any(body.links, .href_url.domain.root_domain in $url_shorteners)
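The per-list snippets above can be combined into a single rule. The following is an added example, not taken from the Sublime documentation: it uses only list names and fields shown on this page, plus `type.inbound` and `and`/`or` composition, which this page does not show.

```mql
// Added example: flags inbound mail that carries an employee's display name
// but comes from outside the organization, from an address that has never
// sent mail to the organization before.
type.inbound
and sender.display_name in $org_display_names
and sender.email.domain.domain not in $org_domains
and sender.email.email not in $sender_emails
// Require at least one additional signal drawn from the Sublime lists.
and (
  sender.email.domain.domain in $free_email_providers
  or any(body.links, .href_url.domain.root_domain in $url_shorteners)
  or any(body.links, .href_url.domain.root_domain in $free_subdomain_hosts)
  or any(attachments, .file_extension in~ $file_extensions_macros)
)
```

The tenant and historical lists narrow the match to unfamiliar external senders using an internal name, while the Sublime lists supply the secondary signal that keeps the rule from firing on every external namesake.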
For automating the creation and updating of your own custom lists, see the Lists API Reference.