Common snippets
Useful snippets of MQL to make building detection rules easier.
Unsolicited
The organization has never sent an email to this sender.
not profile.by_sender().solicited
First-time sender
The organization has never received an email from this sender.
profile.by_sender().prevalence in ("new")
Unknown sender or repeat offender
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
Free subdomain link
any(body.links,
.href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
and .href_url.domain.root_domain in $free_subdomain_hosts
)
Free file / content hosting link
any(body.links, .href_url.domain.domain in $free_file_hosts)
Negate high trust senders
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
URL shortener
any(body.links, .href_url.domain.root_domain in $url_shorteners)
Low reputation link
Not in tranco 1m, or a free subdomain/file host.
any(body.links,
.href_url.domain.root_domain not in $tranco_1m
or (
// free subdomain URL
.href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
and .href_url.domain.root_domain in $free_subdomain_hosts
)
)
Specific domain in the body of a message
any(body.links,
.href_url.domain.domain in (
"foo.com",
"foobar.com"
)
)
Exclude email addresses or aliases in a custom list (To, CC, or BCC'd)
// exclude emails to support aliases
not any([recipients.to, recipients.cc, recipients.bcc],
any(., .email.email in $support_email_aliases)
)
Exclude specific mailboxes
not mailbox.email.email in ("[email protected]")
Only run on specific mailboxes in a custom list
mailbox.email.email in $highly_targeted_user_email_addresses
Recipient's email address is in the URL path of a link in the body
any(body.links,
// is the recipient's email address in the URL?
// this method accounts for any encoding we might encounter
// in the query_params
any(recipients.to,
strings.icontains(..href_url.url, .email.local_part)
and strings.icontains(..href_url.url, .email.domain.domain)
)
)
Emoji in the body or subject
// has an emoji in the subject or body
and (
regex.contains(body.plain.raw, '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]')
or regex.contains(subject.subject, '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]')
)
Recipient is in a user group list
any(recipients.to, any($finance_users, .email == ..email.email))
Sender email address
sender.email.email == "[email protected]"
Attachment file name
any(attachments, .file_name == "foo.txt")
Attachment file name contains a specific string
any(attachments,
.file_type == "pdf"
and strings.icontains(.file_name, "foobar")
)
Outbound message to a specific email address
type.outbound
and any(recipients.to, .email.email == "[email protected]")
Specific mailer
strings.istarts_with(headers.mailer, "Foo")
Specific string in the current thread of the body
strings.contains(body.current_thread.text, "foo bar")
Case insensitive string search in the current thread of the body
strings.icontains(body.current_thread.text, "foo bar")
Link in the body using a specific TLD
any(body.links, .href_url.domain.tld == "ru")
Sender / Return-path mismatch
sender.email.email != headers.return_path.email
Match the subject using a case-insensitive regular expression
regex.icontains(subject.subject, "foo.*bar")
Inbound message to a specific recipient email address
any(recipients.to, .email.email == "[email protected]")
Any DMARC authentication failures
any(headers.hops, .authentication_results.dmarc == "fail")
Failing SPF
any(headers.hops, .authentication_results.spf == "fail")
Lookalike display name (hard-coded string)
// display name is within 3 character substitutions of "Jane Doe"
strings.ilevenshtein(sender.display_name, "Jane Doe") < 3
Lookalike sender domain (hard-coded string)
// don't match exact org domain matches
sender.email.domain.domain not in $org_domains
// sender's display name is within 3 character substitutions of a specific hard-coded domain
and strings.levenshtein(sender.email.domain.domain, "foo.com") < 3
Lookalike sender domain (dynamic $org_domains)
// don't match exact org domain matches
sender.email.domain.domain not in $org_domains
// sender's display name is within 3 character substitutions of a known org domain
and any($org_domains, strings.levenshtein(sender.email.domain.domain, .) < 3)
Email address is a To, CC, or BCC
// [email protected] is on the to, cc, or bcc line
any([recipients.to, recipients.cc, recipients.bcc],
any(., .email.email == "[email protected]")
)
Email has a link in the body or an attachment
// set for a minimum number
and length(body.links) > 0) or (length(attachments) > 0
Email has between X and Y links
// set for an upper and lower bound
and (0 < length(body.links) < 40)
Updated 17 days ago