MQL Detection Rules

Overview

Message Query Language (MQL) Detection Rules run against live email flow and are used to identify phishing attacks, enforce data loss prevention (DLP), and apply messaging policy. A rule is an MQL expression that is evaluated against each message and matches when the expression evaluates to true.

You can view many of the open-source detection rules available for use today in the Sublime rules GitHub repo.

Here is a non-exhaustive list of categories of phishing attacks and techniques that can be detected today:

  • Executive impersonation
  • Brand impersonation
  • Vendor impersonation
  • Sextortion
  • Homoglyph and lookalike domains
  • Gift card scams
  • Bitcoin scams
  • Free file hosting services
  • Free subdomains
  • Spoofed messages
  • URL shorteners
  • Suspicious Office 365 app authorization requests
  • COVID-19 scams
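As an added illustration of the brand impersonation and lookalike-domain categories above, here is a complete rule file in the format used by the Sublime rules repo. It is an example written for this page, not one of Sublime's own rules: the brand name "ExampleBrand" and the domains examplebrand.com and examplebrand.net are placeholders, and the MQL field names and functions (type.inbound, sender.display_name, sender.email.domain.root_domain, body.links, strings.ilike, strings.ilevenshtein, headers.auth_summary.dmarc.pass, the in~ operator) are those used in the public rules repo at the time of writing. The rule fires on an inbound message whose display name claims the brand, whose sender's registered domain is not one the brand owns, and which contains at least one link to a domain within two edits of the brand's domain.

```yaml
# Added example rule (not part of Sublime's published rule set).
# Brand, domains and thresholds are placeholders to adapt for your environment.
name: "Brand impersonation: ExampleBrand lookalike sender and link domain"
description: |
  Inbound message whose display name claims to be ExampleBrand, whose
  sender's registered domain is not owned by the brand, and which links
  to a domain that is a near-miss (Levenshtein distance <= 2) of the
  brand's real domain. Messages that pass DMARC are excluded.
type: "rule"
severity: "medium"
source: |
  type.inbound
  // display name claims the brand (case-insensitive wildcard match)
  and strings.ilike(sender.display_name, "*examplebrand*")
  // ...but the sender's registered domain is not one the brand owns
  and sender.email.domain.root_domain not in~ ("examplebrand.com", "examplebrand.net")
  // and at least one link points at a lookalike of the brand domain
  and any(body.links,
          strings.ilevenshtein(.href_url.domain.root_domain, "examplebrand.com") <= 2
          and .href_url.domain.root_domain not in~ ("examplebrand.com", "examplebrand.net")
  )
  // a DMARC pass means the visible sender domain is authenticated; skip those
  and not headers.auth_summary.dmarc.pass
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
```

The Levenshtein threshold of 2 is the part most worth tuning: a short brand domain will collide with unrelated legitimate domains at that distance, so check the candidate against real mail in the MQL Playground before enabling it, and tighten the threshold or add an allowlist of known-good root domains if it is noisy.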

Get started

Create your first detection rule by visiting Rules > Detection Rules and clicking "New rule".

You can also create and share detection rules in the MQL Playground.