Detection rules › Sublime MQL
Link: .onion From Unsolicited Sender
Detects messages containing .onion (Tor network) links from unsolicited senders that either lack proper DMARC authentication or are not from trusted domains.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Malware/Ransomware, Credential Phishing |
| Tactics and techniques | Evasion, Social engineering |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| headers.auth_summary |
| sender.email |
| type |
Rule body MQL
type.inbound
and any(body.links, .href_url.domain.tld == "onion")
and not profile.by_sender_email().solicited
// and the sender is not from high trust sender root domains
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Detection logic
Scope: inbound message.
Detects messages containing .onion (Tor network) links from unsolicited senders that either lack proper DMARC authentication or are not from trusted domains.
- inbound message
any of
body.linkswhere:- .href_url.domain.tld is 'onion'
not:
- profile.by_sender_email().solicited
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: body.links, body.links[].href_url.domain.tld, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: profile.by_sender_email. Reference lists: $high_trust_sender_root_domains.
Indicators matched (1)
| Field | Match | Value |
|---|---|---|
body.links[].href_url.domain.tld | equals | onion |