EXPLORE
Sign In
← Back to Explore
kqlHunting

Temporary Email Addresses

raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/tempmail-abused%20emaildomains.txt'] with (format=csv, ignoreFirstRecord=False);

Detection Query

let TempEmailAddresses = externaldata (mail: string) [@'https://raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/tempmail-abused%20emaildomains.txt'] with (format=csv, ignoreFirstRecord=False);
EmailEvents
| where TimeGenerated > ago(90d)
| where SenderFromDomain has_any (TempEmailAddresses) or RecipientEmailAddress has_any(TempEmailAddresses) 
//| join kind=leftouter EmailUrlInfo on NetworkMessageId
//| summarize make_list(Url) by NetworkMessageId,SenderFromAddress, RecipientEmailAddress, Subject, AttachmentCount, UrlCount
// Visit https://github.com/jkerai1/TLD-TABL-Block for Block Script

Data Sources

EmailEventsEmailUrlInfo

Platforms

office-365

Tags

office-365
Raw Content
let TempEmailAddresses = externaldata (mail: string) [@'https://raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/tempmail-abused%20emaildomains.txt'] with (format=csv, ignoreFirstRecord=False);
EmailEvents
| where TimeGenerated > ago(90d)
| where SenderFromDomain has_any (TempEmailAddresses) or RecipientEmailAddress has_any(TempEmailAddresses) 
//| join kind=leftouter EmailUrlInfo on NetworkMessageId
//| summarize make_list(Url) by NetworkMessageId,SenderFromAddress, RecipientEmailAddress, Subject, AttachmentCount, UrlCount
// Visit https://github.com/jkerai1/TLD-TABL-Block for Block Script