sublimeExclusion
Microsoft Defender Attack phishing simulation
Identifies phishing simulations sent by Microsoft Defender Attack simulation training and excludes the message from live analysis.
Detection Query
// Exclusion query: matches inbound messages that look like Microsoft Defender
// Attack simulation training phish, keyed on hop count plus a link or sender
// domain taken from a fixed list of simulation domains.
// NOTE(review): nothing in this query checks sender authentication
// (SPF/DKIM/DMARC). Because a match removes the message from live analysis,
// confirm that hop count plus a listed domain is a strong enough signal for
// your tenant before enabling it.
type.inbound
// Only messages with exactly one entry in headers.hops are considered.
// NOTE(review): presumably simulation messages are delivered directly and so
// carry a single hop; verify against real simulation traffic.
and length(headers.hops) == 1
and (
  // Branch 1: the body has at least one link whose root domain is on the list.
  // any() is satisfied by a single listed link; other links in the same
  // message are not inspected by this query.
  (
    length(body.links) > 0
    and any(body.links,
            .href_url.domain.root_domain in (
              "attemplate.com",
              "bankmenia.com",
              "bankmenia.de",
              "bankmenia.es",
              "bankmenia.fr",
              "bankmenia.it",
              "bankmenia.org",
              "banknown.de",
              "banknown.es",
              "banknown.fr",
              "banknown.it",
              "banknown.org",
              "browsersch.com",
              "browsersch.de",
              "browsersch.es",
              "browsersch.fr",
              "browsersch.it",
              "browsersch.org",
              "docdeliveryapp.com",
              "docdeliveryapp.net",
              "docstoreinternal.com",
              "docstoreinternal.net",
              "doctorican.de",
              "doctorican.es",
              "doctorican.fr",
              "doctorican.it",
              "doctorican.org",
              "doctrical.com",
              "doctrical.de",
              "doctrical.es",
              "doctrical.fr",
              "doctrical.it",
              "doctrical.org",
              "doctricant.com",
              "doctrings.com",
              "doctrings.de",
              "doctrings.es",
              "doctrings.fr",
              "doctrings.it",
              "doctrings.org",
              "exportants.com",
              "exportants.de",
              "exportants.es",
              "exportants.fr",
              "exportants.it",
              "exportants.org",
              "financerta.com",
              "financerta.de",
              "financerta.es",
              "financerta.fr",
              "financerta.it",
              "financerta.org",
              "financerts.com",
              "financerts.de",
              "financerts.es",
              "financerts.fr",
              "financerts.it",
              "financerts.org",
              "hardwarecheck.net",
              "hrsupportint.com",
              "mcsharepoint.com",
              "mesharepoint.com",
              "officence.com",
              "officenced.com",
              "officences.com",
              "officentry.com",
              "officested.com",
              "passwordle.de",
              "passwordle.fr",
              "passwordle.it",
              "passwordle.org",
              "payrolltooling.com",
              "payrolltooling.net",
              "prizeably.com",
              "prizeably.de",
              "prizeably.es",
              "prizeably.fr",
              "prizeably.it",
              "prizeably.org",
              "prizegiveaway.net",
              "prizegives.com",
              "prizemons.com",
              "prizesforall.com",
              "prizewel.com",
              "prizewings.com",
              "resetts.de",
              "resetts.es",
              "resetts.fr",
              "resetts.it",
              "resetts.org",
              "salarytoolint.com",
              "salarytoolint.net",
              "securembly.com",
              "securembly.de",
              "securembly.es",
              "securembly.fr",
              "securembly.it",
              "securembly.org",
              "securetta.de",
              "securetta.es",
              "securetta.fr",
              "securetta.it",
              "shareholds.com",
              "sharepointen.com",
              "sharepointin.com",
              "sharepointle.com",
              "sharesbyte.com",
              "sharession.com",
              "sharestion.com",
              "supportin.de",
              "supportin.es",
              "supportin.fr",
              "supportin.it",
              "supportres.de",
              "supportres.es",
              "supportres.fr",
              "supportres.it",
              "supportres.org",
              "techidal.com",
              "techidal.de",
              "techidal.fr",
              "techidal.it",
              "techniel.de",
              "techniel.es",
              "techniel.fr",
              "techniel.it",
              "templateau.com",
              "templatent.com",
              "templatern.com",
              "windocyte.com"
            )
    )
  )
  // Branch 2: the sender address domain is on the list. This compares
  // domain.domain (the full domain) rather than root_domain, so unlike the
  // link branch a subdomain of a listed domain does not match here.
  // The list below appears to repeat the link list entry for entry; keep the
  // two in sync when domains are added or retired.
  or sender.email.domain.domain in (
    "attemplate.com",
    "bankmenia.com",
    "bankmenia.de",
    "bankmenia.es",
    "bankmenia.fr",
    "bankmenia.it",
    "bankmenia.org",
    "banknown.de",
    "banknown.es",
    "banknown.fr",
    "banknown.it",
    "banknown.org",
    "browsersch.com",
    "browsersch.de",
    "browsersch.es",
    "browsersch.fr",
    "browsersch.it",
    "browsersch.org",
    "docdeliveryapp.com",
    "docdeliveryapp.net",
    "docstoreinternal.com",
    "docstoreinternal.net",
    "doctorican.de",
    "doctorican.es",
    "doctorican.fr",
    "doctorican.it",
    "doctorican.org",
    "doctrical.com",
    "doctrical.de",
    "doctrical.es",
    "doctrical.fr",
    "doctrical.it",
    "doctrical.org",
    "doctricant.com",
    "doctrings.com",
    "doctrings.de",
    "doctrings.es",
    "doctrings.fr",
    "doctrings.it",
    "doctrings.org",
    "exportants.com",
    "exportants.de",
    "exportants.es",
    "exportants.fr",
    "exportants.it",
    "exportants.org",
    "financerta.com",
    "financerta.de",
    "financerta.es",
    "financerta.fr",
    "financerta.it",
    "financerta.org",
    "financerts.com",
    "financerts.de",
    "financerts.es",
    "financerts.fr",
    "financerts.it",
    "financerts.org",
    "hardwarecheck.net",
    "hrsupportint.com",
    "mcsharepoint.com",
    "mesharepoint.com",
    "officence.com",
    "officenced.com",
    "officences.com",
    "officentry.com",
    "officested.com",
    "passwordle.de",
    "passwordle.fr",
    "passwordle.it",
    "passwordle.org",
    "payrolltooling.com",
    "payrolltooling.net",
    "prizeably.com",
    "prizeably.de",
    "prizeably.es",
    "prizeably.fr",
    "prizeably.it",
    "prizeably.org",
    "prizegiveaway.net",
    "prizegives.com",
    "prizemons.com",
    "prizesforall.com",
    "prizewel.com",
    "prizewings.com",
    "resetts.de",
    "resetts.es",
    "resetts.fr",
    "resetts.it",
    "resetts.org",
    "salarytoolint.com",
    "salarytoolint.net",
    "securembly.com",
    "securembly.de",
    "securembly.es",
    "securembly.fr",
    "securembly.it",
    "securembly.org",
    "securetta.de",
    "securetta.es",
    "securetta.fr",
    "securetta.it",
    "shareholds.com",
    "sharepointen.com",
    "sharepointin.com",
    "sharepointle.com",
    "sharesbyte.com",
    "sharession.com",
    "sharestion.com",
    "supportin.de",
    "supportin.es",
    "supportin.fr",
    "supportin.it",
    "supportres.de",
    "supportres.es",
    "supportres.fr",
    "supportres.it",
    "supportres.org",
    "techidal.com",
    "techidal.de",
    "techidal.fr",
    "techidal.it",
    "techniel.de",
    "techniel.es",
    "techniel.fr",
    "techniel.it",
    "templateau.com",
    "templatent.com",
    "templatern.com",
    "windocyte.com"
  )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
# Exclusion rule definition. Per the description, a message that matches
# `source` is excluded from live analysis.
#
# What `source` matches: an inbound message with exactly one entry in
# headers.hops AND either (a) at least one body link whose root domain is on
# the simulation-domain list, or (b) a sender address domain on that list.
# The sender branch compares domain.domain (the full domain), while the link
# branch compares root_domain, so subdomains match only in the link branch.
#
# NOTE(review): the query contains no sender-authentication check
# (SPF/DKIM/DMARC), and the link branch is satisfied by a single listed link.
# Since a match takes the message out of analysis, confirm that hop count plus
# a listed domain is a sufficient signal in your environment.
# NOTE(review): the two domain lists appear identical; keep them in sync when
# domains are added or retired.
name: "Microsoft Defender Attack phishing simulation"
description: "Identifies phishing simulations sent by Microsoft Defender Attack simulation training and excludes the message from live analysis."
type: "exclusion"
source: |
  type.inbound
  and length(headers.hops) == 1
  and (
    (
      length(body.links) > 0
      and any(body.links,
              .href_url.domain.root_domain in (
                "attemplate.com",
                "bankmenia.com",
                "bankmenia.de",
                "bankmenia.es",
                "bankmenia.fr",
                "bankmenia.it",
                "bankmenia.org",
                "banknown.de",
                "banknown.es",
                "banknown.fr",
                "banknown.it",
                "banknown.org",
                "browsersch.com",
                "browsersch.de",
                "browsersch.es",
                "browsersch.fr",
                "browsersch.it",
                "browsersch.org",
                "docdeliveryapp.com",
                "docdeliveryapp.net",
                "docstoreinternal.com",
                "docstoreinternal.net",
                "doctorican.de",
                "doctorican.es",
                "doctorican.fr",
                "doctorican.it",
                "doctorican.org",
                "doctrical.com",
                "doctrical.de",
                "doctrical.es",
                "doctrical.fr",
                "doctrical.it",
                "doctrical.org",
                "doctricant.com",
                "doctrings.com",
                "doctrings.de",
                "doctrings.es",
                "doctrings.fr",
                "doctrings.it",
                "doctrings.org",
                "exportants.com",
                "exportants.de",
                "exportants.es",
                "exportants.fr",
                "exportants.it",
                "exportants.org",
                "financerta.com",
                "financerta.de",
                "financerta.es",
                "financerta.fr",
                "financerta.it",
                "financerta.org",
                "financerts.com",
                "financerts.de",
                "financerts.es",
                "financerts.fr",
                "financerts.it",
                "financerts.org",
                "hardwarecheck.net",
                "hrsupportint.com",
                "mcsharepoint.com",
                "mesharepoint.com",
                "officence.com",
                "officenced.com",
                "officences.com",
                "officentry.com",
                "officested.com",
                "passwordle.de",
                "passwordle.fr",
                "passwordle.it",
                "passwordle.org",
                "payrolltooling.com",
                "payrolltooling.net",
                "prizeably.com",
                "prizeably.de",
                "prizeably.es",
                "prizeably.fr",
                "prizeably.it",
                "prizeably.org",
                "prizegiveaway.net",
                "prizegives.com",
                "prizemons.com",
                "prizesforall.com",
                "prizewel.com",
                "prizewings.com",
                "resetts.de",
                "resetts.es",
                "resetts.fr",
                "resetts.it",
                "resetts.org",
                "salarytoolint.com",
                "salarytoolint.net",
                "securembly.com",
                "securembly.de",
                "securembly.es",
                "securembly.fr",
                "securembly.it",
                "securembly.org",
                "securetta.de",
                "securetta.es",
                "securetta.fr",
                "securetta.it",
                "shareholds.com",
                "sharepointen.com",
                "sharepointin.com",
                "sharepointle.com",
                "sharesbyte.com",
                "sharession.com",
                "sharestion.com",
                "supportin.de",
                "supportin.es",
                "supportin.fr",
                "supportin.it",
                "supportres.de",
                "supportres.es",
                "supportres.fr",
                "supportres.it",
                "supportres.org",
                "techidal.com",
                "techidal.de",
                "techidal.fr",
                "techidal.it",
                "techniel.de",
                "techniel.es",
                "techniel.fr",
                "techniel.it",
                "templateau.com",
                "templatent.com",
                "templatern.com",
                "windocyte.com"
              )
      )
    )
    or sender.email.domain.domain in (
      "attemplate.com",
      "bankmenia.com",
      "bankmenia.de",
      "bankmenia.es",
      "bankmenia.fr",
      "bankmenia.it",
      "bankmenia.org",
      "banknown.de",
      "banknown.es",
      "banknown.fr",
      "banknown.it",
      "banknown.org",
      "browsersch.com",
      "browsersch.de",
      "browsersch.es",
      "browsersch.fr",
      "browsersch.it",
      "browsersch.org",
      "docdeliveryapp.com",
      "docdeliveryapp.net",
      "docstoreinternal.com",
      "docstoreinternal.net",
      "doctorican.de",
      "doctorican.es",
      "doctorican.fr",
      "doctorican.it",
      "doctorican.org",
      "doctrical.com",
      "doctrical.de",
      "doctrical.es",
      "doctrical.fr",
      "doctrical.it",
      "doctrical.org",
      "doctricant.com",
      "doctrings.com",
      "doctrings.de",
      "doctrings.es",
      "doctrings.fr",
      "doctrings.it",
      "doctrings.org",
      "exportants.com",
      "exportants.de",
      "exportants.es",
      "exportants.fr",
      "exportants.it",
      "exportants.org",
      "financerta.com",
      "financerta.de",
      "financerta.es",
      "financerta.fr",
      "financerta.it",
      "financerta.org",
      "financerts.com",
      "financerts.de",
      "financerts.es",
      "financerts.fr",
      "financerts.it",
      "financerts.org",
      "hardwarecheck.net",
      "hrsupportint.com",
      "mcsharepoint.com",
      "mesharepoint.com",
      "officence.com",
      "officenced.com",
      "officences.com",
      "officentry.com",
      "officested.com",
      "passwordle.de",
      "passwordle.fr",
      "passwordle.it",
      "passwordle.org",
      "payrolltooling.com",
      "payrolltooling.net",
      "prizeably.com",
      "prizeably.de",
      "prizeably.es",
      "prizeably.fr",
      "prizeably.it",
      "prizeably.org",
      "prizegiveaway.net",
      "prizegives.com",
      "prizemons.com",
      "prizesforall.com",
      "prizewel.com",
      "prizewings.com",
      "resetts.de",
      "resetts.es",
      "resetts.fr",
      "resetts.it",
      "resetts.org",
      "salarytoolint.com",
      "salarytoolint.net",
      "securembly.com",
      "securembly.de",
      "securembly.es",
      "securembly.fr",
      "securembly.it",
      "securembly.org",
      "securetta.de",
      "securetta.es",
      "securetta.fr",
      "securetta.it",
      "shareholds.com",
      "sharepointen.com",
      "sharepointin.com",
      "sharepointle.com",
      "sharesbyte.com",
      "sharession.com",
      "sharestion.com",
      "supportin.de",
      "supportin.es",
      "supportin.fr",
      "supportin.it",
      "supportres.de",
      "supportres.es",
      "supportres.fr",
      "supportres.it",
      "supportres.org",
      "techidal.com",
      "techidal.de",
      "techidal.fr",
      "techidal.it",
      "techniel.de",
      "techniel.es",
      "techniel.fr",
      "techniel.it",
      "templateau.com",
      "templatent.com",
      "templatern.com",
      "windocyte.com"
    )
  )