sublime | low | Rule
Outbound message to disposable email provider
Possible exfiltration of sensitive information or files.
Detection Query
type.outbound
and any([recipients.to, recipients.cc, recipients.bcc],
        any(.,
            .email.domain.domain in $disposable_email_providers
            and
            // once lists can be updated from Feeds, we can drop this,
            // as the update has been made to the upstream disposable list
            .email.domain.root_domain not in (
              "craigslist.org",
              "gmai.com",
              "gmal.com",
              "gmial.com",
              "spamarrest.com"
            )
        )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
DLP, Suspicious recipient
Raw Content
name: "Outbound message to disposable email provider"
description: |
  Possible exfiltration of sensitive information or files.
type: "rule"
severity: "low"
source: |
  type.outbound
  and any([recipients.to, recipients.cc, recipients.bcc],
          any(.,
              .email.domain.domain in $disposable_email_providers
              and
              // once lists can be updated from Feeds, we can drop this,
              // as the update has been made to the upstream disposable list
              .email.domain.root_domain not in (
                "craigslist.org",
                "gmai.com",
                "gmal.com",
                "gmial.com",
                "spamarrest.com"
              )
          )
  )
tags:
  - "DLP"
  - "Suspicious recipient"