Query Details
let OnionMailAddresses = externaldata (onionmail: string)
    [@'https://raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/OnionMail.txt']
    with (format=csv, ignoreFirstRecord=False);
EmailEvents
| where SenderFromDomain has_any (OnionMailAddresses)
    or RecipientEmailAddress has_any (OnionMailAddresses)
// See https://github.com/jkerai1/TLD-TABL-Block for Script to block
This query flags rows in EmailEvents where the sender's domain or the recipient's address matches an entry in the OnionMail list published in the linked repository. The list covers email addresses and domains tied to ".onion" services, that is, mail reachable over the Tor network rather than the public internet. Here is a breakdown of what the query does:
Data Import: externaldata() fetches the list from the raw GitHub URL at query time and exposes it as a single-column table (onionmail: string) named OnionMailAddresses. format=csv together with ignoreFirstRecord=False means every line of the file is treated as an entry, so the file must not carry a header row, and the query only works where the workspace is allowed to fetch from GitHub.
Email Filtering: EmailEvents is filtered with has_any, which accepts the list as a tabular expression and matches when the column contains any entry as a whole term (case-insensitive, so a listed parent domain also matches its subdomains). Note the asymmetry: the sender side is tested on SenderFromDomain, the domain of the header "From" (P2) address, while the recipient side is tested on the full RecipientEmailAddress. Mail whose envelope sender (SenderMailFromDomain, P1) is on the list but whose header From is not will pass the sender test, so add that column if you want to catch it.
Purpose: surface, and optionally block, mail that involves these addresses, which the author treats as anonymous and potentially suspicious. The trailing comment points to the same repository, which also holds a script to block the entries.
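As an added example (not the original query and not code from the linked repository), the same detection with an inline stand-in for the external list and a few constructed EmailEvents rows, so the matching logic can be run and checked in any Kusto query editor before it is pointed at a live workspace. Every domain, address and NetworkMessageId below is made up for the test; the column names follow the EmailEvents schema. It goes beyond the original query by also testing the envelope sender domain and by reducing full addresses in the list to their domain. Replace SampleEmailEvents with EmailEvents and OnionMailList with the externaldata() call to hunt on real data.

```kql
// Added example, not the original query or the repository's code.
// Inline stand-ins replace externaldata() and EmailEvents so the matching logic
// can be run in any Kusto query editor; every domain, address and message ID
// below is constructed for the test.
let OnionMailList = datatable(onionmail: string)
[
    "example-onion-mail.test",        // bare domain
    "User@Another-Example.test"       // full address, mixed case
];
// Normalise once: trim, lowercase, and reduce full addresses to their domain so
// the list blocks the provider, not one mailbox. Collected into a dynamic array
// so it can be used in extend/case as well as where.
let OnionDomains = toscalar(
    OnionMailList
    | extend d = tolower(trim(@"\s+", onionmail))
    | extend d = iff(d contains "@", tostring(split(d, "@")[1]), d)
    | where isnotempty(d)
    | summarize make_set(d));
// Stand-in for EmailEvents with the real column names (constructed rows).
let SampleEmailEvents = datatable(
    Timestamp: datetime, NetworkMessageId: string,
    SenderFromAddress: string, SenderFromDomain: string,
    SenderMailFromAddress: string, SenderMailFromDomain: string,
    RecipientEmailAddress: string, Subject: string, DeliveryAction: string)
[
    // P2 (header From) sender on the list
    datetime(2024-11-11T09:00:00Z), "msg-1", "a@example-onion-mail.test", "example-onion-mail.test",
        "a@example-onion-mail.test", "example-onion-mail.test", "bob@contoso.com", "hello", "Delivered",
    // P1 (envelope MAIL FROM) on a subdomain of a listed domain; header From looks internal
    datetime(2024-11-11T09:05:00Z), "msg-2", "billing@contoso.com", "contoso.com",
        "bounce@relay.example-onion-mail.test", "relay.example-onion-mail.test", "bob@contoso.com", "invoice", "Delivered",
    // Outbound reply to a listed provider
    datetime(2024-11-11T09:10:00Z), "msg-3", "bob@contoso.com", "contoso.com",
        "bob@contoso.com", "contoso.com", "x@another-example.test", "re: hello", "Delivered",
    // Benign internal mail, must not match
    datetime(2024-11-11T09:15:00Z), "msg-4", "bob@contoso.com", "contoso.com",
        "bob@contoso.com", "contoso.com", "carol@contoso.com", "lunch", "Delivered"
];
SampleEmailEvents                         // replace with: EmailEvents
// has_any is case-insensitive and matches whole terms, so a listed parent
// domain also hits its subdomains (relay.example-onion-mail.test above).
| extend SenderHit    = SenderFromDomain has_any (OnionDomains)
| extend MailFromHit  = SenderMailFromDomain has_any (OnionDomains)
| extend RecipientHit = RecipientEmailAddress has_any (OnionDomains)
| where SenderHit or MailFromHit or RecipientHit
| extend MatchedOn = case(
    SenderHit, "SenderFromDomain (P2)",
    MailFromHit, "SenderMailFromDomain (P1)",
    "RecipientEmailAddress")
| project Timestamp, NetworkMessageId, MatchedOn, SenderFromAddress,
          SenderMailFromAddress, RecipientEmailAddress, Subject, DeliveryAction
```

On the constructed rows this returns msg-1, msg-2 and msg-3 and drops msg-4. msg-2 is the case the original query does not surface: the header From domain is contoso.com, so only the envelope sender check catches it. The MatchedOn column makes triage quicker than re-reading three address columns, and the normalised list can be reused for a SenderFromAddress or SenderMailFromAddress check if the file ever carries full addresses you want to match exactly rather than by provider.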

Jay Kerai
Released: November 11, 2024