type.inbound
and any(attachments,
        (
          .file_extension =~ "svg"
          or .file_extension in $file_extensions_common_archives
        )
        and any(file.explode(.),
                .file_extension == "svg"
                and "script" in~ .scan.xml.tags
                // unclear if this is necessary, but it's been observed
                // in all payloads we've seen, so we'll include it
                // as an extra FP precaution
                and any(.scan.strings.strings, strings.icontains(., "CDATA"))
        )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
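To show what this rule does and does not fire on, here is an added, stand-alone Python approximation of its logic run over constructed sample attachments. It is not the MQL engine and not Sublime's code: `file.explode()` is approximated by listing zip members only, `$file_extensions_common_archives` is assumed to be just `zip`, `.scan.xml.tags` is approximated by the local names of parsed XML elements, and the `.scan.strings.strings` / `strings.icontains` check is approximated by a case-insensitive byte search for `CDATA` in the raw file. The `Attachment` and `SenderProfile` classes, the sample SVGs and the sender profiles are all constructed for the example.

```python
"""Added example: approximation of the SVG-with-script MQL rule, not Sublime's engine."""
import io
import xml.etree.ElementTree as ET
import zipfile
from dataclasses import dataclass

# Assumption: stand-in for Sublime's $file_extensions_common_archives list.
ARCHIVE_EXTENSIONS = {"zip"}


@dataclass
class Attachment:
    file_name: str
    content: bytes

    @property
    def file_extension(self) -> str:
        # Lower-cased so it behaves like MQL's case-insensitive =~ comparison.
        return self.file_name.rsplit(".", 1)[-1].lower() if "." in self.file_name else ""


@dataclass
class SenderProfile:
    """Stand-in for profile.by_sender() (constructed for the example)."""
    solicited: bool
    any_messages_malicious_or_spam: bool
    any_false_positives: bool


def explode(att: Attachment):
    """Approximate file.explode(): the file itself, plus each member of a zip archive."""
    yield att
    if att.file_extension in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(att.content)) as zf:
                for name in zf.namelist():
                    yield Attachment(name, zf.read(name))
        except zipfile.BadZipFile:
            return  # not a real archive; nothing more to explode


def xml_tags(content: bytes) -> set:
    """Approximate .scan.xml.tags: local element names, or empty if not well-formed XML."""
    try:
        root = ET.fromstring(content)
    except ET.ParseError:
        return set()
    return {el.tag.rsplit("}", 1)[-1].lower() for el in root.iter() if isinstance(el.tag, str)}


def svg_is_suspicious(f: Attachment) -> bool:
    """Inner any(): an svg that contains a <script> element and the literal CDATA marker."""
    return (f.file_extension == "svg"
            and "script" in xml_tags(f.content)
            and b"cdata" in f.content.lower())   # approximates strings.icontains(., "CDATA")


def sender_clause(p: SenderProfile) -> bool:
    """Unsolicited sender, or a solicited one with prior malicious/spam mail and no FPs."""
    return (not p.solicited
            or (p.any_messages_malicious_or_spam and not p.any_false_positives))


def rule_matches(inbound: bool, attachments: list, profile: SenderProfile) -> bool:
    if not inbound:
        return False
    attachment_hit = any(
        (att.file_extension == "svg" or att.file_extension in ARCHIVE_EXTENSIONS)
        and any(svg_is_suspicious(f) for f in explode(att))
        for att in attachments
    )
    return attachment_hit and sender_clause(profile)


# Constructed samples: a script-bearing SVG with CDATA, one without, and a benign one.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript"><![CDATA[
    window.location = "https://example.invalid/landing";
  ]]></script>
</svg>"""
SCRIPT_NO_CDATA_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>"""
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>"""

UNKNOWN_SENDER = SenderProfile(solicited=False, any_messages_malicious_or_spam=False, any_false_positives=False)
TRUSTED_SENDER = SenderProfile(solicited=True, any_messages_malicious_or_spam=False, any_false_positives=False)


def zipped(name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Run the approximated rule over each constructed case; returns case -> bool."""
    return {
        "bare svg, unknown sender": rule_matches(True, [Attachment("invoice.svg", MALICIOUS_SVG)], UNKNOWN_SENDER),
        "zipped svg, unknown sender": rule_matches(True, [Attachment("docs.zip", zipped("invoice.svg", MALICIOUS_SVG))], UNKNOWN_SENDER),
        "script but no CDATA": rule_matches(True, [Attachment("chart.svg", SCRIPT_NO_CDATA_SVG)], UNKNOWN_SENDER),
        "benign svg": rule_matches(True, [Attachment("logo.svg", BENIGN_SVG)], UNKNOWN_SENDER),
        "malicious svg, solicited clean sender": rule_matches(True, [Attachment("invoice.svg", MALICIOUS_SVG)], TRUSTED_SENDER),
        "outbound": rule_matches(False, [Attachment("invoice.svg", MALICIOUS_SVG)], UNKNOWN_SENDER),
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case:40s} -> {'MATCH' if hit else 'no match'}")
```

The "script but no CDATA" case is the one to watch: because the rule requires the `CDATA` string as an extra false-positive precaution, an SVG whose script body is not wrapped in a CDATA section does not match, which is exactly the trade-off the inline comment in the rule acknowledges.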