• Sublime Core Feed
Low Severity

Link: .onion From Unsolicited Sender

Labels

Malware/Ransomware
Credential Phishing
Evasion
Social engineering
URL analysis
Header analysis
Sender analysis

Description

Detects messages containing .onion (Tor network) links from unsolicited senders that either lack proper DMARC authentication or are not from trusted domains.

References

No references.

Sublime Security
Created Jul 30th, 2025 • Last updated Jul 30th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(body.links, .href_url.domain.tld == "onion")
and not profile.by_sender_email().solicited
// and the sender is not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started