
jkerai1/TLD-TABL-Block


TLD-TABL-Block

Block emails that contain URLs under abused top-level domains (TLDs) by using the Tenant Allow/Block List.

Microsoft Documentation describing TLD blocking:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-allow-block-list-urls-configure?view=o365-worldwide#scenario-top-level-domain-blocking


Lists

Spamhaus List (original Source)

InfoSec CA List

KQLs

KQL Search

EmailUrlInfo
| extend FQDN = trim_end("(:|\\?).*", tostring(split(trim_start('http(.|)://', UrlDomain), "/")[0]))
//| project-reorder FQDN, UrlDomain
| where FQDN contains "."  // exclude singular hostnames used in local name resolution
| extend TLD = tostring(split(FQDN, ".")[-1])
| summarize count() by TLD
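
An added example, not part of the original repository: the TLD extraction above joined to EmailEvents to estimate how much inbound mail a candidate TLD block would affect before the entry is added to the Tenant Allow/Block List. The TLDs in `CandidateTLDs` are constructed sample values, and the `*.<TLD>/*` entry form follows the Microsoft documentation linked above.

```kql
// Constructed sample values; replace with TLDs taken from the lists in this README.
let CandidateTLDs = datatable (TLD: string) ["zip", "mov", "top"];
let Lookback = 30d;
EmailUrlInfo
| where Timestamp > ago(Lookback)
// Same FQDN/TLD extraction as the KQL Search query, lower-cased for matching
| extend FQDN = tolower(trim_end("(:|\\?).*", tostring(split(trim_start('http(.|)://', UrlDomain), "/")[0])))
| where FQDN contains "."  // exclude singular hostnames used in local name resolution
| extend TLD = tostring(split(FQDN, ".")[-1])
| where TLD in (CandidateTLDs)
// Attach delivery context so legitimate senders show up before a block is applied
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(Lookback)
    | where EmailDirection == "Inbound"
    | project NetworkMessageId, SenderFromDomain, DeliveryAction
  ) on NetworkMessageId
| summarize
    Messages = dcount(NetworkMessageId),
    Delivered = dcountif(NetworkMessageId, DeliveryAction == "Delivered"),
    Senders = dcount(SenderFromDomain),
    SampleDomains = make_set(FQDN, 5)
    by TLD
// Entry string to add as a URL block in the Tenant Allow/Block List
| extend TablEntry = strcat("*.", TLD, "/*")
| order by Delivered desc
```

A high `Delivered` count with many distinct `Senders` for a TLD is a signal to review `SampleDomains` for legitimate mail before blocking.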

Onion Mail

let OnionMailAddresses = externaldata (onionmail: string) [@'https://raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/OnionMail.txt'] with (format=csv, ignoreFirstRecord=False);
EmailEvents
| where SenderFromDomain has_any (OnionMailAddresses)

Cockli

// Load the cock.li abused sender domains, then match them against sender domains
let CockLiMailAddresses = externaldata (cocklimail: string) [@'https://raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/cockli-abused-Email-domains.txt'] with (format=csv, ignoreFirstRecord=False);
EmailEvents
| where SenderFromDomain has_any (CockLiMailAddresses)

See More

Block TLDs in Windows Firewall via Intune
