Prevent emails containing URLs with abused TLDs with Tenant Allow Block List
Microsoft Documentation describing TLD blocking:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-allow-block-list-urls-configure?view=o365-worldwide#scenario-top-level-domain-blocking
Spamhaus List (original Source)
EmailUrlInfo
| extend FQDN = trim_end("(:|\\?).*", tostring(split(trim_start('http(.|)://', UrlDomain), "/")[0]))
//| project-reorder FQDN, UrlDomain
| where FQDN contains "." // exclude singular hostnames used in local name resolution
| extend TLD = tostring(split(FQDN, ".")[-1])
| summarize count() by TLD
Onion Mail
let OnionMailAddresses = externaldata (onionmail: string) [@'https://raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/OnionMail.txt'] with (format=csv, ignoreFirstRecord=False);
EmailEvents
| where SenderFromDomain has_any (OnionMailAddresses)
Cockli
let CockLiMailAddresses = externaldata (cocklimail: string) [@'https://raw.githubusercontent.com/jkerai1/TLD-TABL-Block/refs/heads/main/cockli-abused-Email-domains.txt'] with (format=csv, ignoreFirstRecord=False);
CockLiMailAddresses
EmailEvents
| where SenderFromDomain has_any (CockLiMailAddresses)