type.inbound
and (
  length(body.current_thread.text) < 1500
  // body length without disclaimer is shorter than 1500 characters
  or (
    any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
                   .name == "disclaimer"
            ),
            .text
        ),
        (length(body.current_thread.text) - length(.)) < 1500
    )
  )
)
and (
  3 of (
    strings.icontains(body.current_thread.text, "Number of Images:"),
    strings.icontains(body.current_thread.text, "Attachment File Type:"),
    strings.icontains(body.current_thread.text, "Device Model:"),
    strings.icontains(body.current_thread.text, "Device Name:"),
    strings.icontains(body.current_thread.text, "Resolution:"),
    strings.icontains(body.current_thread.text, "File Format:"),
    strings.icontains(body.current_thread.text, "Device Location:")
  )
  or (
    3 of (
      strings.ilike(body.current_thread.text, "*scan date*"),
      strings.ilike(body.current_thread.text, "*was sent from*"),
      strings.ilike(body.current_thread.text, "*of pages*"),
      strings.ilike(body.current_thread.text, "*scanned file*"),
    )
    or any(file.explode(file.message_screenshot()),
           3 of (
             strings.ilike(body.current_thread.text, "*scan date*"),
             strings.ilike(body.current_thread.text, "*was sent from*"),
             strings.ilike(body.current_thread.text, "*of pages*"),
             strings.ilike(body.current_thread.text, "*scanned file*"),
             strings.icontains(body.current_thread.text, "Number of Images:"),
             strings.icontains(body.current_thread.text,
                               "Attachment File Type:"
             ),
             strings.icontains(body.current_thread.text, "Device Name:"),
             strings.icontains(body.current_thread.text, "Device Location:"),
             strings.icontains(body.current_thread.text, "Device Model:")
           )
    )
  )
)
and (
  (
    length(filter(attachments, .file_type in ("pdf"))) == 1
    and any(attachments,
            .file_type == "pdf"
            and (
              any(file.explode(.),
                  (
                    strings.ilike(.scan.ocr.raw,
                                  "*scan date*",
                                  "*was sent from*",
                                  "*of pages*",
                                  "*verif*document*",
                                  "*scanned file*"
                    )
                    or any(ml.nlu_classifier(.scan.ocr.raw).intents,
                           .name == "cred_theft"
                    )
                    or any(ml.logo_detect(..).brands,
                           .name in ("DocuSign", "Microsoft")
                    )
                  )
                  and length(.scan.url.urls) == 1
              )
              // encrypted pdf
              or any(file.explode(.),
                     any(.scan.exiftool.fields, .key == "Encryption")
                     or (
                       .scan.entropy.entropy > 7
                       and any(.scan.strings.strings,
                               strings.icontains(., "/Encrypt")
                       )
                     )
              )
            )
    )
  )
  or length(filter(attachments, .file_type in ("doc", "docx"))) == 1
)
and sender.email.domain.domain not in~ $org_domains
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started

Attachment: Fake scan-to-email

Labels

Description

References

Playground

Share

Get Started. Today.