type.inbound
and length(filter(attachments, .file_type not in $file_types_images)) == 0
and (
  any(attachments,
      .file_type in $file_types_images
      and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
  )
  or any(attachments,
         .file_type in $file_types_images
         and any(file.explode(.),
                 strings.ilike(.scan.ocr.raw, "*microsoft*", "*office")
                 and length(.scan.ocr.raw) < 1500
         )
  )
)
and any(attachments,
        .file_type in $file_types_images
        and any(file.explode(.),
                length(filter([
                                "password",
                                "unread messages",
                                "Shared Documents",
                                "expiration",
                                "expire",
                                "expiring",
                                "kindly",
                                "renew",
                                "review",
                                "emails failed",
                                "kicked out",
                                "prevented",
                                "storage",
                                "required now",
                                "cache",
                                "qr code",
                                "security update",
                                "invoice",
                                "retrieve",
                                "blocked"
                              ],
                              strings.icontains(..scan.ocr.raw, .)
                       )
                ) >= 2
                or (
                  any(ml.nlu_classifier(.scan.ocr.raw).intents,
                      .name == "cred_theft" and .confidence == "high"
                  )
                  and length(ml.nlu_classifier(.scan.ocr.raw).entities) > 1
                )
        )
)
and (
  not any(headers.hops,
          .authentication_results.compauth.verdict is not null
          and .authentication_results.compauth.verdict == "pass"
          and sender.email.domain.domain in (
            "microsoft.com",
            "sharepointonline.com"
          )
  )
)

// negate angelbeat urls and microsoft disclaimer links
and (
  length(body.links) > 0
  and not all(body.links,
              .href_url.domain.root_domain in (
                "abeatinfo.com",
                "abeatinvite.com",
                "aka.ms",
                "angelbeat.com"
              )
  )
)

// negate replies
and (
  (
    (
      length(headers.references) > 0
      or not any(headers.hops,
                 any(.fields, strings.ilike(.name, "In-Reply-To"))
      )
    )
    and not (
      (
        strings.istarts_with(subject.subject, "RE:")
        or strings.istarts_with(subject.subject, "R:")
        or strings.istarts_with(subject.subject, "ODG:")
        or strings.istarts_with(subject.subject, "答复:")
        or strings.istarts_with(subject.subject, "AW:")
        or strings.istarts_with(subject.subject, "TR:")
        or strings.istarts_with(subject.subject, "FWD:")
        or regex.icontains(subject.subject,
                           '^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:'
        )
      )
    )
  )
  or length(headers.references) == 0
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().any_messages_benign

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started