// Inbound message carrying an attached email (.eml / message/rfc822) that
// links to login.microsoftonline.com with OAuth-style query parameters.
// The attached EML is parsed and three places are checked for such links:
// its body, PDF/HTML attachments nested inside it, and ICS calendar
// attachments nested inside it. Nesting the lure in an attached EML
// presumably keeps the link out of the outer message body — TODO confirm
// the campaign this was written against.
//
// NOTE(review): login.microsoftonline.com is Microsoft's legitimate sign-in
// endpoint, so the rule keys on the query string (Graph scopes such as
// offline_access / *.Read / *.ReadWrite, prompt=none, a ctx= token) rather
// than on the host. A forwarded legitimate consent/authorize link carries
// the same parameters, so expect to add sender/recipient exclusions if
// this proves noisy.
type.inbound
and any(attachments,
// attached email, matched by MIME type or by extension
(.content_type == "message/rfc822" or .file_extension in ("eml"))
and (
// 1) links in the attached EML's body
any(file.parse_eml(.).body.links,
.href_url.domain.domain == 'login.microsoftonline.com'
and (
// Any one of these substrings in the query string is enough.
// '*.read*' also matches every '.readwrite' value, so '*.readwrite*'
// never adds a hit on its own; it is kept for readability.
strings.ilike(.href_url.query_params,
'*offline_access*',
'*.readwrite*',
'*.read*',
'*ctx=*',
'*prompt=none*'
)
or (
// /common/reprocess continuation URL carrying both ctx= and sessionId=.
// NOTE(review): assuming strings.ilike is case-insensitive like
// strings.icontains (the i- prefix suggests it), '*ctx=*' above already
// matches any URL that satisfies this branch, so it only becomes
// meaningful if '*ctx=*' is later narrowed or removed.
strings.icontains(.href_url.path, '/common/reprocess')
and strings.icontains(.href_url.query_params, 'ctx=')
and strings.icontains(.href_url.query_params, 'sessionId=')
)
)
)
// 2) links in PDF and HTML attachments nested inside the EML: each one is
// exploded and every URL the scan extracts is checked with the same
// host + query-string criteria as the body links above
or any(filter(file.parse_eml(.).attachments,
.file_type in ("pdf", "html")
),
any(file.explode(.),
any(.scan.url.urls,
.domain.domain == 'login.microsoftonline.com'
and (
// same query-string globs as for body links
strings.ilike(.query_params,
'*offline_access*',
'*.readwrite*',
'*.read*',
'*ctx=*',
'*prompt=none*'
)
or (
// same /common/reprocess + ctx= + sessionId= branch as for body links
strings.icontains(.path, '/common/reprocess')
and strings.icontains(.query_params, 'ctx=')
and strings.icontains(.query_params, 'sessionId=')
)
)
)
)
)
// 3) links in ICS calendar attachments nested inside the EML, matched by
// detected file type, extension, or MIME type
or any(filter(file.parse_eml(.).attachments,
.file_type == "ics"
or .file_extension == "ics"
or .content_type in ("application/ics", "text/calendar")
),
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
// every link in every parsed calendar event is checked with the same
// host + query-string criteria as the body links above
any(beta.file.parse_ics(.).events,
any(.links,
.href_url.domain.domain == 'login.microsoftonline.com'
and (
// same query-string globs as for body links
strings.ilike(.href_url.query_params,
'*offline_access*',
'*.readwrite*',
'*.read*',
'*ctx=*',
'*prompt=none*'
)
or (
// same /common/reprocess + ctx= + sessionId= branch as for body links
strings.icontains(.href_url.path,
'/common/reprocess'
)
and strings.icontains(.href_url.query_params,
'ctx='
)
and strings.icontains(.href_url.query_params,
'sessionId='
)
)
)
)
)
)
)
)