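// Inbound message carrying an attached/forwarded .eml whose *inner* message is
// a "shared document" lure (Drive / SharePoint / DocuSign style notification
// with a short subject and a handful of links). The outer message is only the
// wrapper; every content check runs on the nested message via file.parse_eml(.).
type.inbound
and any(attachments,
        // The attachment is itself an email. file_type is "unknown" for these;
        // the MIME type / extension checks do the real identification.
        .file_type == "unknown"
        and (.content_type == "message/rfc822" or .file_extension in ('eml'))
        // Document-sharing lure subjects. Case-insensitive so "Shared with you"
        // and "VIEW DOCUMENT" are caught too; the negations further down already
        // use regex.imatch, so this keeps the rule's case handling consistent.
        and regex.icontains(file.parse_eml(.).subject.subject,
                            '(shared.{0,30}with you|View Document)'
        )
        // Lure bodies carry one or a few links, not a newsletter's worth.
        and 0 < length(file.parse_eml(.).body.links) < 10
        // The nested message was not authored by one of our own recipients
        // (i.e. this is not a user forwarding their own mail).
        and file.parse_eml(.).sender.email.email not in $recipient_emails
        // exclude bounce backs & read receipts
        and not strings.like(file.parse_eml(.).sender.email.local_part,
                             "*postmaster*",
                             "*mailer-daemon*",
                             "*administrator*"
        )
        and not regex.imatch(file.parse_eml(.).subject.subject,
                             "(undeliverable|read:).*"
        )
        and not any(file.parse_eml(.).attachments,
                    .content_type == "message/delivery-status"
        )
        // negate highly trusted sender domains in the nested eml unless they fail DMARC.
        // NOTE(review): any() over hops with no DMARC result at all is false, so a
        // high-trust domain whose nested message carries no authentication_results.dmarc
        // is excluded rather than flagged -- confirm that is the intended posture.
        and (
            (
                file.parse_eml(.).sender.email.domain.root_domain in $high_trust_sender_root_domains
                and any(distinct(file.parse_eml(.).headers.hops,
                                 .authentication_results.dmarc is not null
                        ),
                        strings.ilike(.authentication_results.dmarc, "*fail")
                )
            )
            or file.parse_eml(.).sender.email.domain.root_domain not in $high_trust_sender_root_domains
        )
        // negate nested messages sent from one of the org's own domains.
        // Unlike the high-trust list above, org domains are excluded
        // unconditionally -- no DMARC check is applied to them here.
        and file.parse_eml(.).sender.email.domain.root_domain not in $org_domains
)
// negate highly trusted sender domains (outer sender) unless they fail DMARC authentication
and (
    (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        and any(distinct(headers.hops, .authentication_results.dmarc is not null),
                strings.ilike(.authentication_results.dmarc, "*fail")
        )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// Sender reputation: the outer sender is unsolicited, or is solicited but has
// prior malicious/spam history. In either case any benign history for this
// sender suppresses the rule (checked once below, so it is not repeated here).
and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign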