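type.inbound
// Detection intent: an inbound message whose subject AND at least one attachment
// file name each pair a pay/HR topic term with a review/change action term,
// sent from outside the DMARC-verified high-trust sender set.
// NOTE: This rule is designed for these values to match/sync subject.base and file names
// NOTE(review): the two term lists have drifted. For example, 'remuneration',
// 'earnings' and 'payout' are subject-only, 'compensation' is file-name-only, and
// 'contract' is a topic term for the subject but an action term for file names.
// Confirm whether that is intended.
and (
  // the subject contains pay related items
  (
    strings.icontains(subject.base, 'salary')
    or regex.icontains(subject.base, '\bpay(?:out|roll|\b)')
    or strings.icontains(subject.base, 'remuneration')
    or strings.icontains(subject.base, 'bonus')
    or strings.icontains(subject.base, 'incentive')
    // Fixed: strings.icontains matches its argument literally, so 'merit\b' only
    // matched a subject containing a backslash. A word boundary needs regex.icontains.
    or regex.icontains(subject.base, 'merit\b')
    or strings.icontains(subject.base, 'handbook')
    or strings.icontains(subject.base, 'benefits')
    or strings.icontains(subject.base, 'earnings')
    or strings.icontains(subject.base, 'contract')
    // [o0] also catches the digit-zero look-alike spelling
    or regex.icontains(subject.base, 'empl[o0]yment')
  )
  // ... and the subject also contains a review/change/notification term.
  // Several of these are short substrings ('plan', 'change', 'raise', 'details')
  // that also match inside longer words, so the subject test alone is broad.
  // The attachment conditions below are what narrow the rule.
  and (
    strings.icontains(subject.base, 'review')
    or strings.icontains(subject.base, 'breakdown')
    or strings.icontains(subject.base, 'Access Your')
    or strings.icontains(subject.base, 'evaluation')
    or regex.icontains(subject.base, 'eval\b')
    or strings.icontains(subject.base, 'assessment')
    or strings.icontains(subject.base, 'appraisal')
    or strings.icontains(subject.base, 'feedback')
    or strings.icontains(subject.base, 'performance')
    or strings.icontains(subject.base, 'adjustment')
    or strings.icontains(subject.base, 'qualification')
    or strings.icontains(subject.base, 'increase')
    or strings.icontains(subject.base, 'raise')
    or strings.icontains(subject.base, 'change')
    or strings.icontains(subject.base, 'modification')
    or strings.icontains(subject.base, 'distribution')
    or strings.icontains(subject.base, 'details')
    or regex.icontains(subject.base, 'revis(?:ed|ion)')
    or regex.icontains(subject.base, 'amend(?:ed|ment)')
    or regex.icontains(subject.base, 'update(?:d| to)')
    or strings.icontains(subject.base, 'plan')
    or strings.icontains(subject.base, 'notification')
  )
)
// between one and three attachments
and 0 < length(attachments) <= 3
// at least one document-type attachment whose name repeats the same topic/action pairing
and any(attachments,
        .file_extension in ("doc", "docx", "docm", "pdf", "pptx")
        // NOTE(review): '\b' does not fire between a letter and '_' or a digit, so
        // names such as 'pay_review.pdf' are not matched by the pay/merit/eval
        // patterns below. Confirm whether that gap is acceptable.
        and (
          strings.icontains(.file_name, 'salary')
          or strings.icontains(.file_name, 'compensation')
          or regex.icontains(.file_name, '\bpay(?:roll|\b)')
          or strings.icontains(.file_name, 'bonus')
          or strings.icontains(.file_name, 'incentive')
          // Fixed: same literal-'\b' problem as in the subject list above.
          or regex.icontains(.file_name, 'merit\b')
          or strings.icontains(.file_name, 'handbook')
          or strings.icontains(.file_name, 'benefits')
          or regex.icontains(.file_name, 'empl[o0]yment')
        )
        and (
          strings.icontains(.file_name, 'review')
          or strings.icontains(.file_name, 'evaluation')
          or regex.icontains(.file_name, 'eval\b')
          or strings.icontains(.file_name, 'assessment')
          or strings.icontains(.file_name, 'appraisal')
          or strings.icontains(.file_name, 'feedback')
          or strings.icontains(.file_name, 'performance')
          or strings.icontains(.file_name, 'adjustment')
          or strings.icontains(.file_name, 'increase')
          or strings.icontains(.file_name, 'increment')
          or strings.icontains(.file_name, 'raise')
          or strings.icontains(.file_name, 'change')
          or strings.icontains(.file_name, 'modification')
          or strings.icontains(.file_name, 'distribution')
          or strings.icontains(.file_name, 'statement')
          or regex.icontains(.file_name, 'revis(?:ed|ion)')
          or regex.icontains(.file_name, 'amend(?:ed|ment)')
          or regex.icontains(.file_name, 'adjust(?:ed|ment)')
          or regex.icontains(.file_name, 'update(?:d| to)')
          // Month name followed by whitespace and a 202x/203x year.
          // Fixed: the class was '[2,3]', which also accepted a literal comma
          // (e.g. "20,5"). The '{1}' quantifiers were no-ops and are dropped.
          or regex.icontains(.file_name,
                             '(January|February|March|April|May|June|July|August|September|October|November|December)\s20[23]\d'
          )
          or strings.icontains(.file_name, 'contract')
          or (
            // file name contains recipient's email
            // (any To: recipient address appearing verbatim in the attachment name)
            any(recipients.to,
                strings.icontains(..file_name, .email.email)
                and .email.domain.valid
            )
          )
        )
)
// Exempt high-trust sender root domains only when DMARC passed. coalesce() treats a
// missing DMARC result as "not passed", so unauthenticated mail that merely claims
// such a domain is still evaluated. A DMARC-passing message from a listed domain
// skips this rule entirely.
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)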