// Matches inbound mail that shows Adobe branding together with a
// review/sign/view/open style call to action, is not a reply or forward,
// is not on a negated topic, and comes from a sender that either lacks
// passing SPF/DMARC or passes both but looks unfamiliar or previously flagged.
// The whole rule is one boolean expression; every top-level `and` must hold.
type.inbound
// Attachment gate: either no attachments, or every attachment's file type is in $file_types_images
and (
(
length(attachments) > 0
and all(attachments, .file_type in $file_types_images)
)
or length(attachments) == 0
)
// At least one link in the body is required
and length(body.links) > 0
// Adobe signal: a high-confidence Adobe logo in the message screenshot,
// or the text branch below
and (
any(ml.logo_detect(file.message_screenshot()).brands,
.name == "Adobe" and .confidence in ("high")
)
or (
// Text branch: current thread mentions "adobe", but not the
// "adobe marketplace" / "adobe analytics" phrases
strings.icontains(body.current_thread.text, "adobe")
and not strings.icontains(body.current_thread.text, "adobe marketplace")
and not strings.icontains(body.current_thread.text, "adobe analytics")
and (
// Leverage topic analysis to pick up on themes:
// exactly one topic is returned and it is "File Sharing and Cloud Services"
// with a confidence other than "low"
(
length(ml.nlu_classifier(body.current_thread.text).topics) == 1
and all(ml.nlu_classifier(body.current_thread.text).topics,
.name == "File Sharing and Cloud Services"
and .confidence != "low"
)
)
// Key phrases if topic analysis doesn't match
or strings.icontains(body.current_thread.text, 'review the document')
or strings.icontains(body.current_thread.text, 'access file')
or strings.icontains(body.current_thread.text, 'pending document')
or any(body.links, strings.ilike(.display_text, 'review and sign'))
)
// Length cap applies to the text branch only; the logo branch has no length limit
and length(body.current_thread.text) < 2000
)
)
// Call to action: found in the OCR text of the message screenshot, or in the
// display text of at least one link
and (
(
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
// NOTE(review): "open" carries no wildcards, unlike the other patterns. Presumably
// it has to match the whole string, which is plausible for a link label but
// unlikely for full-screenshot OCR text. Confirm this is intended.
strings.ilike(beta.ocr(file.message_screenshot()).text,
"*review*",
"*sign*",
"*view*",
"open",
"*completed document*",
"*open agreement*",
"*open document*"
)
// Drop common benign "view" / "review" wording picked up by the broad patterns above
and not strings.ilike(beta.ocr(file.message_screenshot()).text,
"*view this email*",
"*view*browser*",
"*view online*",
"*business review*"
)
)
// Per-link check: the positive and negative patterns are both evaluated on the
// same link's display text.
// NOTE(review): this list adds "*continue*" and its negation omits
// "*business review*" compared with the OCR lists above. Confirm the
// difference is deliberate.
or any(body.links,
strings.ilike(.display_text,
"*review*",
"*sign*",
"*view*",
"open",
"*completed document*",
"*open agreement*",
"*open document*",
"*continue*"
)
and not strings.ilike(.display_text,
"*view this email*",
"*view*browser*",
"*view online*"
)
)
)
// Negate replies & forwards.
// Passes when there is no References header, or when the subject carries none of
// the reply/forward prefixes below (optionally preceded by an EXT/EXTERNAL tag).
// NOTE(review): because of the final `or length(headers.references) == 0`, the
// In-Reply-To test does not appear to change the outcome. Confirm and simplify if so.
// NOTE(review): References and Subject are header values set by the sending side,
// so this clause is false-positive reduction rather than proof of a genuine thread.
and (
(
(
length(headers.references) > 0
or not any(headers.hops,
any(.fields, strings.ilike(.name, "In-Reply-To"))
)
)
and not (
(
strings.istarts_with(subject.subject, "RE:")
or strings.istarts_with(subject.subject, "RES:")
or strings.istarts_with(subject.subject, "R:")
or strings.istarts_with(subject.subject, "ODG:")
or strings.istarts_with(subject.subject, "答复:")
or strings.istarts_with(subject.subject, "AW:")
or strings.istarts_with(subject.subject, "TR:")
or strings.istarts_with(subject.subject, "FWD:")
or regex.imatch(subject.subject,
'^\[?/{0,2}(EXT|EXTERNAL)\]?/{0,2}[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
)
)
)
)
or length(headers.references) == 0
)
// Negate certain common topics (any listed topic with confidence other than "low")
and not any(ml.nlu_classifier(body.current_thread.text).topics,
.name in (
"Advertising and Promotions",
"Events and Webinars",
"Professional and Career Development",
"Newsletters and Digests"
)
and .confidence != "low"
)
// Sender trust: two ways to satisfy this clause.
//  1) SPF and DMARC both pass, the sender profile looks unfamiliar or previously
//     flagged, no prior message from the sender was benign, and the sender is not
//     on the Adobe-related exclusions below.
//  2) SPF or DMARC does not pass, or has no result (the explicit `is null` checks).
and (
(
headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
and (
not profile.by_sender().solicited
or profile.by_sender().any_messages_malicious_or_spam
or profile.by_sender_email().days_since.last_contact > 14
)
and not profile.by_sender().any_messages_benign
// Negate affiliates, sub-products & legitimate domains
// These exclusions sit inside the SPF+DMARC-pass branch only, so they do not
// suppress a match when authentication fails or is missing.
// NOTE(review): adobe.com itself is not listed; presumably it is covered by
// $high_trust_sender_root_domains in the final clause. Confirm against that list.
and not sender.email.domain.root_domain in (
"adobe-events.com",
"frame.io",
"nudgesecurity.io",
"adobesignsandbox.com",
"magento.com",
"workfront.com"
)
// Continued: exclude mail with zohomail.com among the header domains, or whose
// Message-ID ends with 'omniture.com>'
and not any(headers.domains, .root_domain == "zohomail.com")
and not strings.iends_with(headers.message_id, 'omniture.com>')
)
or not headers.auth_summary.spf.pass
or headers.auth_summary.spf.pass is null
or not headers.auth_summary.dmarc.pass
or headers.auth_summary.dmarc.pass is null
)
// Negate highly trusted sender domains unless they fail DMARC authentication
// NOTE(review): the clause above tests `dmarc.pass is null` separately, which
// suggests a missing DMARC result is not covered by `not ...dmarc.pass`. Confirm
// whether a high-trust domain with no DMARC result should still be negated here.
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)