Sublime Core Feed

Description

Detects messages impersonating Aquent, a staffing and talent solutions company, by looking for Aquent branding in the sender display name, or for Aquent branding together with one of Aquent's office addresses in the message body, when the sender's domain is not an authorized one.

References

No references.

Sublime Security
Created Oct 9th, 2025 • Last updated Oct 9th, 2025
Source
type.inbound
and (
  regex.icontains(sender.display_name, 'Aquent\b')
  // look for Aquent address from footer, or current address being used by actors
  or (
    strings.icontains(body.current_thread.text, 'Aquent')
    and (
      (
        strings.icontains(body.current_thread.text, '2884 Sand Hill Road')
        and strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025')
      )
      or (
        strings.icontains(body.current_thread.text, '501 Boylston St')
        and strings.icontains(body.current_thread.text, 'Boston, MA 02116')
      )
    )
  )
)
and not (
  sender.email.domain.root_domain in $org_domains
  or (
    sender.email.domain.root_domain in (
      "aquent.com",
      "dice.com",
      "roberthalf.com",
      "roberthalf.be",
      "service-now.com",
      "protiviti.com",
      "atlassian.net",
      "workday.com",
      "myworkday.com",
      "rapdev.io",
      "immersivelabs.com",
      "outsidegc.com"
    )
    and headers.auth_summary.dmarc.pass
  )
)
// not a forward or reply
and (headers.in_reply_to is null or length(headers.references) == 0)
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name == "Advertising and Promotions" and .confidence != "low"
)
// exclude Proofpoint Analyzer reviews of reported messages, which quote the reported content
and not (
  sender.email.email == "analyzer@analyzer.securityeducation.com"
  and any(headers.domains, .root_domain == "pphosted.com")
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
)