// Flags inbound mail whose content looks like a Box or SignRequest notification
// but whose sender is not an authenticated Box, SignRequest or high-trust domain.
type.inbound
// Content signals: any one of the alternatives in this group is enough.
and (
(
// Box logo detected in the message screenshot, together with
// sharing-invite or item-activity wording in the body or the subject
any(ml.logo_detect(file.message_screenshot()).brands, .name == "Box")
and any([body.current_thread.text, subject.subject],
regex.icontains(.,
'invited you to.{0,10}(?:view|edit|work together|collaborate)',
'items were (?:deleted|added)'
)
)
)
// Box footer text: at least two of these three strings must be present
or 2 of (
strings.icontains(body.current_thread.text, 'About Box'),
strings.icontains(body.current_thread.text, '900 Jefferson Ave'),
strings.icontains(body.current_thread.text, 'Redwood City, CA 94063')
)
// SignRequest boilerplate phrases found in the body
or strings.icontains(body.current_thread.text,
"who is using SignRequest.com, an electronic signature tool"
)
or strings.icontains(body.current_thread.text, "sent by SignRequest BV")
)
// Exclude mail from the listed sender root domains, but only when DMARC passes.
// coalesce(..., false) makes a missing DMARC result count as a failure, so
// unauthenticated mail claiming one of these domains stays in scope.
and not (
sender.email.domain.root_domain in (
"box.com",
"liftoff.io",
"signrequest.com"
)
and coalesce(headers.auth_summary.dmarc.pass, false)
)
// negate highly trusted sender domains unless they fail DMARC authentication
// (a missing DMARC result is treated as a failure here as well)
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
// not a forward or reply: matches when In-Reply-To is absent or References is empty
and (headers.in_reply_to is null or length(headers.references) == 0)
// negation for messages traversing box.com
// happens with custom sender domains
// NOTE(review): unlike the two negations above, spf.pass and dmarc.pass are not
// wrapped in coalesce(..., false) here. Confirm how a missing (null) auth result
// evaluates inside this negation; if it can suppress the match, wrap both the
// same way so unauthenticated mail is not silently skipped.
and not (
any(headers.domains, .root_domain == "box.com")
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
)