type.inbound
and (
strings.ilike(sender.display_name, '*dropbox*')
or strings.ilevenshtein(sender.display_name, 'dropbox') <= 1
or strings.ilike(sender.email.domain.domain, '*dropbox*')
or any(body.links,
.display_url.domain.root_domain == "dropbox.com"
and .mismatched
and not .href_url.domain.root_domain in (
"mimecast.com",
"mimecastprotect.com"
)
)
or regex.icontains(body.current_thread.text,
'invited you to view the file ".*" on Dropbox',
'dr[o0]pb[o0]x.{0,20}share.{0,20}f[i1|][i1|l]es?'
)
)
and sender.email.domain.root_domain not in~ (
'dropbox.com',
'dropboxforum.com',
'dropboxsign.com'
)
and (
any(attachments,
.file_type in $file_types_images
and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*dropbox*"))
)
or any(body.links,
(
(
strings.ilike(.display_text,
"*review*",
"*sign*",
"*view*",
"*completed document*",
"*open agreement*",
"*open document*",
"*open file*"
)
and not strings.ilike(.display_text, "*view this email in*")
)
or (
.display_text is null
and .href_url.domain.root_domain in $free_file_hosts
)
)
and .href_url.domain.root_domain != "dropbox.com"
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
)
or (
length(ml.logo_detect(file.message_screenshot()).brands) != 0
and all(ml.logo_detect(file.message_screenshot()).brands,
.name == "Dropbox"
)
)
)
and sender.email.email not in $recipient_emails
// negate dropbox fax (aka hellofax)
and not sender.email.domain.root_domain == 'hellofax.com'
// negate iCloud Private Message Relay
and not (
sender.email.domain.root_domain == "privaterelay.appleid.com"
or any(headers.hops, any(.fields, .name == "X-ICLOUD-HME"))
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.