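// Inbound messages carrying Proofpoint Encryption / Secure Reader branding in the
// current thread, minus the cases where the links or attachments actually resolve to
// the legitimate Proofpoint secure-reader path (directly, or behind a Mimecast rewrite
// / Mimecast quarantine wrapper).
type.inbound
and (
  // matching proofpoint secure messaging (body banner text, trailing comma included)
  strings.contains(body.current_thread.text,
                   "Secured by Proofpoint Encryption,"
  )
  // footer copyright line; the end year is left open-ended (20\d{2}) so the rule
  // keeps matching after 2029, and the literal "." in "Inc." is escaped so it is not
  // treated as a wildcard
  or regex.icontains(body.current_thread.text,
                     'Copyright © 2009-20\d{2} Proofpoint, Inc\.'
  )
)
// the current thread must contain at least one link for the negations below to matter
and length(body.current_thread.links) >= 1
// pfpt secure share uri
and not (
  any(body.links,
      // negate the actual dest of the legit "click here" link
      .href_url.path == "/formpostdir/securereader"
      // negate where the link domain is mimecast and check LA (link analysis) for
      // the pfpt URI, either as the effective URL or anywhere in the redirect chain
      or (
        .href_url.domain.root_domain == "mimecastprotect.com"
        and (
          ml.link_analysis(., mode="aggressive").effective_url.path == "/formpostdir/securereader"
          or any(ml.link_analysis(., mode="aggressive").redirect_history,
                 .path == "/formpostdir/securereader"
          )
        )
      )
      // mimecast-rewritten "Click here" link whose wrapped "domain" query parameter
      // resolves to the same root domain as the sender (=~ is case-insensitive)
      or (
        .href_url.domain.root_domain == "mimecastprotect.com"
        and .display_text =~ "Click here"
        and strings.parse_domain(.href_url.query_params_decoded["domain"][0]).root_domain == sender.email.domain.root_domain
      )
  )
)
// negate actual SecureMessageAtt.html links that have been quarantined by mimecast
and not any(attachments,
            // pfpt attachment file
            .file_name == "SecureMessageAtt.html"
            // mimecast quarantine details: an attached message/rfc822 whose parsed body
            // holds exactly one mimecast.com "download it" link and a localhost message-id
            or (
              .content_type == "message/rfc822"
              and length(file.parse_eml(.).body.links) == 1
              and any(file.parse_eml(.).body.links,
                      .display_text == "download it"
                      and .href_url.domain.root_domain == "mimecast.com"
              )
              and strings.ends_with(file.parse_eml(.).headers.message_id,
                                    "@localhost>"
              )
            )
)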