type.inbound
and (
// matching proofpoint secure messaging
(
strings.contains(body.current_thread.text,
"Secured by Proofpoint Encryption,"
)
and not strings.iends_with(body.current_thread.text,
"Secured by Proofpoint Encryption, Copyright © 2009-2016 Proofpoint, Inc. All rights reserved."
)
)
or regex.icontains(body.current_thread.text,
('Copyright © 2009-202\d Proofpoint, Inc.')
)
or strings.icontains(body.html.raw, '<h1>Proofpoint |')
// body.html contains a suspicious title impersonating proofpoint
or (
any(html.xpath(body.html, '//title').nodes,
strings.icontains(.raw, "secure access")
and strings.icontains(.raw, 'Proofpoint')
)
)
// no links but has attachments which impersonate proofpoint
or any(attachments,
strings.icontains(file.parse_text(.).text, '<h1>Proofpoint |')
or any(html.xpath(file.parse_html(.), '//title').nodes,
strings.icontains(.raw, "secure access")
and strings.icontains(.raw, 'Proofpoint')
)
)
)
and (
// contains a link
length(body.current_thread.links) >= 1
// or an attachment (legit attachments negated in stanza below)
or length(attachments) > 0
)
// pfpt secure share uri
and not (
any(body.links,
// negate the actual dest of the legit "click here" link
.href_url.path == "/formpostdir/securereader"
// negate where the link domain is mimecast and check LA for the pfpt URI
or (
.href_url.domain.root_domain == "mimecastprotect.com"
and (
ml.link_analysis(., mode="aggressive").effective_url.path == "/formpostdir/securereader"
or any(ml.link_analysis(., mode="aggressive").redirect_history,
.path == "/formpostdir/securereader"
)
)
)
or (
.href_url.domain.root_domain == "mimecastprotect.com"
and .display_text =~ "Click here"
and strings.parse_domain(.href_url.query_params_decoded["domain"][0]).root_domain == sender.email.domain.root_domain
)
)
)
// negate actual SecureMessageAtt.html links that ave been quarantined by mimecast
and not any(attachments,
// pfpt attachment file
.file_name == "SecureMessageAtt.html"
// mimecast quarantine details
or (
.content_type == "message/rfc822"
and length(file.parse_eml(.).body.links) == 1
and any(file.parse_eml(.).body.links,
.display_text == "download it"
and .href_url.domain.root_domain == "mimecast.com"
)
and strings.ends_with(file.parse_eml(.).headers.message_id,
"@localhost>"
)
)
)
Playground
Test against your own EMLs or sample data.