Brand Impersonation: ShareFile

type.inbound
and (
  0 < length(body.links) < 100
  or 0 < length(filter(attachments, .file_type in $file_types_images)) <= 5
  or length(filter(attachments, .file_type == "pdf")) == 1
)
and (
  strings.icontains(sender.display_name, 'ShareFile')
  or strings.icontains(subject.subject, 'ShareFile Attachments')
  or strings.ilevenshtein(sender.display_name, 'ShareFile') <= 2
  or strings.icontains(sender.email.domain.domain, 'sharefile')
  // message body
  or strings.icontains(body.current_thread.text, 'ShareFile Attachments')
  or strings.icontains(body.current_thread.text,
                       'Click here to change how often ShareFile sends emails'
  )
  or strings.icontains(body.current_thread.text,
                       'uses ShareFile to share documents securely'
  )
  or strings.icontains(body.current_thread.text,
                       'ShareFile is a tool for sending, receiving, and organizing your business files online'
  )
 or regex.icontains(body.current_thread.text,
                     'shared a (?:file|document)\s*(?:\w+\s+){0,3}\s*via sharefile'

  )
  or strings.icontains(body.current_thread.text, 'Powered By Citrix ShareFile')
  or regex.icontains(body.current_thread.text, '© 20\d\d ShareFile')

  // any of the attached images contain the same message body wording
  or (
    0 < length(attachments) <= 5
    and (
      all(attachments, .file_type in $file_types_images)
      or (
        length(filter(attachments, .file_type == "pdf")) == 1
      )
    )
    and any(attachments,
            any(file.explode(.),
                strings.icontains(.scan.ocr.raw, 'ShareFile Attachments')
                or strings.icontains(.scan.ocr.raw,
                                     'Click here to change how often ShareFile sends emails'
                )
                or strings.icontains(.scan.ocr.raw,
                                     'uses ShareFile to share documents securely'
                )
                or strings.icontains(.scan.ocr.raw,
                                     'ShareFile is a tool for sending, receiving, and organizing your business files online'
                )
                or strings.icontains(.scan.ocr.raw,
                                     'Powered By Citrix ShareFile'
                )
                or regex.icontains(body.current_thread.text,
                                   '© 20\d\d ShareFile'
                )
            )
    )
  )
)
and not (
  sender.email.domain.root_domain in (
    'sf-notifications.com',
    'sharefile.com',
    'cloud.com', // previous parent org of ShareFile
    'progress.com' // progress.com is the parent org of ShareFile
  )
  and headers.auth_summary.dmarc.pass
)
// ShareFile also allows you customers to send from customer domains/mail servers
// https://docs.sharefile.com/en-us/sharefile/configure/admin-settings/advanced-preferences.html#smtp-server
// when this happens, we cannot depend on the sender.email.domain.root_domain
// there does appear to be a custom header value added though. 
and not (
  any(headers.hops,
      .index == 0
      and any(.fields,
              (
                .name =~ "X-SMTPAPI"
                and strings.icontains(.value, 'sf_event_id')
              )
              or .name in~ ("x-sf-messageclass", "x-sf-uri")
      )
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)