type.inbound
and (
// no previous threads
length(body.previous_threads) == 0
// or is a fake thread
or (
(length(headers.references) == 0 or headers.in_reply_to is null)
and (
subject.is_reply
or subject.is_forward
or length(body.previous_threads) > 0
)
)
)
and any(filter(html.xpath(body.html, '//a[@href]').nodes,
// blue button background, background-color and observed colors
regex.icontains(.raw,
'(?:background(?:-color)?)\s*[:\s]\s*#(?:0078d4|3a78d1)'
)
),
(
// it's styled as a button
regex.icontains(.raw, 'padding')
)
// ignore links going to microsoft
and not any(.links,
(
.href_url.domain.sld in (
"microsoft",
"azure",
"outlook.office365",
"office365"
)
)
or .href_url.domain.domain in $tenant_domains
or (
.href_url.domain.root_domain in (
"mimecast.com",
"mimecastprotect.com"
)
and any(.href_url.query_params_decoded['domain'],
strings.parse_domain(.).domain in (
"microsoft.com",
"azure.com",
"outlook.office365.com",
"office365.com"
)
or strings.parse_domain(.).domain in $tenant_domains
)
)
)
)
and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
// negate attachments that contain the known microsoft content type
and not any(attachments,
strings.icontains(.content_type, 'x-microsoft-rpmsg-message')
)
// negate microsoft emails who pass auth
and not (
sender.email.domain.root_domain == "microsoft.com"
and headers.auth_summary.dmarc.pass
)
Playground
Test against your own EMLs or sample data.