• Sublime Core Feed

Description

Detects DocuSign-themed phishing emails that contain no DocuSign links, embed a DocuSign logo in the message body, and come from a new sender.

References

No references.

Sublime Security
Created Nov 21st, 2023 • Last updated Nov 18th, 2025
Source
type.inbound
// link boundary: cap the number of links whose domain parses as valid, so bulk/newsletter
// style messages with many links are out of scope
and length(filter(body.links, .href_url.domain.valid)) < 25

// there are no attachments, or only small, likely signature images
and (
  length(attachments) == 0
  or (
    length(attachments) > 0
    and all(attachments, .size < 8000 and .file_type in $file_types_images)
  )
)

// Screenshot indicates a docusign logo or docusign name with cta to documents
// Two signals are required on the rendered message screenshot:
//   1. a DocuSign brand signal (OCR text or logo detection), and
//   2. a document call-to-action, either in the OCR text or in a non-DocuSign link
and (
  (
    //
    // This rule makes use of a beta feature and is subject to change without notice
    // using the beta feature in custom rules is not suggested until it has been formally released
    //
    // brand signal: "DocuSign" appears in the OCR'd screenshot text, or the logo detector
    // reports the DocuSign brand
    strings.ilike(beta.ocr(file.message_screenshot()).text, "*DocuSign*")
    or any(ml.logo_detect(file.message_screenshot()).brands,
          .name == "DocuSign"
    )
  )
  and (
    (
      (
        //
        // This rule makes use of a beta feature and is subject to change without notice
        // using the beta feature in custom rules is not suggested until it has been formally released
        //
        // call-to-action signal: the OCR text matches any of these document-related phrases
        regex.icontains(beta.ocr(file.message_screenshot()).text,
                        "((re)?view|access|sign|complete(d)?) documen(t)?(s)?",
                        "Your document has been completed",
                        "New Document Shared with you",
                        "Kindly click the link",
                        "important edocs",
                        // German (Document (check|check|sign|sent))
                        "Dokument (überprüfen|prüfen|unterschreiben|geschickt)",
        )
        // German (important|urgent|immediate) but not in the Microsoft link
        // Microsoft's sender-identification banner ("Erfahren Sie, warum dies wichtig ist" /
        // "Learn why this is important") itself contains "wichtig", so when that banner link
        // is present more than one hit is required; otherwise a single hit is enough
        or (
          (
            any(body.links,
                .display_text == "Erfahren Sie, warum dies wichtig ist"
                and .href_url.url == "https://aka.ms/LearnAboutSenderIdentification"
            )
            and regex.icount(beta.ocr(file.message_screenshot()).text,
                            "(wichtig|dringend|sofort)"
            ) > 1
          )
          or (
            not any(body.links,
                    .display_text == "Erfahren Sie, warum dies wichtig ist"
                    and .href_url.url == "https://aka.ms/LearnAboutSenderIdentification"
            )
            and regex.icount(beta.ocr(file.message_screenshot()).text,
                            "(wichtig|dringend|sofort)"
            ) > 0
          )
        )
      )
      // ... and at least one link that does not go to docusign.* and has neither display text
      // nor a display URL (indicative of a hyperlinked image)
      and any(body.links,
              not strings.ilike(.href_url.domain.root_domain, "docusign.*")
              and (.display_text is null and .display_url.url is null)
      )
    )
    // or a link that does not go to docusign.* whose display text references a document:
    // confusable characters are normalized before the regex, and the second pattern is
    // "REVIEW DOCUMENT" with U+200F (RIGHT-TO-LEFT MARK) inserted between characters,
    // which would otherwise defeat a plain substring match
    or any(body.links,
          not strings.ilike(.href_url.domain.root_domain, "docusign.*")
          and (
            regex.icontains(strings.replace_confusables(.display_text),
                            '(\bdocument|(view|get your) (docu|file))'
            )
            or strings.icontains(.display_text,
                                  "R\u{200F}E\u{200F}V\u{200F}I\u{200F}E\u{200F}W\u{200F} \u{200F}D\u{200F}O\u{200F}C\u{200F}U\u{200F}M\u{200F}E\u{200F}N\u{200F}T\u{200F}"
            )
          )
    )
  )
)

// sender reputation: the sender is unsolicited (new), or has prior malicious/spam messages
// and no prior benign ones
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
// NOTE(review): if dmarc.pass is null for a high-trust domain, "not null" is not true and
// the message is negated as well -- confirm this is the intended handling
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

// negate legit replies: a References header, or an In-Reply-To field on any hop
and not (
  length(headers.references) > 0
  or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
// no prior benign messages from this sender at all
// (this also makes the any_messages_benign check in the sender reputation clause above redundant)
and not profile.by_sender().any_messages_benign

// negate docusign X-Return-Path
// the first hop (index 0) carries an X-Return-Path ending in docusign.net
and not any(headers.hops,
            .index == 0
            and any(.fields,
                    .name == "X-Return-Path"
                    and strings.ends_with(.value, "docusign.net")
            )
)

// negate "via" senders via dmarc authentication
// relayed messages whose display name contains "via", whose sender domain is one of the
// org's domains, and which pass DMARC are excluded; coalesce turns a null DMARC result
// into false so that the negation still holds
and (
  not coalesce(headers.auth_summary.dmarc.pass
              and strings.contains(sender.display_name, "via")
              and sender.email.domain.domain in $org_domains,
              false
  )
)