Credential phishing: Generic document sharing

type.inbound
// exclude if it's a reply to an existing conversation
and not length(body.previous_threads) > 0
and (
  // subject contains document sharing language
  regex.icontains(subject.base,
                  '\b(has\s+sent\s+you|sent\s+you|shared\s+with\s+you|document\s+to\s+review|document\s*(number|num|#)|file\s+to\s+review|proposal\s+document|new\s+document|document\s+.{0,20}assigned|(complete|review|shared?).{0,20}agreement.{0,20}|document\s+(?:transfer|shared))\b'
  )
  or strings.icontains(subject.subject, 'document to review')
  or strings.icontains(subject.subject, 'file to review')
  or strings.icontains(subject.subject, 'sent you')
  or strings.icontains(subject.subject, 'eDocuments Notification')
  // or recipient's SLD is the subject
  or (
    subject.base == sender.email.domain.sld
    // account for near-matches
    or (
      length(subject.base) < length(sender.email.domain.sld)
      and any([subject.base], strings.icontains(sender.email.domain.sld, .))
    )
  )
)
and (
  // body contains document sharing language
  regex.icontains(body.current_thread.text,
                  '\b(document\s+I\s+sent|proposal\s+document|(proposal|documents?)\s+for\s+your\s+(approval|consideration|review|signature)|see\s+the\s+below|document.*review|file.*review|let\s+me\s+know\s+what\s+you\s+think|shared.{0,50}document)\b'
  )
  or strings.icontains(body.current_thread.text, 'document I sent')
  or strings.icontains(body.current_thread.text, 'proposal document')
  or strings.icontains(body.current_thread.text, 'let me know what you think')
  // account for image-as-content
  or (
    length(body.current_thread.text) < 10
    and (
      regex.icontains(beta.ocr(file.message_screenshot()).text,
                      '\b(document\s+I\s+sent|proposal\s+document|see\s+the\s+below|document.*review|file.*review|let\s+me\s+know\s+what\s+you\s+think|shared.{0,50}document)\b'
      )
      or strings.icontains(beta.ocr(file.message_screenshot()).text,
                           'document I sent'
      )
      or strings.icontains(beta.ocr(file.message_screenshot()).text,
                           'proposal document'
      )
      or strings.icontains(beta.ocr(file.message_screenshot()).text,
                           'let me know what you think'
      )
    )
  )
)
// has links that look like file attachments but aren't
and any(filter(body.links,
               // display text looks like a file
               (
                 regex.icontains(.display_text,
                                 '\.(pdf|doc|docx|goto|xls|xlsx|ppt|pptx)'
                 )
                 or regex.icontains(.display_text, '\d+kb|\d+mb')
                 or strings.icontains(.display_text, 'document')
                 or strings.icontains(.display_text, 'proposal')
                 or strings.icontains(.display_text, 'review')
                 // account for image-as-content
                 or (
                   length(body.current_thread.text) < 10
                   and length(body.links) == 1
                 )
               )
               // but the URL doesn't point to legitimate file sharing
               and .href_url.domain.root_domain not in (
                 "sharepoint.com",
                 "google.com",
                 "drive.google.com",
                 "dropbox.com",
                 "box.com",
                 "onedrive.com",
                 "1drv.ms",
                 "aka.ms",
                 "microsoft.com",
                 "office.com",
                 "docusign.com",
                 "adobesign.com",
                 "hellosign.com",
                 "signable.app"
               )
        ),
        // and points to suspicious domains
        .href_url.domain.tld in $suspicious_tlds
        or .href_url.domain.root_domain in $url_shorteners
        or .href_url.domain.domain in $url_shorteners
        or .href_url.domain.root_domain in $free_file_hosts
        or .href_url.domain.domain in $free_file_hosts
        // or it's a forms/survey platform being abused in self_service_creation_platform_domains
        or .href_url.domain.root_domain in $self_service_creation_platform_domains
        or .href_url.domain.domain in $self_service_creation_platform_domains
        // bulk mailer abuse has been observed
        or (
          .href_url.domain.root_domain in $bulk_mailer_url_root_domains
          and .href_url.domain.sld not in $org_slds
        )
        // or the page redirects to common website, observed when evasion happens
        or (
          length(ml.link_analysis(., mode="aggressive").redirect_history) > 0
          and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
        )
        // or common email marketing/tracking patterns
        or regex.match(.href_url.url, 'url\d+\..*\.com/ls/click')
        or regex.match(.href_url.path, '/ls/click|/click|/c/')
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  profile.by_sender().solicited == false
  or profile.by_sender_email().prevalence == "new"
  or profile.by_sender_email().days_since.last_contact > 30
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
  // or it's a spoof of the org_domain
  or (
    sender.email.domain.domain in $org_domains
    and not (
      headers.auth_summary.spf.pass
      or coalesce(headers.auth_summary.dmarc.pass, false)
    )
  )
)
and not profile.by_sender().any_messages_benign