type.inbound
and any(attachments,
(
// Word documents
strings.iends_with(.file_name, ".doc")
or strings.iends_with(.file_name, ".docx")
or strings.iends_with(.file_name, ".docm")
or .content_type == "application/msword"
or .content_type == "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
or .file_type in ("doc", "docx")
or
// Excel documents
strings.iends_with(.file_name, ".xls")
or strings.iends_with(.file_name, ".xlsx")
or strings.iends_with(.file_name, ".xlsm")
or .content_type == "application/vnd.ms-excel"
or .content_type == "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
or .file_type in ("xls", "xlsx")
or
// PowerPoint documents
strings.iends_with(.file_name, ".ppt")
or strings.iends_with(.file_name, ".pptx")
or strings.iends_with(.file_name, ".pptm")
or .content_type == "application/vnd.ms-powerpoint"
or .content_type == "application/vnd.openxmlformats-officedocument.presentationml.presentation"
or .file_type in ("ppt", "pptx")
or
// Access documents
strings.iends_with(.file_name, ".accdb")
or strings.iends_with(.file_name, ".mdb")
or .content_type == "application/msaccess"
or .content_type == "application/x-msaccess"
or .content_type == "application/vnd.ms-access"
)
and any(file.explode(.),
any(.scan.yara.matches, .name == 'aes_encryption_keywords')
)
)
// Negating high-trust sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.