// Inbound, attachment-free "message from ..." notice (scanner / voicemail lure):
// the body (or, failing that, OCR of a message screenshot) carries scanner-style
// phrasing, the one or two links present look suspicious, and the sender has no
// benign history with the org.
type.inbound
and length(attachments) == 0
and 0 < length(body.links) < 3
and strings.ilike(subject.subject, "*message from*")
and sender.email.domain.domain not in~ $org_domains

// Scanner-notice phrasing. Checked in the rendered thread text first; the OCR branch
// covers image-only bodies. "unmonitored" phrasing excludes routine system notices.
// NOTE: beta.ocr is a beta feature and may change without notice; relying on beta
// features in custom rules is not recommended until they are formally released.
and (
  (
    strings.ilike(body.current_thread.text, "*scan date*", "*was sent from*")
    and not strings.ilike(body.current_thread.text, "*unmonitored*")
  )
  or (
    strings.ilike(beta.ocr(file.message_screenshot()).text,
                  "*scan date*",
                  "*was sent from*")
    and not strings.ilike(beta.ocr(file.message_screenshot()).text, "*unmonitored*")
  )
)

// Link hygiene: every link resolves outside the org (and not to aka.ms), and at
// least one link is hosted on a free file host, shows a display URL that differs
// from its href, or has no display URL at all.
and all(body.links,
        .href_url.domain.domain not in~ $org_domains
        and .href_url.domain.domain not in ("aka.ms")
)
and (
  any(body.links, .href_url.domain.root_domain in~ $free_file_hosts)
  or any(body.links, .display_url.url != .href_url.url)
  or any(body.links, .display_url.url is null)
)

// Sender reputation: never seen benign, and either unsolicited or previously
// flagged as malicious/spam. (Same truth table as the original nested form, where
// "not any_messages_benign" applied to both branches.)
and not profile.by_sender().any_messages_benign
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)