type.inbound
and
// message is from google actual
sender.email.domain.domain == 'google.com'
and (
sender.email.local_part == "drive-shares-noreply"
or sender.email.local_part == "drive-shares-dm-noreply"
)
// contains a comment
and strings.icontains(body.html.raw,
'<div style="margin-top:24px; color:#5F6368">'
)
// those comments contain what appears to be an email
and (
regex.icontains(body.html.raw,
'</div>\s*<div style="margin-top:24px; color:#5F6368">\s*(?:RE|FWD?)\s*:'
)
// the comment contains wording that relates to sharing a file
// the list before being sent through regexp-assemble
// "request to view", "shared a file", "sent you a file",
// "file access request", "view shared document",
// "pending file request", "document shared", "view a file",
// "file sent to you", "invited to view", "file access invite",
// "click to view", "open shared file", "drive file request"
or regex.icontains(body.html.raw,
'</div>\s*<div style="margin-top:24px; color:#5F6368">[^<]*(?:<[^\/][^<]*)*(?:file (?:access (?:request|invite)|sent to you)|(?:s(?:ent you|hared) a|open shared) file|d(?:rive file request|ocument shared)|(?:invited|request|click) to view|view (?:shared document|a file)|pending file request)[^<]*(?:<[^\/][^<]*)*</div>\s*</td>'
)
)
// not where the sender display name of the message is within org_display_names
and not (
// the message is from google actual
sender.email.email in (
'comments-noreply@docs.google.com',
'drive-shares-dm-noreply@google.com',
'drive-shares-noreply@google.com',
'calendar-notification@google.com'
)
and headers.auth_summary.dmarc.pass
// but the sender display name is within org_display_names
and (
any(regex.iextract(sender.display_name,
'^(?P<sender_display_name>.*)\((?:via )?Google'
),
.named_groups["sender_display_name"] in~ $org_display_names
)
or (
length(headers.reply_to) == 1
and all(headers.reply_to, .email.domain.domain in $org_domains)
)
)
)
Playground
Test against your own EMLs or sample data.