type.inbound
// use distinct "urls" (without query params) to determine number of links
and 0 < length(distinct(body.links,
// strip out query params to determine
// the unique number of links
strings.concat(.href_url.scheme,
.href_url.domain.domain,
.href_url.path
)
)
) <= 8
// HR language found in subject
and (
(
length(subject.subject) > 20
and regex.icontains(subject.subject,
'(time.{0,4}sheet)|(employ|complete|update(?:d| to)).{0,30}(benefit|handbook|comp\b|compensation|salary|\bpay(?:roll)?\b|policy|conduct|acknowl|PTO|vacation|assess|eval)|(HR|Human Resources).{0,5}ADM[il]N',
// shorten the distance to 3 or less words for the word "review"
// special handling of benefits
'\breview\b(?:\w+(?:\s\w+)?|[[:punct:]]+|\s+){0,3}(benefits?(?:$|.?(?:statement|enrollment))|handbook|comp\b|compensation|salary|bonus|\bpay(?:roll)?\b)',
// handle the year in the subject, and expand the distance to 5 or less words
'20\d{2}\b(?:\w+(?:\s\w+)?|[[:punct:]]+|\s+){0,5}(benefits?(?:$|.?(?:statement|enrollment))|handbook|comp\b|compensation|salary|bonus|\bpay(?:roll)?\b)'
)
)
// or HR language found in sender
or (
regex.icontains(sender.display_name,
'(Employ|Time.{0,3}sheet|\bHR\b|Human R|Handbook|\bIT[- ]|Help.{0,3}Desk)|Internal.?Comm|Enroll?ment Service|Open Enroll?ment|Admin Support'
)
and not regex.icontains(sender.display_name,
"forum|employee voice|briefs|newsletter|screening"
)
and not regex.icontains(sender.display_name,
"HR (new|vue|view|tech admin|global)"
)
and not strings.icontains(sender.display_name, "get it")
)
// or assessment report language found in body
or (
regex.icontains(body.current_thread.text,
'20\d{2}(?:[[:punct:]](?:20)?\d{2})? (?:\w+ )?assessment report'
)
)
// or HR department language found in body via NLU
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name in ("org", "sender")
and regex.icontains(.text, '\bhr\b', 'human resources', 'operations department')
)
)
// suspicious display_text
and (
any(body.links,
regex.icontains(.display_text,
'((verify|view|click|download|goto|keep|Vιew|release|access|open|allow|deny).{0,10}(request|here|report|attachment|current|download|fax|file|document|message|same|doc|access)s?)'
)
and not strings.ilike(.display_text, "*unsub*")
and not strings.ilike(.href_url.url, "*privacy-policy*")
and not strings.ilike(.display_text, "*REGISTER*")
// from a low reputation link
and (
not .href_url.domain.root_domain in $org_domains
and (
(
.href_url.domain.root_domain not in $tranco_1m
or .href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
or .href_url.domain.domain in $url_shorteners
or .href_url.domain.domain in $social_landing_hosts
)
or
// or mass mailer link, masks the actual URL
.href_url.domain.root_domain in (
"hubspotlinks.com",
"mandrillapp.com",
"sendgrid.net",
"rs6.net",
"mailanyone.net",
"perspectivefunnel.co"
)
)
)
)
// or credential theft confidence high
or (
length(body.links) > 0
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
and not sender.email.domain.root_domain in (
"servicenowservices.com",
"workplaceextras.com",
"tempo.io",
"or.us",
"proofpoint.com"
)
)
or any(filter(attachments, .content_type == "message/rfc822" or .file_extension in ('eml')),
any(file.parse_eml(.).attachments,
any(file.explode(.),
regex.icontains(.scan.ocr.raw, 'scan|camera')
and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
)
)
)
)
// negate messages where "click here" was found and was a link actually an unsub link
// this method allows for matching on other 'click here' links if they are present
and not (
length(filter(body.links, strings.icontains(.display_text, 'click here'))) > 0
and (
length(filter(body.links, strings.icontains(.display_text, 'click here'))) == strings.icount(body.current_thread.text,
'click here to unsubscribe'
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
or sender.email.domain.root_domain in $org_domains
)
and not headers.auth_summary.dmarc.pass
)
or (
sender.email.domain.root_domain not in $high_trust_sender_root_domains
and sender.email.domain.root_domain not in $org_domains
)
)
// not from sharepointonline actual
and not (
sender.email.domain.root_domain == "sharepointonline.com"
and strings.ends_with(headers.message_id, '@odspnotify>')
and strings.starts_with(headers.message_id, "<Spo")
)
// netate common FP topics
and not any(beta.ml_topic(body.current_thread.text).topics,
.name in (
"Events and Webinars",
"Advertising and Promotions",
"Newsletters and Digests"
)
and .confidence == "high"
)
// negate common helpdesk/HR platforms
and not any(headers.domains,
.root_domain in (
"freshemail.io",
"zendesk.com",
"employeenavigator.com",
"saashr.com" // Kronos owned Saas HR offering
)
)
// negate observed HR newsletters
and not (
any(headers.hops,
strings.icontains(.authentication_results.spf_details.designator,
"constantcontact.com"
)
)
and strings.starts_with(sender.email.local_part, 'newsletters-hr')
and sender.email.domain.root_domain == "ccsend.com"
)
// the message is unsolicited and no false positives
and (
not profile.by_sender_email().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
or (
profile.by_sender().any_messages_malicious_or_spam
and profile.by_sender().any_messages_benign
and (not headers.auth_summary.dmarc.pass or not headers.auth_summary.spf.pass)
)
)
// negate instances where proofpoint sends a review of a reported message via analyzer
and not (
sender.email.email == "analyzer@analyzer.securityeducation.com"
and any(headers.domains, .root_domain == "pphosted.com")
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
)
Playground
Test against your own EMLs or sample data.