Description

Detects messages with SharePoint reply headers that lack standard reply characteristics and contain inconsistencies in thread elements and recipient patterns

References

No references.

Sublime Security
Created Mar 3rd, 2025 • Last updated Mar 3rd, 2025
Source
type.inbound
// appears to be a reply 
and strings.istarts_with(headers.in_reply_to, '<Share-')
and strings.ends_with(headers.in_reply_to, '@odspnotify>')
and any([body.current_thread.text, body.plain.raw],
    strings.ilike(.,
                  "*shared a file with you*",
                  "*shared with you*",
                  "*invited you to access a file*",
                  "*received a document*",
                  "*shared a document*",
                  "*shared a new document*",
                  "*shared this document*"
    )
)
and ( // but lacks other reply elements
  not (
    strings.istarts_with(subject.subject, "RE:")
    or strings.istarts_with(subject.subject, "RES:")
    or strings.istarts_with(subject.subject, "R:")
    or strings.istarts_with(subject.subject, "ODG:")
    or strings.istarts_with(subject.subject,
                            "答复:"
    ) // response
    or strings.istarts_with(subject.subject,
                            "回复:"
    ) // reply
    or strings.istarts_with(subject.subject, "AW:")
    or strings.istarts_with(subject.subject, "TR:")
    or strings.istarts_with(subject.subject, "FWD:")
    or strings.istarts_with(subject.subject, "Resposta automática:")
    or strings.istarts_with(subject.subject, "Automatische Antwort:")
    or strings.istarts_with(subject.subject, "Autosvar:")
    or regex.icontains(subject.subject,
                       '^(?:(?:\[[^\]]+\]\s?|EXT(?:ERNAL)?\s?){0,3}|[[:punct:]]{0,3}\w+[[:punct:]]{0,3}\s)(?:r[ev]|fwd?|tr|aw|automat(ic|ed) reply)\s?:'
    )
  )
  // the sender is the recipient 
  // or the recipients are hidden
  or (
    (
      sender.email.email in map(recipients.to, .email.email)
      and sum([
                length(recipients.bcc),
                length(recipients.to),
                length(recipients.cc)
              ]
      ) == 1
    )
    or length(recipients.to) == 0
    or all(recipients.to, .email.email is null or .email.email == "")
  )
)

// lack a previous thread with sharepoint stuff
and not any([body.current_thread.text, body.html.display_text, body.plain.raw],
            3 of (
              strings.icontains(., "from:"),
              strings.icontains(., "to:"),
              strings.icontains(., "sent:"),
              strings.icontains(., "date:"),
              strings.icontains(., "cc:"),
              strings.icontains(., "subject:")
            )
            and regex.icontains(.,
                                '(?:from|to|sent|date|cc|subject|wrote):.*shared with you',
                                '(?:from|to|sent|date|cc|subject|wrote):.*shared the folder .* with you',
                                '(?:from|to|sent|date|cc|subject|wrote):.*invited you to view a file',
            )
)

// negate bouncebacks and undeliverables
and not any(attachments,
            .content_type in (
              "message/global-delivery-status",
              "message/delivery-status"
            )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.