type.inbound
// from Adobe Actual
and strings.icontains(sender.display_name, 'via Adobe')
and sender.email.email == 'message@adobe.com'
and headers.auth_summary.dmarc.pass
// contains a link to open or review a share
and any(body.links, .display_text =~ "open" or .display_text =~ "review")
// not sent from a Adobe User within the org's domains
and not any($org_domains,
strings.icontains(sender.display_name,
strings.concat("@", ., ' via Adobe')
)
// sometimes the email is in parentheses
or strings.icontains(sender.display_name,
strings.concat("@", ., ') via Adobe')
)
)
and (
// the comments observed wording, using the html to make sure it's in the actor controlled section of the message
regex.icontains(body.html.raw,
'<tr>[\r\n]+<td style="color:#505050; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:18px; line-height:26px; padding-top:20px;">[\r\n]+<xmp style="font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:18px; line-height:26px overflow-x:auto; white-space:pre-wrap; white-space:-moz-pre-wrap; white-space:-pre-wrap; white-space:-o-pre-wrap; word-wrap:break-word;">Please review the attached below for your reference,'
)
// the filename shared
or regex.icontains(body.html.raw,
// , ends in some random numbers
'<td style="color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;">[\r\n]+<strong>[^\<]+<\/strong> (invited you to review|has shared) <strong>[^\<]+([]|[[:punct:]\s](?:AP|AR)?\d+[a-z]?)<\/strong></td>[\r\n]+</tr>'
)
// contains all capital letters, allowing for numbers
or regex.contains(body.html.raw,
'<td style="color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;">[\r\n]+<strong>[^\<]+<\/strong> (invited you to review|has shared) <strong>(?:[A-Z0-9_\-\s]+)<\/strong></td>[\r\n]+</tr>',
)
// contains commonly observed themes used by actors
or regex.icontains(body.html.raw,
// , ends in some random numbers
'<td style=\"color:#000000; font-family:adobe-clean, Helvetica Neue, Helvetica, Verdana, Arial, sans-serif; font-size:24px; line-height:26px; padding-top:65px;\">[\r\n]+<strong>[^\<]+<\/strong> invited you to review <strong>[^\<]*(Invoice|Payment|Agreement|Settlements|Overdue|Confidential|Transaction)[^\<]*<\/strong></td>[\r\n]+</tr>')
// the NLU detected "sender" is included within the body wrapped with new lines indicating it's a "signature"
or any(filter(ml.nlu_classifier(body.current_thread.text).entities,
.name == "sender" and .text not in ('Customer Support', 'SHARED ON')
// in some cases the filename is detected as the sender
// we can filter out this case when the detected "sender"
// text is the file shared
and not strings.icontains(body.current_thread.text,
strings.concat("invited you to edit\n",
.text,
"\nOpen"
)
)
),
strings.icontains(body.current_thread.text,
strings.concat("\n", .text, "\n")
)
)
// finally we'll hit the actual page and see if we can get some enrichment functions to give up some gold
or any(filter(body.links, .display_text =~ "open" or .display_text =~ "review"),
// detected as Microsoft
any(ml.logo_detect(ml.link_analysis(., mode="aggressive").screenshot).brands, .name in ("Microsoft") and .confidence == "high")
)
)
Playground
Test against your own EMLs or sample data.