Link: File sharing impersonation with suspicious language and sending patterns

type.inbound
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "File Sharing and Cloud Services" and .confidence != "low"
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("bec", "cred_theft") and .confidence != "low"
)
and any(body.links,
        regex.icontains(.display_text, "document", "download")
        and .href_url.domain.root_domain != sender.email.domain.root_domain
        and .href_url.domain.root_domain not in $tranco_1m
        and .href_url.domain.root_domain not in $org_domains
        and .href_url.domain.valid

        // Exclude legitimate document services
        and not .href_url.domain.root_domain in $free_file_hosts
)
// suspicious sending/recipient pattern
and 1 of (
  (
    length(recipients.to) == 1
    and recipients.to[0].email.email == sender.email.email
  ),
  any(headers.reply_to,
      .email.domain.domain in $free_email_providers
      and .email.domain.domain != sender.email.domain.domain
  ),
  (
    length(recipients.to) == 1
    and length(recipients.cc) == 1
    and recipients.to[0].email.email == recipients.cc[0].email.email
  ),
  (
    strings.icontains(headers.return_path.local_part, "+SRS=")
    or strings.icontains(headers.auth_summary.spf.details.designator, "+SRS=")
    or any(headers.hops,
           strings.icontains(.authentication_results.spf_details.designator,
                             '+SRS='
           )
    )
  ),
  // No recipients visible
  (
    length(recipients.to) == 0
    or all(recipients.to,
           .display_name in ("Undisclosed recipients", "undisclosed-recipients")
    )
  )
  and length(recipients.cc) == 0
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)