type.inbound
and any(ml.nlu_classifier(body.current_thread.text).topics,
.name == "File Sharing and Cloud Services" and .confidence != "low"
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("bec", "cred_theft") and .confidence != "low"
)
and any(body.links,
regex.icontains(.display_text, "document", "download", "message")
and .href_url.domain.root_domain != sender.email.domain.root_domain
and .href_url.domain.root_domain not in $tranco_1m
and .href_url.domain.root_domain not in $org_domains
and .href_url.domain.valid
// Exclude legitimate document services
and not .href_url.domain.root_domain in $free_file_hosts
)
// suspicious sending/recipient pattern
and 1 of (
(
length(recipients.to) == 1
and recipients.to[0].email.email == sender.email.email
),
any(headers.reply_to,
.email.domain.domain in $free_email_providers
and .email.domain.domain != sender.email.domain.domain
),
(
length(recipients.to) == 1
and length(recipients.cc) == 1
and recipients.to[0].email.email == recipients.cc[0].email.email
),
(
strings.icontains(headers.return_path.local_part, "+SRS=")
or strings.icontains(headers.auth_summary.spf.details.designator, "+SRS=")
or any(headers.hops,
strings.icontains(.authentication_results.spf_details.designator,
'+SRS='
)
)
),
// No recipients visible
(
length(recipients.to) == 0
or (
all(recipients.to, .email.domain.valid == false)
and all(recipients.cc, .email.domain.valid == false)
)
)
and length(recipients.cc) == 0
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
Playground
Test against your own EMLs or sample data.