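// Inbound message whose subject and body read like a file-share notification
// (SharePoint / OneDrive), excluding "invited you to edit" wording, carrying at
// least one file link outside the tenant whose display text (the shown file
// name) matches either the sender's second-level domain or the organisation
// name recovered from the notification footer.
type.inbound
and strings.ilike(subject.subject, "*shared*", "*invit*")
and strings.ilike(body.current_thread.text,
                  "*shared a file with you*",
                  "*shared with you*",
                  "*invited you to access a file*"
)
and not strings.ilike(body.current_thread.text, "invited you to edit")
and (
  // use the display text of the link to determine the name of the file
  any(filter(body.current_thread.links,
             .href_url.domain.domain not in $tenant_domains
             and (
               .href_url.domain.root_domain == "sharepoint.com"
               or .href_url.domain.root_domain == "1drv.ms"
               // handle urls with mimecast rewriting: the original destination
               // is carried in the query string
               // NOTE(review): only a rewritten SharePoint destination is
               // recovered here; a Mimecast-rewritten 1drv.ms link would not
               // match this branch — confirm that is intended
               or (
                 .href_url.domain.root_domain == 'mimecastprotect.com'
                 and strings.icontains(.href_url.query_params,
                                       '.sharepoint.com'
                 )
               )
             )
             // "Open" is a generic button label, not a file name
             and .display_text != "Open"
      ),
      // the file name equals the sender's second-level domain (case-insensitive)
      .display_text =~ sender.email.domain.sld
      or any(regex.extract(body.current_thread.text,
                           "generated through (?P<org_name>[^']+)'s use"
             ),
             // the document name is the same as the org name as determined by the footer
             // this checks that the org_name starts with the display_text
             // (first argument is the string being tested, second is the prefix)
             strings.istarts_with(.named_groups["org_name"], ..display_text)
             // this checks that the org_name is a prefix or suffix of the display_text
             // it is in effect the "reverse" of the above check
             or (
               (
                 strings.istarts_with(..display_text, .named_groups["org_name"])
                 or strings.iends_with(..display_text,
                                       .named_groups["org_name"]
                 )
               )
               // require the org name to make up a meaningful share of the
               // display text; `* 1.0` forces a floating-point ratio
               and (
                 length(.named_groups["org_name"]) / (
                   length(..display_text) * 1.0
                 )
               ) > 0.45
             )
      )
  )
)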