type.inbound
and strings.ilike(subject.subject, "*shared*", "*invit*")
and strings.ilike(body.current_thread.text,
"*shared a file with you*",
"*shared with you*",
"*invited you to access a file*"
)
and not strings.ilike(body.current_thread.text, "invited you to edit")
and (
// use the display text of the link to determine the name of the file
any(filter(body.links,
.href_url.domain.domain not in $tenant_domains
and (
.href_url.domain.root_domain == "sharepoint.com"
or .href_url.domain.root_domain == "1drv.ms"
// handle urls with mimecast rewriting
or (
.href_url.domain.root_domain == 'mimecastprotect.com'
and strings.icontains(.href_url.query_params,
'.sharepoint.com'
)
)
)
and .display_text != "Open"
),
// the document name is the same as the org name
// as determined by the footer
(
strings.icontains(body.current_thread.text,
strings.concat('This email is generated through ',
.display_text
)
)
and strings.icontains(body.current_thread.text,
strings.concat("\'s use of Microsoft 365 and may contain content that is controlled by ",
.display_text
)
)
)
or .display_text =~ sender.email.domain.sld
)
)
Playground
Test against your own EMLs or sample data.