// Detection rule: inbound message from an onmicrosoft.com sender (or a display
// name that advertises onmicrosoft.com while the real sender domain is invalid),
// sent to a single recipient and carrying at least one body link. Every clause
// after the first three is a negation that carves out known-benign traffic
// (bounces, genuine replies, auto-replies, Microsoft's own tenant, known senders).
type.inbound
and (
sender.email.domain.root_domain == "onmicrosoft.com"
// display-name lookalike: "onmicrosoft.com" in the name, but the sending domain does not validate
or (
strings.icontains(sender.display_name, "onmicrosoft.com")
and sender.email.domain.valid == false
)
)
// narrowly targeted: exactly one (or zero) To: recipient
and length(recipients.to) < 2
// require a link in the body; this also keeps the all(body.links, ...) exemption below meaningful
and length(body.links) > 0
// bounce-back negations: system-mailbox local parts and NDR / calendar payloads
and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
and not any(attachments,
.content_type in (
"message/rfc822",
"message/delivery-status",
"text/calendar"
)
// calendar invites can arrive as text/plain with an .ics extension
or (.content_type == "text/plain" and .file_extension == "ics")
)
// negating legit replies: a reply/forward-style subject alone is not enough;
// the message must also carry References and an In-Reply-To header in its hops
and not (
(
strings.istarts_with(subject.subject, "RE:")
or strings.istarts_with(subject.subject, "FW:")
or strings.istarts_with(subject.subject, "FWD:")
// tolerates up to three leading bracketed tags (e.g. an external-mail banner tag) before RE / FW / FWD / automat...
or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*')
// French auto-reply subject prefix
or strings.istarts_with(subject.subject, "Réponse automatique")
)
and (
length(headers.references) > 0
and any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
)
// negating auto-replies: Auto-Submitted: auto-generated together with an
// X-MS-Exchange-Generated-Message-Source header; a source of
// "Antispam Quarantine Agent" is deliberately not exempted, so such messages are still evaluated
and not (
any(headers.hops,
any(.fields, .name =~ "auto-submitted" and .value =~ "auto-generated")
and any(.fields,
.name =~ "X-MS-Exchange-Generated-Message-Source"
and .value not in ("Antispam Quarantine Agent")
)
)
)
// Microsoft has some legit onmicrosoft domains... exempt Microsoft's own tenant only
// when SPF passes and every body link resolves to microsoft.com
and not (
sender.email.domain.domain == "microsoft.onmicrosoft.com"
and headers.auth_summary.spf.pass
and all(body.links, .href_url.domain.root_domain == "microsoft.com")
)
// construct the proper sender domain and check against known recipients:
// the tenant label (subdomain) joined with the tld approximates the organisation's
// real domain (constructed example: subdomain "contoso" + tld "com" -> "contoso.com");
// an existing correspondent domain is not flagged
and not strings.concat(sender.email.domain.subdomain, ".", sender.email.domain.tld) in $recipient_domains
// sender reputation: flag unsolicited senders, or solicited senders whose history is
// malicious/spam with no benign messages
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// never flag the organisation's own domains
and not sender.email.domain.domain in $org_domains