type.inbound
// Matches the message id observed. DKIM/SPF domains can be custom and therefore are unpredictable.
and strings.starts_with(headers.message_id, '<Share-')
and strings.ends_with(headers.message_id, '@odspnotify>')
// SharePoint email indicators
and strings.like(body.current_thread.text,
"*shared a file with you*",
"*shared with you*",
"*invited you to access a file*"
)
and strings.icontains(subject.subject, "shared")
// sender analysis
and (
(
// if the sender is not the sharepointonline.com, we can use the sender email
// to see if it is a solicited email
sender.email.domain.domain != "sharepointonline.com"
and not profile.by_sender().solicited
)
// if it is the sharepointonline sender, use the reply-to header
or (
sender.email.domain.domain =~ "sharepointonline.com"
and length(headers.reply_to) > 0
and
// a newly created domain
(
all(headers.reply_to,
.email.domain.root_domain not in $free_email_providers
and network.whois(.email.domain).days_old <= 30
and .email.email != sender.email.email
)
// is a free email provider
or all(headers.reply_to,
.email.domain.root_domain in $free_email_providers
)
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
// no outbound emails
or not beta.profile.by_reply_to().solicited
)
// do not match if the reply_to address has been observed as a reply_to address
// of a message that has been classified as benign
and not beta.profile.by_reply_to().any_messages_benign
)
)
// link logic
and any(body.links,
.href_url.domain.root_domain == "sharepoint.com"
// it is a personal share
and (
// /g/ is only found with /personal
strings.icontains(.href_url.path, '/g/personal/')
or strings.icontains(.href_url.path, '/p/')
)
// it is either a OneNote or PDF
and (
strings.icontains(.href_url.path, '/:o:/')
or strings.icontains(.href_url.path, '/:b:/')
or strings.icontains(.href_url.path, '/:u:/')
)
)
Playground
Test against your own EMLs or sample data.