sender.email.domain.root_domain in $high_trust_sender_root_domains
82
-
and not headers.auth_summary.dmarc.pass
83
-
)
84
-
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
85
-
)
6
+
source: "type.inbound\nand length(attachments) < 8\nand (\n // fake file attachment preview in original email\n any(attachments,\n .file_type in $file_types_images\n and (\n any(ml.logo_detect(.).brands, .name == \"FakeAttachment\")\n or (\n .size < 30000\n and any(file.explode(.),\n strings.icontains(.scan.ocr.raw, 'sent you')\n // the attached image includes a filesize string\n and regex.icontains(.scan.ocr.raw,\n '\\b\\d+.\\d{1,2}\\s?(k|m)b(\\s|$)'\n )\n )\n )\n )\n )\n // message body/screenhot\n or (\n any(ml.logo_detect(beta.message_screenshot()).brands,\n .name == \"FakeAttachment\"\n )\n or (\n length(body.current_thread.text) < 2000\n and strings.icontains(body.current_thread.text, 'sent you')\n // the attached image includes a filesize string\n and regex.icontains(body.current_thread.text,\n '\\b\\d+.\\d{1,2}\\s?(k|m)b(\\s|$)'\n )\n )\n )\n // Suspicious table with file size indicators \n or regex.contains(body.html.raw,\n \"<table[^>]*>.*?<img[^>]+src=[\\\"']cid:[^\\\"']+[\\\"'][^>]*>.*?\\\\.(pdf|doc(x)|xls(x)?).*?<font[^>]*>\\\\s*\\\\d{1,4}\\\\.\\\\d{1,2}\\\\s*k[bB]\"\n )\n\n // fake file attachment preview in attached EML\n or any(attachments,\n (.content_type == \"message/rfc822\" or .file_extension == \"eml\")\n and any(file.parse_eml(.).attachments,\n .file_type in $file_types_images\n and (\n any(ml.logo_detect(.).brands, .name == \"FakeAttachment\")\n or (\n .size < 30000\n and any(file.explode(.),\n strings.icontains(.scan.ocr.raw, 'sent you')\n // the attached image includes a filesize string\n and regex.icontains(.scan.ocr.raw,\n '\\b\\d+.\\d{1,2}\\s?(k|m)b(\\s|$)'\n )\n )\n )\n )\n )\n )\n)\nand not (\n (\n strings.istarts_with(subject.subject, \"RE:\")\n or strings.istarts_with(subject.subject, \"R:\")\n or strings.istarts_with(subject.subject, \"ODG:\")\n or strings.istarts_with(subject.subject, \"答复:\")\n or strings.istarts_with(subject.subject, \"AW:\")\n or strings.istarts_with(subject.subject, \"TR:\")\n or 
strings.istarts_with(subject.subject, \"FWD:\")\n or regex.imatch(subject.subject, '(\\[[^\\]]+\\]\\s?){0,3}(re|fwd?)\\s?:')\n or regex.imatch(subject.subject,\n '^\\[?(EXT|EXTERNAL)\\]?[: ]\\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'\n )\n )\n and (\n length(headers.references) > 0\n or any(headers.hops, any(.fields, strings.ilike(.name, \"In-Reply-To\")))\n )\n)\n// negate highly trusted sender domains unless they fail DMARC authentication\nand (\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and not headers.auth_summary.dmarc.pass\n )\n or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"