How to detect manual outbound forwards
Overview
Sublime can dynamically detect end users forwarding mail to personal email addresses in a variety of ways. The three rules below share one recipient test (a To: recipient at a free or disposable provider whose address or display name closely resembles the sender's) and differ only in how much additional evidence they require before firing.
Outbound forward to personal email address
Inspects outbound forwarded messages (subject carrying a forward prefix) sent to free or disposable email providers where a To: recipient has any of:
- An exact display name match with the sender
- A similar display name match (case-insensitive edit distance of 2 or less)
- An exact local part match with the sender's local part
- A similar local part match (edit distance of 2 or less)
type.outbound
// subject starts with a forward prefix: "FW:" (Outlook) or "Fwd:" (Gmail, Apple Mail);
// regex.imatch is anchored to the whole string, hence the trailing .*
and regex.imatch(subject.subject, "fw(d)?:.*")
and any(recipients.to,
        (
          // the recipient resembles the sender: local part within edit distance 2
          // (for example a digit or a dot added or dropped), or display name within
          // case-insensitive edit distance 2
          strings.levenshtein(.email.local_part, sender.email.local_part) <= 2
          or strings.ilevenshtein(.display_name, sender.display_name) <= 2
        )
        // and the recipient mailbox sits at a free or disposable provider
        and (
          .email.domain.root_domain in $free_email_providers
          or .email.domain.root_domain in $disposable_email_providers
        )
)
Any outbound to personal email address
Inspects any outbound message (forwarded or not) sent to free or disposable email providers where a To: recipient has any of:
- An exact display name match with the sender
- A similar display name match (case-insensitive edit distance of 2 or less)
- An exact local part match with the sender's local part
- A similar local part match (edit distance of 2 or less)
type.outbound
// same recipient test as the forward rule, without the subject prefix requirement
and any(recipients.to,
        (
          // the recipient resembles the sender: local part within edit distance 2,
          // or display name within case-insensitive edit distance 2
          strings.levenshtein(.email.local_part, sender.email.local_part) <= 2
          or strings.ilevenshtein(.display_name, sender.display_name) <= 2
        )
        // and the recipient mailbox sits at a free or disposable provider
        and (
          .email.domain.root_domain in $free_email_providers
          or .email.domain.root_domain in $disposable_email_providers
        )
)
Outbound forward to personal email address with [sensitive data|attachment]
Customize this rule
You may customize the criteria you deem sensitive within the rule logic below.
Inspects outbound forwarded messages sent to free or disposable email providers that meet the same recipient criteria as above and additionally show any of:
- An attachment whose extension is in $file_extensions_common_archives
- Strings in the current thread body that may convey sensitive content (e.g. "password", "sensitive", "protected", "confidential")
- Natural Language Understanding (NLU) tags on the current thread body, or on the OCR text of a PDF attachment:

Name            Description
invoice         These emails contain language about viewing invoices via links or attachments.
payment         These emails contain language about ACH, EFT, or Wire payments.
purchase_order  These emails contain language about Purchase Orders or Requests for Quotation.
type.outbound
// subject starts with a forward prefix: "FW:" (Outlook) or "Fwd:" (Gmail, Apple Mail)
and regex.imatch(subject.subject, "fw(d)?:.*")
and any(recipients.to,
        (
          // the recipient resembles the sender: local part within edit distance 2,
          // or display name within case-insensitive edit distance 2
          strings.levenshtein(.email.local_part, sender.email.local_part) <= 2
          or strings.ilevenshtein(.display_name, sender.display_name) <= 2
        )
        // and the recipient mailbox sits at a free or disposable provider
        and (
          .email.domain.root_domain in $free_email_providers
          or .email.domain.root_domain in $disposable_email_providers
        )
)
// add any sensitive data indicators below. The body checks sit outside
// any(attachments, ...) so that a message with no attachment at all is still
// caught by its body content.
and (
  // an archive attachment
  any(attachments, .file_extension in $file_extensions_common_archives)
  // sensitive keywords anywhere in the current thread text
  or strings.ilike(body.current_thread.text,
                   "*password*",
                   "*sensitive*",
                   "*protected*",
                   "*confidential*"
  )
  // NLU tags on the current thread text
  or any(ml.nlu_classifier(body.current_thread.text).tags,
         .name in ("invoice", "payment", "purchase_order")
  )
  // NLU tags on the OCR text of any PDF attachment
  or any(attachments,
         .file_type == "pdf"
         and any(file.explode(.),
                 any(ml.nlu_classifier(.scan.ocr.raw).tags,
                     .name in ("invoice", "payment", "purchase_order")
                 )
         )
  )
)
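To see how the edit-distance threshold and the sensitive-data indicators behave on concrete messages, here is an added, offline Python model of the three rules above. It is example code written for this page, not Sublime's code and not MQL: the provider list, the archive-extension list, the NLU classifier and the sample messages are all constructed stand-ins, and root_domain is approximated by the last two DNS labels rather than a public-suffix lookup.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for Sublime's $free_email_providers, $disposable_email_providers and
# $file_extensions_common_archives lists; assumptions, not the real lists.
PERSONAL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me", "mailinator.com"}
ARCHIVE_EXTENSIONS = {"zip", "7z", "rar", "tar", "gz"}
SENSITIVE_WORDS = ("password", "sensitive", "protected", "confidential")
FINANCE_TAGS = {"invoice", "payment", "purchase_order"}
# Anchored like regex.imatch; accepts Outlook's "FW:" as well as Gmail's "Fwd:".
FORWARD_SUBJECT = re.compile(r"fw(d)?:.*", re.IGNORECASE)

@dataclass
class Address:
    email: str
    display_name: str = ""

@dataclass
class Attachment:
    file_name: str
    file_type: str
    ocr_text: str = ""  # stand-in for the .scan.ocr.raw field of file.explode(.)

@dataclass
class Message:
    sender: Address
    to: list
    subject: str
    body: str  # stand-in for body.current_thread.text
    attachments: list = field(default_factory=list)

def local_part(addr: Address) -> str:
    return addr.email.split("@", 1)[0].lower()

def root_domain(addr: Address) -> str:  # crude stand-in for .email.domain.root_domain
    return ".".join(addr.email.split("@", 1)[1].lower().split(".")[-2:])

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), as strings.levenshtein computes it."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like_sender(sender: Address, rcpt: Address) -> bool:
    """Recipient test shared by all three rules: local part or display name within distance 2."""
    if levenshtein(local_part(rcpt), local_part(sender)) <= 2:
        return True
    # Model choice: compare display names only when both are present (empty vs empty is distance 0).
    if sender.display_name and rcpt.display_name:
        return levenshtein(rcpt.display_name.lower(), sender.display_name.lower()) <= 2
    return False

def personal_lookalike_recipients(msg: Message) -> list:
    return [r for r in msg.to if looks_like_sender(msg.sender, r) and root_domain(r) in PERSONAL_PROVIDERS]

def keyword_classifier(text: str) -> set:
    """Constructed keyword stand-in for ml.nlu_classifier(text).tags; not the real model."""
    t = text.lower()
    return {tag for tag, pat in (("invoice", r"invoice"), ("payment", r"\b(ach|eft|wire)\b"),
                                 ("purchase_order", r"purchase order|\brfq\b")) if re.search(pat, t)}

def has_sensitive_indicator(msg: Message, classify=keyword_classifier) -> bool:
    """Any indicator from the third rule; the body checks do not require an attachment."""
    return (
        any(a.file_name.rsplit(".", 1)[-1].lower() in ARCHIVE_EXTENSIONS for a in msg.attachments)
        or any(w in msg.body.lower() for w in SENSITIVE_WORDS)
        or bool(FINANCE_TAGS & classify(msg.body))
        or any(a.file_type == "pdf" and FINANCE_TAGS & classify(a.ocr_text) for a in msg.attachments)
    )

def evaluate(msg: Message) -> dict:
    """Which of the three rules on this page fire for an outbound message."""
    personal = bool(personal_lookalike_recipients(msg))
    fwd = FORWARD_SUBJECT.fullmatch(msg.subject) is not None
    return {
        "any_outbound_to_personal": personal,
        "outbound_forward_to_personal": fwd and personal,
        "outbound_forward_with_sensitive_data": fwd and personal and has_sensitive_indicator(msg),
    }

# Constructed sample messages (no real addresses or content).
SENDER = Address("jsmith@corp.example", "John Smith")
SAMPLES = {
    "fw_to_lookalike": Message(SENDER, [Address("jsmith1@gmail.com")], "FW: Q3 pricing", "see attached"),
    "fwd_with_password": Message(SENDER, [Address("jsmith@gmail.com", "John Smith")], "Fwd: payroll export",
                                 "Confidential: the password is in the zip", [Attachment("payroll.zip", "zip")]),
    "name_match_only": Message(SENDER, [Address("john.smith.personal@gmail.com", "John Smith")], "Re: lunch", "sure"),
    "vendor_not_personal": Message(SENDER, [Address("ap@vendor.example", "Accounts Payable")], "FW: invoice 1234", "pay"),
    "pdf_ocr_hit": Message(SENDER, [Address("j.smith@gmail.com", "J Smith")], "fw: remittance", "fyi",
                           [Attachment("scan.pdf", "pdf", "Please remit the invoice by wire")]),
    "too_different": Message(SENDER, [Address("jsmith2024@gmail.com")], "FW: customer list", "confidential"),
}

if __name__ == "__main__":
    print({name: evaluate(msg) for name, msg in SAMPLES.items()})
```

The too_different sample shows the limit of the threshold: jsmith2024 is four edits away from jsmith, so a user who appends a year to their name escapes all three rules even with "confidential" in the body, while the name_match_only sample is caught purely through an identical display name. The model compares display names only when both sides have one; confirm how your tenant populates sender and recipient display names before relying on that branch of the real rule.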