How to detect manual outbound forwards

Overview

Sublime can dynamically detect end-user forwarding to personal email addresses in a variety of ways.

Outbound forward to personal email address

Inspects outbound forwarded messages to free or disposable email providers with either:

  • An exact display name match
  • A similar display name match
  • An exact local part match
  • A similar local part match
type.outbound
and regex.imatch(subject.subject, "fw(d):.*")
and any(recipients.to,
        (
          // if the sender is [email protected], this will match variations like:
          // - [email protected]
          // - [email protected]
          strings.levenshtein(.email.local_part, sender.email.local_part) <= 2
          or strings.ilevenshtein(.display_name, sender.display_name) <= 2
        )
        and (
          .email.domain.root_domain in $free_email_providers
          or .email.domain.root_domain in $disposable_email_providers
        )
)

Any outbound to personal email address

Inspects outbound messages to free or disposable email providers with either:

  • An exact display name match
  • A similar display name match
  • An exact local part match
  • A similar local part match

type.outbound
and any(recipients.to,
        (
          // if the sender is [email protected], this will match variations like:
          // - [email protected]
          // - [email protected]
          strings.levenshtein(.email.local_part, sender.email.local_part) <= 2
          or strings.ilevenshtein(.display_name, sender.display_name) <= 2
        )
        and (
          .email.domain.root_domain in $free_email_providers
          or .email.domain.root_domain in $disposable_email_providers
        )
)

Outbound forward to personal email address with [sensitive data|attachment]

๐Ÿ“˜

Customize this rule

You may customize the criteria you deem sensitive within the rule logic below.

Inspects outbound messages to free or disposable email providers with the same criteria as above or any of:

  • Any attachments in $file_extensions_common_archives

  • Strings that may convey sensitive content (eg. "password", "sensitive", "protected", "confidential")

  • Natural Language understanding tags in the body, or a PDF attachment:

    NameDescription
    invoiceThese emails contain language about viewing invoices via links or attachments.
    paymentThese emails contain language about ACH, EFT, or Wire payments.
    purchase_orderThese emails contain language about Purchase Orders, Requests for Quotation.
type.outbound
and regex.imatch(subject.subject, "fw(d):.*")
and any(recipients.to,
        (
          // if the sender is [email protected], this will match variations like:
          // - [email protected]
          // - [email protected]
          strings.levenshtein(.email.local_part, sender.email.local_part) <= 2
          or strings.ilevenshtein(.display_name, sender.display_name) <= 2
        )
        and (
          .email.domain.root_domain in $free_email_providers
          or .email.domain.root_domain in $disposable_email_providers
        )
)

// add any sensitive data indicators below
and (
  any(attachments,
      .file_extension in $file_extensions_common_archives
      or strings.ilike(body.current_thread.text,
                       "*password*",
                       "*sensitive*",
                       "*protected*",
                       "*confidential*"
      )
      or any(ml.nlu_classifier(body.current_thread.text).tags,
             .name in ("invoice", "payment", "purchase_order")
      )
      or (
        .file_type == "pdf"
        and any(file.explode(.),
                any(ml.nlu_classifier(.scan.ocr.raw).tags,
                    .name in ("invoice", "payment", "purchase_order")
                )
        )
      )
  )
)