Re: rules for a sneaky SPEAR-VIRUS spam that gets past bayes

2022-03-03 Thread Loren Wilton
Just off the top of my head:

rawbody ONEDRIVE_DOWNLOAD m'https://onedrive\.live\.com/download[?]cid='
score ONEDRIVE_DOWNLOAD 0.5
describe ONEDRIVE_DOWNLOAD Download link to a file on Onedrive

Personally I'd be inclined to put an i on the end of that.

body FILE_PWD

rules for a sneaky SPEAR-VIRUS spam that gets past bayes

2022-03-03 Thread Rob McEwen
rules for a sneaky SPEAR-VIRUS spam that gets past bayes because legit content from hijacked emails is copied into the spam, making it look like a follow-up msg of an existing legit conversation. Catch using these rules below. (Perhaps also add more to this to prevent rare FPs? But this is a g