type.inbound
and any(attachments,
(
.file_extension == "ics"
or .content_type in ("application/ics", "text/calendar")
)
and any(file.explode(.),
any(.scan.url.urls,
(
.domain.domain in $free_file_hosts
or (
.domain.root_domain in $free_subdomain_hosts
and .domain.subdomain is not null
and not (
strings.ends_with(.url, "jpeg")
or strings.ends_with(.url, "png")
)
and .domain.subdomain != "www"
)
)
and any(ml.link_analysis(.).final_dom.links,
any(.href_url.rewrite.encoders,
strings.icontains(., "open_redirect")
)
)
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.