type.inbound
// promotional/advertising content targeting financial services
and (
(
regex.icontains(body.current_thread.text,
"credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free|special offer"
)
or regex.icontains(subject.subject,
"credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free"
)
)
and any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Advertising and Promotions")
)
)
// PII harvesting template in attachments (3+ of these patterns)
and any(attachments,
any(file.explode(.),
3 of (
regex.icontains(.scan.strings.raw, "Credit Card Application"),
regex.icontains(.scan.strings.raw, "Date of Birth"),
regex.icontains(.scan.strings.raw, "[eE]mail"),
regex.icontains(.scan.strings.raw, "[aA]ddress"),
regex.icontains(.scan.strings.raw, "Contact No"),
regex.icontains(.scan.strings.raw, "Pan No"),
regex.icontains(.scan.strings.raw, "ADHAAR"),
regex.icontains(.scan.strings.raw, "Annual.*salary"),
regex.icontains(.scan.strings.raw, "Mother Name"),
regex.icontains(.scan.strings.raw, "Father Name"),
regex.icontains(.scan.strings.raw, "SINGLE.*MARRIED")
)
)
)
// WhatsApp contact method (suspicious for legitimate financial institutions)
and (
regex.icontains(body.current_thread.text, "whatsapp")
or any(attachments,
any(file.explode(.), regex.icontains(.scan.qr.url.url, "wa\\.me"))
)
or any(file.explode(file.message_screenshot()),
regex.icontains(.scan.qr.url.url, "wa\\.me")
)
)
Playground
Test against your own EMLs or sample data.