// Inbound message carrying a Word attachment (.docx/.docm) whose exploded
// content holds a <w:hyperlink> element with a w:anchor attribute equal to
// the first To recipient's email address, either verbatim or base64-encoded.
type.inbound
// Only attachments whose extension is docx or docm are considered.
and any(filter(attachments, .file_extension in ('docx', 'docm')),
// Explode the attachment and keep only parts whose raw strings mention a
// hyperlink element (icontains: case-insensitive substring match).
any(filter(file.explode(.),
strings.icontains(.scan.strings.raw, '<w:hyperlink')
),
// Pull every w:anchor value out of <w:hyperlink ...> tags (iextract is
// case-insensitive); the capture runs up to the next double quote.
any(regex.iextract(.scan.strings.raw,
'<w:hyperlink[^\>]*w:anchor="(?P<email_address>[^\"]+)"'
),
// Match when the anchor equals the first To recipient's address exactly ...
.named_groups["email_address"] == recipients.to[0].email.email
// ... or when a base64 segment found inside the anchor decodes to a string
// containing that address (ignore_padding=true: unpadded base64 accepted).
// NOTE(review): only recipients.to[0] is compared on both branches, so an
// anchor carrying a later To recipient's (or a CC recipient's) address is
// not matched by this rule.
or any(strings.scan_base64(.named_groups["email_address"],
ignore_padding=true
),
strings.icontains(., recipients.to[0].email.email)
)
)
)
)