type.inbound
and length(filter(attachments, .file_type not in $file_types_images)) == 0
and any(body.links,
not strings.ilike(.href_url.domain.root_domain, "dropbox.*")
)
and any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
strings.ilike(.scan.ocr.raw, "*dropbox*")
and strings.ilike(.scan.ocr.raw, "*review*", "*sign*")
)
)
and (
not profile.by_sender().solicited
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.