// Detection rule (MQL). Fires on an inbound message that carries an attached message
// (message/rfc822 or .eml) whose exploded contents contain credential-harvesting strings.
// Three gates, in order: (1) not a bounce / read receipt, (2) not a reply in an existing
// thread, (3) an attached message whose exploded file matches one of three string checks.
type.inbound
// exclude bounce backs & read receipts
// gate 1a: automated sender local-parts (case-sensitive glob via strings.like)
and not strings.like(sender.email.local_part,
"*postmaster*",
"*mailer-daemon*",
"*administrator*"
)
// gate 1b: case-insensitive subject match; the trailing .* indicates the pattern is meant
// to cover the whole subject when it starts with "undeliverable" or "read:"
and not regex.imatch(subject.subject, "(undeliverable|read:).*")
// gate 1c: DSN part present -> treat as a bounce
and not any(attachments, .content_type == "message/delivery-status")
// if the "References" is in the body of the message, it's probably a bounce
// gate 1d: any References message-id quoted in the HTML display text
and not any(headers.references, strings.contains(body.html.display_text, .))
// gate 2: either no threading headers at all, or none of the reply indicators
// (subject starting "re:", an In-Reply-To field on any hop, ":reply-to" in a hop's
// signed-header list). Note the left branch checks References/In-Reply-To on the message
// while the right branch checks per-hop fields.
and (
(length(headers.references) == 0 and headers.in_reply_to is null)
or (
not strings.istarts_with(subject.subject, "re:")
and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
and not any(headers.hops, strings.ilike(.signature.headers, "*:reply-to"))
)
)
// gate 3: the attached message is exploded and each resulting file is checked; one file
// satisfying any of the three conditions below is enough for the rule to match
and any(attachments,
(.content_type == "message/rfc822" or .file_extension in ('eml'))
and any(file.explode(.),
// suspicious strings found in javascript
// condition 1: at least three javascript strings (duplicates included, since filter keeps
// every match) hit the credential-form patterns
length(filter(.scan.javascript.strings,
strings.ilike(.,
"*username*",
"*login-form*",
"*email-form*",
"*Incorrect password. Please try again.*",
"*Password Incomplete, please try again*"
)
)
) >= 3
or (
// suspicious strings found outside of javascript, but binexplode'd file still of HTML type
// condition 2: gated on the exploded file's mime flavor (case-insensitive in~); any 3 of
// the same 5 patterns, this time over all extracted strings rather than javascript only
.flavors.mime in~ ("text/html", "text/plain")
and 3 of (
any(.scan.strings.strings, strings.ilike(., "*username*")),
any(.scan.strings.strings, strings.ilike(., "*login-form*")),
any(.scan.strings.strings, strings.ilike(., "*email-form*")),
any(.scan.strings.strings,
strings.ilike(.,
"*Incorrect password. Please try again.*"
)
),
any(.scan.strings.strings,
strings.ilike(.,
"*Password Incomplete, please try again*"
)
)
)
)
or
// Known phishing obfuscation
// condition 3: any 2 of 3 generic sign-in strings over all extracted strings. Unlike
// condition 2 this branch has no mime-flavor gate, and "*Sign in*" / "*Enter password*"
// also occur in legitimate account mail that gets forwarded as an attachment.
// NOTE(review): this is the branch most likely to drive false positives — confirm against
// sample data before tuning.
2 of (
// Enter password
any(.scan.strings.strings,
strings.ilike(.,
"*Enter password*"
)
),
// Forgotten my password
any(.scan.strings.strings,
strings.ilike(.,
"*Forgotten my password*"
)
),
// Sign in
any(.scan.strings.strings,
strings.ilike(.,
"*Sign in*"
)
)
)
)
)