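// Flags inbound messages carrying an attached email (message/rfc822 or .eml)
// whose exploded content holds a URL that link analysis reports as pointing
// at an IPFS-looking destination.
type.inbound
and any(attachments,
        // the attachment is itself an email message
        (.content_type == "message/rfc822" or .file_extension in ('eml'))
        and any(file.explode(.),
                any(.scan.url.urls,
                    // Branch 1: the effective URL reported by ml.link_analysis
                    // contains "ipfs" anywhere in the string.
                    // NOTE(review): if effective_url.url includes the path, every URL
                    // matched by branch 2 already matches here, so the $org_domains and
                    // reputation exclusions below never suppress a hit. Confirm whether
                    // this check was meant to look at the domain only.
                    strings.icontains(ml.link_analysis(.).effective_url.url,
                                      'ipfs'
                    )
                    or (
                      // Branch 2: "ipfs" appears in the path next to '.', '/' or '-'.
                      // The hyphen sits last in each class so it is a literal; written
                      // as [\.-/] it formed a range covering only '.' and '/', so
                      // "-ipfs" and "ipfs-" were not matched.
                      regex.icontains(ml.link_analysis(.).effective_url.path,
                                      '[./-]ipfs|ipfs[./-]'
                      )
                      // links to the recipient organisation's own domains are skipped
                      and ml.link_analysis(.).effective_url.domain.domain not in $org_domains
                      and (
                        (
                          // don't include high rep domains
                          ml.link_analysis(.).effective_url.domain.domain not in $tranco_1m
                          and ml.link_analysis(.).effective_url.domain.domain not in $umbrella_1m
                        )
                        // if it's in Tranco or Umbrella, still include it if it's one of these
                        or ml.link_analysis(.).effective_url.domain.domain in $free_file_hosts
                        or ml.link_analysis(.).effective_url.domain.root_domain in $free_file_hosts
                        or ml.link_analysis(.).effective_url.domain.root_domain in $free_subdomain_hosts
                      )
                    )
                )
        )
)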