type.inbound
and any(filter(attachments, .file_type == "pdf"),
any(file.explode(.),
any(.scan.exiftool.fields, .key == "Encryption")
or (
.scan.entropy.entropy > 7
and any(.scan.strings.strings, strings.icontains(., "/Encrypt"))
)
)
// Encrypted PDFs do not have child nodes with any data
and all(filter(file.explode(.), .depth > 0), .size == 0)
)
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
or (
(
regex.icontains(body.current_thread.text,
'PDF\s*(?:Access|Preview|Unlock|Decrypt)\s*(?:Pass)?code',
'(Access|Preview|Unlock|Decrypt|Pass)\s*(?:word|code)\s*to?\s*PDF\s*is?\s*:'
)
or (
(
length(body.current_thread.text) <= 10
or (body.current_thread.text is null)
)
and any(body.previous_threads,
regex.icontains(.text,
'PDF\s*(?:Access|Preview|Unlock|Decrypt)\s*(?:Pass)?code',
'(Access|Preview|Unlock|Decrypt|Pass)\s*(?:word|code)\s*to?\s*PDF\s*is?\s*:'
)
)
)
)
)
)
// not forwards/replies
and not (
(length(headers.references) > 0 or headers.in_reply_to is not null)
and (subject.is_forward or subject.is_reply)
and length(body.previous_threads) >= 1
)
and (
(
profile.by_sender_email().prevalence in ("new", "outlier")
and not profile.by_sender_email().solicited
)
or (
profile.by_sender_email().any_messages_malicious_or_spam
and not profile.by_sender_email().any_messages_benign
)
or (
length(recipients.to) == 0
or all(recipients.to,
strings.ilike(.display_name, "undisclosed?recipients")
)
)
or (
length(recipients.to) == 1
and any(recipients.to, .email.email == sender.email.email)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.