type.inbound
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
// ----- other suspicious signals here -----
and any(attachments,
any(file.explode(.),
any(.scan.strings.strings, strings.icontains(., "secure message"))
and (
any(.scan.url.urls, .domain.tld in $suspicious_tlds)
or any(.scan.url.urls,
any(.rewrite.encoders,
strings.icontains(., "open_redirect")
)
)
)
and (
any(.scan.url.urls,
.domain.root_domain != sender.email.domain.root_domain
)
or not sender.email.domain.valid
)
)
)
// negate legitimate message senders
and (
(
sender.email.domain.root_domain not in ("protectedtrust.com")
or not sender.email.domain.valid
)
and any(headers.hops,
.index == 0
and not any(.fields,
strings.contains(.value,
'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"'
)
)
)
and not (
any(headers.hops, any(.fields, .name == 'X-ZixNet'))
and any(headers.domains,
.root_domain in ("zixport.com", "zixcorp.com", "zixmail.net")
)
)
and not all(body.links,
.href_url.domain.root_domain in ("mimecast.com", "cisco.com")
)
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.