// Inbound message from a sender the recipient has not previously solicited,
// carrying an HTML attachment whose markup opens with a hidden <body> element.
type.inbound
and not profile.by_sender().solicited
// Exclude high-trust sender root domains only when the message also passes
// DMARC; a high-trust domain that fails DMARC is still evaluated.
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// At least one attachment with an "html" extension whose raw markup (as
// returned by file.parse_html) starts with <body style="display:none;">,
// matched case-insensitively and tolerating whitespace around the tokens.
// NOTE(review): the '^' anchor requires the hidden <body> to be the very
// first characters of the raw markup; a leading doctype, <html>, <head> or
// whitespace would not match — confirm this narrow scope is intended.
and any(attachments,
.file_extension == "html"
// raw markup begins with the hidden body element
and regex.icontains(file.parse_html(.).raw,
'^<body style\s*=\s*"\s*display\s*:\s*none\s*;\s*">'
)
)