type.inbound
and length(body.links) == 0
and any(attachments,
(.file_type in ("pdf", "doc", "docx"))
and any(file.explode(.),
any(.scan.url.urls,
.domain.root_domain == "doubleclick.net"
and (
strings.icontains(.path, "/aclk")
or strings.icontains(.path, "/pcs/click")
or strings.icontains(.path, "/searchads/link/click")
)
and regex.icontains(.query_params,
'&(?:adurl|ds_dest_url)=(?:[a-z]+(?:\:|%3a))?(?:\/|%2f)(?:\/|%2f)'
)
)
)
)
Playground
Test against your own EMLs or sample data.