// Detection rule: inbound message carrying a single one-page PDF whose file name looks like a
// proposal/bid/document/RFP/RFQ, whose OCR text is classified as credential theft, and whose
// root PDF contains exactly one non-mailto link. Every condition below is ANDed together.
type.inbound
// skip replies and forwards that also carry threading headers (References / In-Reply-To)
and not (
(subject.is_reply or subject.is_forward)
and (length(headers.references) > 0 or headers.in_reply_to is not null)
)
// exactly one attachment reported as a PDF
and length(filter(attachments, .file_type == "pdf")) == 1
and any(attachments,
.file_type == "pdf"
// case-insensitive keyword match; the trailing \b requires a word boundary after the keyword,
// there is no leading boundary, so the keyword may appear mid-name
and regex.icontains(.file_name, '(?:proposal|bid|document|rf[pq])\b')
// single-page PDF per the EXIF/metadata parser
and beta.parse_exif(.).page_count == 1
// NLU classifier over the OCR'd text yields a cred_theft intent
// NOTE(review): beta.ocr(.) is invoked three times in this block; whether the result is
// cached between calls is not visible here - confirm against the platform docs
and any(ml.nlu_classifier(beta.ocr(.).text).intents,
.name == "cred_theft"
)
// short OCR output (under 2000 characters) and the OCR pass itself reported success
and length(beta.ocr(.).text) < 2000
and beta.ocr(.).success
// the root PDF (depth 0) contains exactly one URL, and that URL is neither a
// well-known PDF-producer/standards domain nor a mailto link
and any(file.explode(.),
.depth == 0
and length(.scan.url.urls) == 1
and all(.scan.url.urls,
.domain.root_domain not in (
'iso.org',
'w3.org',
'bfo.com', // pdf producer
'camscanner.com', // pdf producer
)
and not strings.istarts_with(.url, 'mailto')
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
// (a missing DMARC result is treated as a failure via coalesce, so the negation does not apply)
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)