type.inbound
and length(recipients.to) == 1
and recipients.to[0].email.domain.valid
and any(attachments,
any(file.explode(.),
// special char in the path
(
strings.icontains(.scan.qr.url.path, '!')
or strings.icontains(.scan.qr.url.path, '@')
)
// a single path
and strings.count(.scan.qr.url.path, '/') == 2
and (
strings.icontains(.scan.qr.url.path, '/$')
or strings.icontains(.scan.qr.url.path, '/*')
)
and (
(
strings.icontains(.scan.qr.url.path,
recipients.to[0].email.email
)
or strings.icontains(.scan.qr.url.fragment,
recipients.to[0].email.email
)
or any(strings.scan_base64(.scan.qr.url.path,
ignore_padding=true
),
strings.icontains(., recipients.to[0].email.email)
)
or any(strings.scan_base64(.scan.qr.url.fragment,
ignore_padding=true
),
strings.icontains(., recipients.to[0].email.email)
)
)
)
)
)
Playground
Test against your own EMLs or sample data.