// Detection: inbound message carrying an image, macro-capable document or PDF
// attachment whose decoded QR code resolves to a URL with userinfo
// ("https://user:pass@host/") or with a long padding run before an "@".
// Both shapes are used to make the part before "@" look like the destination
// while the real host sits after it. QR payloads are scanned by the user's
// phone camera, outside the mail client's link handling, so the decoded URL
// is inspected here rather than as a body link.
type.inbound
and any(attachments,
(
// Attachment types the QR extraction is applied to. Images and PDFs are
// matched on detected file type; documents on extension via the shared
// $file_extensions_macros list (contents defined outside this rule).
.file_type in $file_types_images
or .file_extension in $file_extensions_macros
or .file_type == "pdf"
)
// file.explode(.) yields the attachment's extracted sub-files (presumably
// including images embedded in documents); decoded QR data is read from
// .scan.qr on each one.
and any(file.explode(.),
(
// Explicit userinfo components parsed from the decoded URL.
.scan.qr.url.username is not null
or .scan.qr.url.password is not null
// Fallback regex for padded/encoded forms the URL parser may not split.
// keep in sync with https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/link_userinfo_excessive_padding.yml
// Shape: scheme (":" and "//" raw or %-encoded), a host-looking segment,
// then 30+ repetitions of whitespace, a (possibly double-)%-encoded byte
// (%xx or %25xx), or a 0x-hex run, then "@" (raw, %40 or %2540), another
// host segment and a "/" (raw, %2f or %252f). coalesce() prefers the
// pre-rewrite original when a link-rewriting service has wrapped the URL.
or regex.icontains(coalesce(.scan.qr.url.rewrite.original,
.scan.qr.url.url
),
'https?(?:(?:%3a|\:)?(?:\/|%2f){2})[^\/]+(?:\s+|%(?:25)?[a-f0-9]{2}|0x[a-f0-9]+){30,}(?:@|%(?:25)?40)[^\/]+(?:\/|%(?:25)?2f)'
)
)
// False-positive controls: ignore QR destinations whose root domain matches
// the sender or any To/Cc recipient. NOTE(review): .scan.qr.url.domain is
// presumably the parsed host, i.e. the part AFTER "@", so a spoofed
// "trusted.example@" prefix should not satisfy these exclusions; a sender
// whose own domain matches the QR destination would, however, be excluded.
// Bcc recipients are not consulted.
and .scan.qr.url.domain.root_domain != sender.email.domain.root_domain
and not any(recipients.to,
// ".." refers to the enclosing exploded-file item, not the recipient
.email.domain.root_domain == ..scan.qr.url.domain.root_domain
)
and not any(recipients.cc,
.email.domain.root_domain == ..scan.qr.url.domain.root_domain
)
)
)
// Sender-reputation controls: skip senders with a benign message history or
// whom the organisation has previously corresponded with (solicited) —
// exact semantics of these profile flags are defined by the platform.
and not profile.by_sender_email().any_messages_benign
and not profile.by_sender_email().solicited