// Matches inbound messages that carry an RTF document, either attached directly
// or found inside a common archive, where the RTF content contains a URL on a
// domain that is unpopular, freely registrable/hosted, or personalised with a
// recipient address. Senders with solicited or benign history are excluded.
type.inbound
and any(attachments,
// Attachment gate: a common archive extension (in~ is the case-insensitive
// membership test) or a file_type of "rtf".
(
.file_extension in~ $file_extensions_common_archives
or .file_type == "rtf"
)
// Inspect every item produced by file.explode() for the attachment and keep
// only those whose MIME flavor is text/rtf.
and any(file.explode(.),
.flavors.mime == 'text/rtf'
// At least one URL from the scan of that RTF item must satisfy everything below.
and any(.scan.url.urls,
// Only URLs with a valid domain that also has a subdomain are evaluated.
// NOTE(review): URLs whose domain has no subdomain never match this rule;
// confirm that gap is intended.
.domain.valid
and .domain.subdomain is not null
// Skip URLs that end in "jpeg" or "png".
// NOTE(review): the suffix test is case-sensitive, runs against the whole
// URL string rather than the parsed path, and does not list "jpg". Confirm
// the exclusion is as narrow as intended, since it suppresses the rule for
// any URL that merely ends with those characters.
and not (
strings.ends_with(.url, "jpeg")
or strings.ends_with(.url, "png")
)
// Reputation test: any one of the three branches below is sufficient.
and (
// Branch 1: root domain appears in neither popularity list.
(
.domain.root_domain not in $tranco_1m
and .domain.root_domain not in $umbrella_1m
)
// Branch 2: root domain belongs to a file-hosting, subdomain-hosting,
// URL-shortener or social-landing list.
// NOTE(review): $free_file_hosts is tested twice on adjacent lines. The
// second test is either redundant or stands in for a different list;
// confirm which list was meant.
or (
.domain.root_domain in $free_file_hosts
or .domain.root_domain in $free_file_hosts
or .domain.root_domain in $free_subdomain_hosts
or .domain.root_domain in $url_shorteners
or .domain.root_domain in $social_landing_hosts
)
// Branch 3: the URL contains a recipient's email address and the root_domain
// is in neither popularity list. `..url` refers to the URL being evaluated by
// the enclosing any() over .scan.url.urls.
// NOTE(review): the popularity condition here is identical to branch 1, so
// this branch cannot match anything branch 1 does not already match. If the
// recipient-address signal is meant to count on its own, this condition
// needs revisiting.
or (
any(recipients.to,
strings.icontains(..url, .email.email)
)
and (
.domain.root_domain not in $tranco_1m
and .domain.root_domain not in $umbrella_1m
)
)
)
)
)
)
// Sender-history exclusions: do not fire when the sender profile reports the
// sender as solicited or as having any messages marked benign.
// NOTE(review): these negations suppress the rule for every previously
// trusted sender, which includes an established sender account that is later
// abused. Confirm that trade-off is acceptable for this rule.
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign