// Inbound messages only.
type.inbound
// Sender domain was registered fewer than 30 days ago according to WHOIS.
// NOTE(review): if the WHOIS lookup yields no days_old value, this comparison
// is not satisfied and the rule does not fire — confirm that gap is intended.
and network.whois(sender.email.domain).days_old < 30
// The NLU classifier reports a business-email-compromise intent for the thread...
and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "bec")
// ...together with a high-confidence financial / payment topic.
and any(
  ml.nlu_classifier(body.current_thread.text).topics,
  (
    .name == "Financial Communications"
    or .name == "Payment Information"
  )
  and .confidence == "high"
)
// The thread text carries at least one payment-detail artifact.
and (
  // Invoice-due / remittance phrasing.
  strings.icontains(
    body.current_thread.text,
    'due upon receipt',
    'confirm receipt of invoice',
    'see attached invoice'
  )
  // An invoice reference, or "per <name>'s request" wording.
  or regex.icontains(
    body.current_thread.text,
    'invoice\s*(?:#|number|num|no\.?)\s*:?\s*[A-Z0-9-]{3,}',
    'per\s+\w+.{0,5}s\s+request'
  )
  // Both an account number and a (wire) routing number.
  or (
    regex.icontains(
      body.current_thread.text,
      'account\s*(?:number|num|no\.?)\s*:?\s*\d{5,}'
    )
    and regex.icontains(
      body.current_thread.text,
      '(?:wire\s*)?routing\s*(?:number|num|no\.?)\s*:?\s*\d{5,}'
    )
  )
)
// Suppress highly trusted sender root domains only when they pass DMARC.
// A missing DMARC result is coalesced to false, so a trusted root domain
// without authentication still fires.
and (
  not (sender.email.domain.root_domain in $high_trust_sender_root_domains)
  or not coalesce(headers.auth_summary.dmarc.pass, false)
)