type.inbound
// body is short
and length(body.current_thread.text) < 800
// one recipient
and length(recipients.to) == 1
// all recipients are the sender
and all(recipients.to,
.email.email == sender.email.email
and (
.email.domain.valid or strings.icontains(.display_name, "undisclosed")
)
)
// not an org domain
and all(recipients.to,
.email.domain.root_domain not in $org_domains
and (
.email.domain.valid or strings.icontains(.display_name, "undisclosed")
)
)
// one link
and length(body.links) == 1
// links don't match sender
and all(body.links,
.href_url.domain.root_domain != sender.email.domain.root_domain
)
// scam indicators
and regex.icontains(body.current_thread.text,
'((?:Mr|Mrs|Ms|Miss|Dr|Prof|Sir|Lady|Rev)\.?[ \t]+)|(sir|madam|kindly)|(dringend|eingefordert|anspruch)'
)
// body contains an email address to a freemail provider
and (
regex.contains(body.current_thread.text,
"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
)
and any($free_email_providers, strings.icontains(body.current_thread.text, .))
)
// new and unsolicited and no malicious or FP's
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.