type.inbound
and 3 of (
// urgent subjects
strings.ilike(subject.subject, '*quick question*'),
strings.ilike(subject.subject, '*urgent*request*'),
strings.ilike(subject.subject, '*are you available*'),
strings.ilike(subject.subject, '*need assistance*'),
strings.ilike(subject.subject, '*help*needed*'),
regex.icontains(subject.subject, 'favor\b'),
strings.ilike(subject.subject, '*checking in*'),
strings.ilike(subject.subject, '*awaiting*response*'),
strings.ilike(subject.subject, '*catch*up*'),
// BEC body patterns
strings.ilike(body.current_thread.text, '*sorry to bother*'),
strings.ilike(body.current_thread.text, '*are you busy*'),
strings.ilike(body.current_thread.text, '*can you help*'),
strings.ilike(body.current_thread.text, '*do you have a moment*'),
strings.ilike(body.current_thread.text, '*please respond*asap*'),
strings.ilike(subject.subject, '*quick question*'),
// brand name
regex.icontains(body.current_thread.text, 'a\s?m\s?a\s?z\s?o\s?n'), // Catches "Amaz on", "Amazon", etc.
regex.icontains(body.current_thread.text, 'p\s?a\s?y\s?p\s?a\s?l'),
regex.icontains(body.current_thread.text, 'a\s?p\s?p\s?l\s?e'),
// short body
length(body.current_thread.text) < 200,
strings.count(body.current_thread.text, ' ') < 30
)
and 3 of (
// suspicious sender
sender.email.domain.root_domain in $free_email_providers,
network.whois(sender.email.domain).days_old < 30,
// suspicious recipient pattern
any(recipients.to, strings.ilike(.display_name, 'undisclosed?recipients')),
length(recipients.to) == 1, // Single recipient
// header checks
strings.starts_with(headers.mailer, 'Open-Xchange Mailer'),
strings.ilike(headers.x_originating_ip.ip, '*.*.*.0'), // Common in some BEC campaigns
// deifferent reply-to address
(length(headers.reply_to) > 0 and sender.email.email not in map(headers.reply_to, .email.email)),
// sender display name is part of the subject
strings.icontains(subject.subject, sender.display_name),
)
and profile.by_sender_email().prevalence not in ("common")
Playground
Test against your own EMLs or sample data.