type.inbound
// only direct, single-recipient mail addressed to one of the org domains
and length(recipients.to) == 1
and all(recipients.to, .email.domain.domain in $org_domains)
// never fire on replies: threading headers must be absent
and not (
  length(headers.references) > 0
  or headers.in_reply_to is not null
)
// exclude org-domain senders that passed DMARC; a missing DMARC result is
// coalesced to false, so the exclusion does not apply when no result is present
and not (
  sender.email.domain.domain in $org_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
// exclude high-trust sender root domains unless their DMARC check did not pass.
// NOTE(review): unlike the org-domain exclusion above, this branch does not
// coalesce a null DMARC result; confirm the intended outcome for a high-trust
// domain with no DMARC evaluation at all.
and (
  sender.email.domain.root_domain not in $high_trust_sender_root_domains
  or (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
)
// the recipient's SLD appears in class attribute names, either as the whole
// class name or behind the observed 'x_hz' prefix. Both checks below look at
// the same node set: an absolute floor of more than 30 matching attributes,
// and a share of at least 80% of all class attributes in the HTML body.
and length(
  filter(
    html.xpath(body.html, '//@class').nodes,
    any(
      recipients.to,
      ..raw =~ .email.domain.sld
      or strings.istarts_with(..raw, strings.concat('x_hz', .email.domain.sld))
    )
  )
) > 30
and ratio(
  html.xpath(body.html, '//@class').nodes,
  any(
    recipients.to,
    ..raw =~ .email.domain.sld
    or strings.istarts_with(..raw, strings.concat('x_hz', .email.domain.sld))
  )
) > 0.80