type.inbound
and (
strings.ilike(sender.display_name, "amazon*")
or any(attachments, strings.icontains(.file_name, "amazon"))
or any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and any(file.explode(.), strings.icontains(.scan.ocr.raw, "amazon"))
)
)
and any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and any(ml.logo_detect(.).brands,
.name == "Amazon" and .confidence in~ ("medium", "high")
)
and (
any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name != "benign" and .confidence == "high"
)
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name != "benign" and .confidence == "high"
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and sender.email.domain.root_domain not in~ (
'a2z.com',
'amazon.com',
'amazon.com.au',
'amazon.co.uk',
'amazon.de',
'amazon.es',
'amazon.fr',
'amazon.it',
'amazon.in',
'amazon.lu',
'amazon.com.au',
'amazonsellerservices.com',
'amazon.ae',
'amazon.sa',
'amazon.cn',
'amazon.ca',
'amazon.com.mx',
'amazon.com.br',
'amazon.ph',
'amazon.sg',
'amazon.com.tr',
'amazonpay.in',
'amazonpay.com',
'synchronybank.com',
)
Playground
Test against your own EMLs or sample data.