type.inbound
and (
  strings.ilike(sender.display_name, '*binance*')
  or strings.ilevenshtein(sender.display_name, 'binance') <= 1
  or strings.ilike(sender.email.domain.domain, '*binance*')
  or strings.ilike(subject.subject, '*binance*')
)
and sender.email.domain.root_domain not in~ (
  'binance.com',
  'trustwallet.com',
  'binance.charity'
)
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .text == "Binance"
)
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "financial"
)
and (
  any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
  or any(ml.nlu_classifier(body.current_thread.text).entities,
         .name == "request"
  )
)
and (
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .text in~ ("withdrawal", "deposit")
  )
  or any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
)
and (
  // if this comes from a free email provider,
  // flag if org has never sent an email to sender's email before
  (
    sender.email.domain.root_domain in $free_email_providers
    and sender.email.email not in $recipient_emails
  )
  // if this comes from a custom domain,
  // flag if org has never sent an email to sender's domain before
  or (
    sender.email.domain.root_domain not in $free_email_providers
    and sender.email.domain.domain not in $recipient_domains
  )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started

Brand impersonation: Binance

Labels

Description

References

Playground

Share

Get Started. Today.