// Flags inbound mail whose sender display name claims to be the Canada Revenue
// Agency (CRA) and whose current thread text is classified as credential theft,
// unless the sender is a high-trust or CRA-owned domain that also passes DMARC.
type.inbound
// sender display name claims to be the CRA (full English or French name)
and (
strings.icontains(sender.display_name, 'canada revenue agency')
or strings.icontains(sender.display_name, 'agence du revenu du canada')
or (
// the bare acronym "cra" (matched as a whole word) only counts when the
// subject also contains a CRA/tax keyword
// NOTE(review): the subject alternation has no word boundaries, so "cra",
// "tax" and "T4" also match inside longer words - confirm this breadth is intended
regex.icontains(sender.display_name, '\bcra\b')
and regex.icontains(subject.base,
'(?:T4|cra|tax|canada revenue|revenu du canada)'
)
)
)
// NLU: at least one intent on the current thread text is cred_theft with a
// confidence other than 'low'
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence != 'low'
)
and not (
(
// negate highly trusted sender domains
sender.email.domain.root_domain in $high_trust_sender_root_domains
// negate legitimate senders from the CRA's own domain
// NOTE(review): root_domain is compared to a three-label name; confirm it
// resolves to cra-arc.gc.ca for CRA subdomains as well
or sender.email.domain.root_domain == "cra-arc.gc.ca"
)
// enforce auth: the exclusion applies only when DMARC passes; coalesce()
// turns a missing DMARC result into false, so unauthenticated mail that uses
// one of these domains is still evaluated by the rule
and coalesce(headers.auth_summary.dmarc.pass, false)
)