type.inbound
and (
(
length(attachments) <= 3
and any(attachments,
.file_type in $file_types_images
and any(ml.logo_detect(.).brands, .name == "Chase")
)
)
or (
length(attachments) == 0
and any(ml.logo_detect(file.message_screenshot()).brands, .name == "Chase")
)
)
and 0 < length(body.links) < 10
and (
any(body.links,
any([ml.link_analysis(.)],
.credphish.disposition == "phishing"
and .credphish.brand.confidence in ("medium", "high")
)
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("cred_theft") and .confidence in ("medium", "high")
)
)
and not all(body.links,
.href_url.domain.root_domain in (
"chasecdn.com",
"chase.com",
"chase.co.uk",
"gslbjpmchase.com",
"jpmorganchase.com",
"jpmorgan.com",
"jpmorganfunds.com",
"jpmprivatebank.com",
"paymentech.com"
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or profile.by_sender().any_messages_malicious_or_spam
)
Playground
Test against your own EMLs or sample data.