// Brand impersonation: Discord notification lure.
// Matches inbound mail that (1) presents itself as Discord through the display
// name, the sender domain or a detected logo, (2) uses a notification-style
// subject, and (3) is not DMARC-authenticated mail from discord.com or
// discogs.com. High-trust sender domains stay in scope only when DMARC does not pass.
type.inbound
// (1) Brand signal: at least one reference to Discord
and (
// display name contains "discord" (case-insensitive wildcard match)
strings.ilike(sender.display_name, '*discord*')
// near-miss spellings: display name within edit distance 2 of "discord".
// "discogs" is itself two edits away from "discord", so it is excluded explicitly.
or (
strings.ilevenshtein(sender.display_name, 'discord') <= 2
and sender.display_name not in~ ("discogs")
)
// sender domain contains "discord". This also matches the genuine discord.com,
// which is removed again by the DMARC-gated exclusion further down.
or strings.ilike(sender.email.domain.domain, '*discord*')
// Discord logo detection in image attachments
// (any detection whose confidence is not "low" counts)
or any(attachments,
.file_type in $file_types_images
and any(ml.logo_detect(.).brands,
.name == "Discord" and .confidence != "low"
)
)
// Discord logo detection in message screenshot
// (same confidence threshold as for attachments)
or any(ml.logo_detect(file.message_screenshot()).brands,
.name == "Discord" and .confidence != "low"
)
)
// (2) Lure signal: subject reads like an account or chat notification
and (
strings.icontains(subject.subject, 'you have received a new notification')
// optional qualifier (new/unread/missed/pending/discord), then a noun
// (message/notification/alert/activity/call), one literal space, then
// from/waiting/pending, e.g. "new message from" or "call waiting"
or regex.icontains(subject.subject,
'(?:(?:new|unread|missed|pending|discord)\s+)?(?:message|notification|alert|activity|call) (?:from|waiting|pending)',
)
or strings.icontains(subject.subject, 'friend request')
or strings.icontains(subject.subject, 'server invitation')
or strings.icontains(subject.subject, 'mentioned you')
or strings.icontains(subject.subject, 'direct message')
)
// (3) Exclude the legitimate senders, but only when DMARC passes: a message
// that claims discord.com or discogs.com as its root domain without a DMARC
// pass is still evaluated by this rule.
and not (
sender.email.domain.root_domain in ("discord.com", "discogs.com")
and headers.auth_summary.dmarc.pass
)
// negate highly trusted sender domains unless they fail DMARC authentication
// Both branches test membership in $high_trust_sender_root_domains: a listed
// domain matches only when dmarc.pass is not true, an unlisted domain always matches.
// NOTE(review): confirm how a missing DMARC result is evaluated by `not ...dmarc.pass`.
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)