type.inbound
and (
strings.icontains(body.current_thread.text, 'Google Careers')
or strings.icontains(body.current_thread.text, 'GoogleCareers')
// Spanish
or strings.icontains(body.current_thread.text, 'Google Carreras')
or strings.icontains(body.current_thread.text, 'GoogleCarreras')
// German Norwegian
or strings.icontains(body.current_thread.text, 'Google Karriere')
or strings.icontains(body.current_thread.text, 'GoogleKarriere')
// Swedish
or strings.icontains(body.current_thread.text, 'Google Karriär')
or strings.icontains(body.current_thread.text, 'GoogleKarriär')
// Dutch
or strings.icontains(body.current_thread.text, 'Google Carrières')
or strings.icontains(body.current_thread.text, 'GoogleCarrières')
// Turkish
or strings.icontains(body.current_thread.text, 'Google Kariyer')
or strings.icontains(body.current_thread.text, 'GoogleKariyer')
// The screenshot OCR captures google careers or the google logo
or (
sender.email.domain.root_domain == "salesforce.com"
and (
regex.icontains(beta.ocr(file.message_screenshot()).text,
"google careers"
)
or any(ml.logo_detect(file.message_screenshot()).brands,
strings.starts_with(.name, "Google")
)
)
)
)
and not any(body.links, .href_url.domain.root_domain in ("google.com", "c.gle"))
and not (
sender.email.domain.root_domain in ("google.com", "sublimesecurity.com")
and headers.auth_summary.dmarc.pass
)
Playground
Test against your own EMLs or sample data.