type.inbound
and length(body.current_thread.text) < 1000
and any([subject.subject, sender.display_name, body.current_thread.text],
regex.icontains(.,
'(\b2fa\b|\bQ.?R\.?\s?\b|MFA|Muti[ -]?Factor|(Auth(enticat|e|or|ion))?)'
)
)
and (
any(attachments,
(
.file_type in $file_types_images
or .file_type == "pdf"
or .file_type in~ $file_extensions_macros
)
and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Google"))
)
or any(ml.logo_detect(file.message_screenshot()).brands,
strings.starts_with(.name, "Google")
)
)
and any(attachments,
(
.file_type in $file_types_images
or .file_type == "pdf"
or .file_type in $file_extensions_macros
)
and (
any(file.explode(.),
regex.icontains(.scan.ocr.raw, 'scan|camera')
and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
)
or any(file.explode(.),
.scan.qr.type is not null
and regex.contains(.scan.qr.data, '\.')
)
or (
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
beta.parse_exif(file.message_screenshot()).image_height < 2000
and beta.parse_exif(file.message_screenshot()).image_width < 2000
and any(beta.scan_qr(file.message_screenshot()).items,
.type is not null and regex.contains(.data, '\.')
)
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.