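// Inbound mail relayed through Microsoft Forms whose sender display name
// impersonates a Google/Gmail alert. Forms notifications legitimately arrive
// from this Microsoft domain, so the signal is the Google-branded display
// name combined with either an off-list link or an account-threat lure.
type.inbound
and sender.email.domain.domain == 'email.formspro.microsoft.com'
// Display name claims to be Google/Gmail ...
and regex.icontains(sender.display_name, '(google|gmail)')
// ... and frames the message as an alert/warning/notification
and regex.icontains(sender.display_name, '(alert|warning|notification)')
// MsgID does not contain Google|Gmail|GoogleMail. The '.' in gmail.com is
// escaped so the exclusion only matches the literal domain rather than any
// character (the unescaped form would also exclude e.g. "gmailXcom").
and not regex.icontains(headers.message_id, '(mail|mx)?\.?(google(mail)?|gmail\.com)')
and (
  // at least one link resolves to a root domain outside the Tranco top 1M
  any(body.links, .href_url.domain.root_domain not in $tranco_1m)
  // or the visible body carries account-threat phrasing typical of
  // credential phishing. "loose your" is kept as written: presumably an
  // intentional match on the common misspelling in phishing copy — confirm
  // before "correcting" it to "lose your".
  or strings.ilike(body.html.display_text,
    "*suspicious activities*",
    "*failure to secure*",
    "*loose your*",
    "*suspended*"
  )
)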