// Detection rule (Sublime MQL): inbound mail whose sender display name or
// sender domain reads as "LastPass" and that carries at least one of the
// phishing signals below, minus newsletter-like content and DMARC-passing
// mail from lastpass.com itself.
type.inbound
// Every branch below is gated on the body containing at least one link,
// including the NLU-topic and invalid-sender branches that do not inspect links.
and length(body.links) > 0
// Brand lookalike check on both the display name and the sender domain,
// after confusable-character normalization. "Last?Pass" adds a one-character
// wildcard between the two words (e.g. a hyphen or space).
and any([sender.display_name, sender.email.domain.domain],
strings.ilike(strings.replace_confusables(.), "*LastPass*", "Last?Pass")
)
// At least one of the following signals must be present.
and (
// Lure phrasing in the current thread text (case-insensitive glob matches).
// The genuine support address appearing in a lookalike-sender message is
// itself treated as a signal.
strings.ilike(body.current_thread.text,
"*back*up*",
"*maintenance*",
"*master*password*",
"*export*vault*",
"*support@lastpass.com*" // real LastPass support address
)
// Or a suspicious link.
or any(body.links,
// links directly to a S3 bucket
(
.href_url.domain.root_domain == "amazonaws.com"
and strings.icontains(.href_url.domain.subdomain, "s3")
)
// recipient email as a URL param
// Any value of the decoded "email" query parameter that parses to one of the
// To: recipient addresses (presumably used to pre-fill a harvesting page).
or any(.href_url.query_params_decoded["email"],
strings.parse_email(.).email in map(recipients.to, .email.email)
)
)
// Or the NLU classifier assigns a security/notification topic to the thread
// text with confidence other than "low".
or any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Security and Authentication", "Reminders and Notifications")
and .confidence != "low"
)
// invalid sender address
or not sender.email.domain.valid
)
// negate newsletters
// Same classifier call as above; suppresses messages it labels as newsletters
// with confidence other than "low".
and not any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Newsletters and Digests") and .confidence != "low"
)
// Exclude genuine LastPass mail. The exclusion requires a DMARC pass, so a
// message that merely spoofs a lastpass.com sender domain is not allowlisted.
and not (
sender.email.domain.root_domain in~ ("lastpass.com")
and headers.auth_summary.dmarc.pass
)