// Inbound message in which every attachment is an image: no attachment remains after filtering
// out the image file types in the $file_types_images list (an empty attachment list also passes
// this line, but then fails the any(attachments, ...) below).
type.inbound
and length(filter(attachments, .file_type not in $file_types_images)) == 0
// At least one attachment must satisfy BOTH file.explode() checks below (NLU signals AND lure-content signals).
and any(attachments,
// (1) NLU over the OCR text of the exploded image: either a "cred_theft" intent whose confidence
//     is not "low", or no intent at all but more than two extracted entities.
any(file.explode(.),
(
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence != "low"
)
or (
length(ml.nlu_classifier(.scan.ocr.raw).intents) == 0
and length(ml.nlu_classifier(.scan.ocr.raw).entities) > 2
)
)
// ... combined with either an "urgency" entity or a "sender" entity whose text contains
//     "Microsoft" (case-insensitive match).
and (
(
any(ml.nlu_classifier(.scan.ocr.raw).entities,
.name == "urgency"
)
)
or any(ml.nlu_classifier(.scan.ocr.raw).entities,
.name == "sender" and strings.icontains(.text, "Microsoft")
)
)
)
// (2) Quarantine-notice lure content: at least 3 of the 7 conditions below must hold --
//     six case-insensitive OCR keyword matches, or a detected brand logo whose name starts
//     with "Microsoft".
//     NOTE(review): `..` in logo_detect(..) presumably scopes to the enclosing attachment rather
//     than the exploded file -- confirm against the MQL reference.
and any(file.explode(.),
3 of (
strings.icontains(.scan.ocr.raw, "review"),
strings.icontains(.scan.ocr.raw, "release"),
strings.icontains(.scan.ocr.raw, "quarantine"),
strings.icontains(.scan.ocr.raw, "messages"),
strings.icontains(.scan.ocr.raw, "blocked"),
strings.icontains(.scan.ocr.raw, "notification"),
any(ml.logo_detect(..).brands,
strings.starts_with(.name, "Microsoft")
)
)
)
)
// Exclude mail whose sender root domain is one of these Microsoft-operated domains
// (legitimate quarantine notifications are expected to originate from them).
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com",
)
// negate highly trusted sender domains unless they fail DMARC authentication
// (logically equivalent to: not (root_domain in $high_trust_sender_root_domains and DMARC passes);
//  a high-trust domain that fails DMARC is still evaluated, since the domain may be spoofed)
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// Sender-profile exclusions: the sender must not be marked solicited and must not have any
// messages marked benign (exact profile.by_sender() semantics -- confirm against the MQL reference).
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign