• Sublime Core Feed

Description

Impersonation of Netflix.

min0k
Created Aug 17th, 2023 • Last updated Oct 1st, 2025
Source
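type.inbound
and (
  // display name, after confusable normalization, matches "netflix" with n/m and l/i swaps
  regex.icontains(strings.replace_confusables(sender.display_name), '[nm]etf[li][il]x')
  // display name is within one edit of "netflix"
  or strings.ilevenshtein(strings.replace_confusables(sender.display_name), 'netflix') <= 1
  // sender domain contains the same lookalike pattern
  or regex.icontains(strings.replace_confusables(sender.email.domain.domain), '[nm]etf[li][il]x')
  // letters of "netflix" in the display name separated by up to three filler characters
  or regex.icontains(strings.replace_confusables(sender.display_name), 'n.{0,3}e.{0,3}t.{0,3}f.{0,3}l.{0,3}i.{0,3}x.{0,3}')
  // no "to" recipients, or only invalid recipient domains, combined with a detected
  // Netflix logo and at least one link classified as credential phishing
  or (
    (
      length(recipients.to) == 0
      or (
        all(recipients.to, .email.domain.valid == false)
        and all(recipients.cc, .email.domain.valid == false)
      )
    )
    and any(ml.logo_detect(file.message_screenshot()).brands,
            .name == "Netflix"
            and .confidence in ("medium", "high")
            and (
              any(body.links,
                  ml.link_analysis(.).credphish.disposition == "phishing"
                  and ml.link_analysis(.).credphish.confidence in (
                    "medium",
                    "high"
                  )
              )
            )
    )
  )
)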
and sender.email.domain.root_domain not in (
  'netflix.com',
  'dvd.com',
  'netflixfamily.com',
  'netflixpreviewclub.com',
  'netflixanimation.com',
  'envoy.com',
  'lexisnexis.com',
  'netflix.shop',
  'netflixcontractors.com', // owned by netflix
  'netflixevents.com', // owned by netflix
  'netelixir.com', // unrelated marketing
  'netflixhouse.com', // owned by netflix
  'instagram.com',
  'netflix.net'
)
and sender.email.domain.domain not in (
  'netflix.zendesk.com' // netflix actual support
)
and sender.email.email not in $recipient_emails