type.inbound
and (
// levenshtein distance similar to Square
(
strings.ilevenshtein(strings.replace_confusables(sender.display_name),
'square'
) <= 1
and sender.display_name not in ("SquareX")
)
or any(ml.logo_detect(file.message_screenshot()).brands,
.name == "Square" and .confidence == "high"
)
)
and (
(
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in (
"Security and Authentication",
"Secure Message",
"Reminders and Notifications"
)
and .confidence in ("medium", "high")
)
and not any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Newsletters and Digests", "Entertainment and Sports")
and .confidence in ("medium", "high")
)
)
or (
any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
.name in (
"Security and Authentication",
"Secure Message",
"Reminders and Notifications"
)
and .confidence in ("medium", "high")
and beta.ocr(file.message_screenshot()).text != ""
)
and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
.name in ("Newsletters and Digests", "Entertainment and Sports")
and .confidence in ("medium", "high")
)
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
.name == "cred_theft" and .confidence == "high"
)
)
// and the sender is not in org_domains or from Square domains and passes auth
and not (
sender.email.domain.root_domain in $org_domains
or (
sender.email.domain.root_domain in (
"square.com",
"squareup.com",
"block.com"
)
and headers.auth_summary.dmarc.pass
)
)
// and the sender is not from high trust sender root domains
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or not headers.auth_summary.dmarc.pass
or not headers.auth_summary.spf.pass
)
Playground
Test against your own EMLs or sample data.