type.inbound
and sender.email.domain.root_domain not in ("ups.com", "upsemail.com")
and (
sender.display_name in~ ("UPS My Choice", "UPS Services", "Ups.com")
or regex.icontains(sender.display_name, 'ups-\w+')
or strings.ilike(sender.email.local_part, "*united*parcel*service*")
or strings.ilike(sender.email.domain.domain, '*united*parcel*service*')
or strings.icontains(subject.subject, 'UPS delivery')
or sender.email.local_part =~ "ups"
or regex.icontains(sender.display_name,
"U[^a-zA-Z]P[^a-zA-Z]S(?:[^a-zA-Z]|$)"
)
or strings.icontains(body.html.raw, 'background-color:#351d20')
or strings.icontains(body.html.raw, 'background-color: #351d20')
)
and (
// Observed in the "footer" of impersation messages
// added this due to the UPS image not loading on some emails
strings.icontains(body.current_thread.text, "United Parcel Service of")
or regex.icontains(body.current_thread.text,
"(©|®).{0,15}(?:U.?P.?S.?|United Parcel Service)"
)
or any(ml.logo_detect(file.message_screenshot()).brands, .name is not null)
)
and sender.email.email not in $recipient_emails
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.