type.inbound
and (
  any(ml.logo_detect(file.message_screenshot()).brands, .name == "USPS")
  or sender.display_name =~ "USPS"
)
and length(body.links) > 0
and 2 of (
  any(body.links,
      strings.ilike(.display_text,
                    "*check now*",
                    "*track*",
                    "*package*",
                    '*view your order*'
      )
  ),
  strings.ilike(body.current_thread.text,
                "*returned*to*sender*",
                "*redelivery*"
  ),
  // impersonal greeting
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "recipient" and .text =~ "Customer"
  ),
  // no links go to usps.com
  all(body.links, .href_url.domain.root_domain != "usps.com")
)
and (
  sender.email.domain.root_domain not in (
      "usps.com", 
      "opinions-inmoment.com", // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
      "shipup.co", // third party shipping company
      "withings.com" // third party shipping company
  )
  or (
    sender.email.domain.root_domain in (
        "usps.com", 
        "opinions-inmoment.com" // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
    )
    and not headers.auth_summary.dmarc.pass
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started

Brand impersonation: USPS

Labels

Description

References

Playground

Share

Get Started. Today.