type.inbound
and 0 < length(body.previous_threads) < 3
and length(attachments) == 0
// Check previous_threads for mobile solicitation patterns
and any(body.previous_threads,
(
length(.text) < 500
// ignore disclaimers in body length calculation
or (
any(map(filter(ml.nlu_classifier(.text).entities,
.name == "disclaimer"
),
.text
),
(length(..text) - length(.)) < 500
)
)
)
and regex.icontains(.text,
'(mobile|suitable|contact|current|cell|call|another).{0,10}(phone|number|#|\bno)|whatsapp|\bcell|personalcell'
)
)
// NLU analysis on previous_threads content
and (
any(body.previous_threads,
any(ml.nlu_classifier(.text).intents,
.name in ("bec", "advance_fee") and .confidence in ("medium", "high")
)
)
or (
// confidence can be low on very short bodies
any(body.previous_threads, length(.text) < 550)
and (
any(body.previous_threads,
any(ml.nlu_classifier(.text).intents, .name == "bec")
)
or any(ml.nlu_classifier(sender.display_name).intents, .name == "bec")
or any(body.previous_threads,
any(ml.nlu_classifier(.text).entities,
strings.icontains(.text, "kindly")
)
)
)
)
)
// Sender analysis
and (
not profile.by_sender().solicited
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign
// not high trust sender domains
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// Ensure this is likely a hijacked thread (sender doesn't match thread participants)
and (
length(headers.references) > 0
or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
Playground
Test against your own EMLs or sample data.