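type.inbound
// Callback-phishing / fake-invoice scam: a newly registered sending or
// reply-to domain, invoice-themed text, a commonly impersonated brand, and a
// phone number the recipient is meant to call. All four gates must hold.
//
// Gate 1 - domain age. Any of the reply-to, return-path or sender domains was
// registered within the last 30 days. Reply-to domains additionally have to
// differ from the sender address, so a reply-to that simply points back at
// the sender does not count. The length() check matters because all() over
// an empty reply-to list would otherwise be vacuously true.
// NOTE(review): the outcome when network.whois() cannot resolve a domain
// (days_old null/absent) is not visible here - presumably the comparison is
// simply not true and the domain does not count as "new"; confirm.
and (
  (
    length(headers.reply_to) > 0
    and all(headers.reply_to,
      network.whois(.email.domain).days_old <= 30
      and .email.email != sender.email.email
    )
  )
  // or the return path or sender domain is less than 30d old
  or network.whois(headers.return_path.domain).days_old <= 30
  or network.whois(sender.email.domain).days_old <= 30
)
// Gate 2 - invoice theme with high NLU confidence, evaluated on the current
// thread text (body.current_thread) rather than the whole body.
and any(ml.nlu_classifier(body.current_thread.text).tags,
  .name == "invoice" and .confidence == "high"
)
// Gate 3 - a commonly abused brand, checked three ways: body text, detected
// brand logos, and OCR of the rendered message (for image-only lures).
and (
  // "*virus*" is a broad keyword; it is kept because the other gates are
  // strict, but on its own it will also hit legitimate AV renewal mail.
  strings.ilike(body.current_thread.text,
    "*mcafee*",
    "*norton*",
    "*geek squad*",
    "*paypal*",
    "*ebay*",
    "*symantec*",
    "*best buy*",
    "*lifelock*",
    "*virus*"
  )
  // Logo list is narrower than the text list.
  // NOTE(review): confirm which brands ml.logo_detect supports before
  // extending this to McAfee / Best Buy / LifeLock.
  or any(ml.logo_detect(file.message_screenshot()).brands,
    .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
  )
  // OCR of the message screenshot. A single multi-pattern case-insensitive
  // glob over one beta.ocr() result replaces eight separate icontains() calls
  // that each re-invoked beta.ocr(); the set of matching messages is the same.
  //
  // This rule makes use of a beta feature and is subject to change without notice
  // using the beta feature in custom rules is not suggested until it has been formally released
  //
  or strings.ilike(beta.ocr(file.message_screenshot()).text,
    "*geek squad*",
    "*lifelock*",
    "*best buy*",
    "*mcafee*",
    "*norton*",
    "*ebay*",
    "*paypal*",
    "*virus*"
  )
)
// Gate 4 - a phone number to call. Optional "+", optional country digit,
// optional parentheses around the area code, and one wildcard character
// between the groups: the unescaped "." matches ANY character, so
// "555-123-4567", "(555) 123 4567" and "555.123.4567" all hit. The lazy "?"
// that used to follow \d{3} was a no-op (a fixed count has nothing to
// shorten) and has been dropped; the match set is unchanged.
// NOTE(review): because "." is a wildcard it can also swallow a digit, so
// long unseparated digit runs may match - tighten to [\s.\-] if this proves noisy.
and regex.icontains(body.current_thread.text,
  '\+?(\d{1}.)?\(?\d{3}\)?.\d{3}.?\d{4}'
)
// Exclusions: senders the recipient has solicited mail from, or that have any
// message already judged benign, do not trigger the rule.
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign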