type.inbound
and any(attachments,
.file_type == "unknown"
and (.content_type == "message/rfc822" or .file_extension in ('eml'))
and any(file.explode(.),
strings.starts_with(.flavors.mime, "image")
// and Image contains callback phishing indicators
and 4 of (
strings.icontains(.scan.ocr.raw, "purchase"),
strings.icontains(.scan.ocr.raw, "subscription"),
strings.icontains(.scan.ocr.raw, "antivirus"),
strings.icontains(.scan.ocr.raw, "order"),
strings.icontains(.scan.ocr.raw, "support"),
strings.icontains(.scan.ocr.raw, "receipt"),
strings.icontains(.scan.ocr.raw, "amount"),
strings.icontains(.scan.ocr.raw, "charged"),
strings.icontains(.scan.ocr.raw, "invoice"),
strings.icontains(.scan.ocr.raw, "call"),
strings.icontains(.scan.ocr.raw, "cancel"),
strings.icontains(.scan.ocr.raw, "renew"),
strings.icontains(.scan.ocr.raw, "refund"),
strings.icontains(.scan.ocr.raw, "+1")
)
)
and any(file.explode(.),
strings.ilike(.scan.ocr.raw,
"*geek*squad*",
"*lifelock*",
"*best buy*",
"*mcafee*",
"*norton*",
"*ebay*",
"*paypal*",
"*secure anywhere*"
)
or any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name in ("callback_scam")
and .confidence == "high"
and length(body.current_thread.text) < 1500
)
)
)
and (
not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.