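// Callback-phishing lure delivered through legitimate Microsoft sending
// infrastructure. The message carries no attachment or link payload; the
// "payload" is a phone number the recipient is urged to call.
type.inbound
and length(attachments) == 0

// Legitimate MicrosoftOnline sending infrastructure
// or invites@microsoft.com abuse
and (
  (
    sender.email.domain.root_domain in ('microsoftonline.com')
    or sender.email.email == "invites@microsoft.com"
  )
  // NOTE(review): an SPF pass only vouches for the envelope sender, so this
  // clause can be satisfied without the visible From domain being aligned;
  // a DMARC pass is the stronger of the two signals. Both are accepted here
  // so genuine Microsoft-originated abuse is not missed.
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)

  // Callback phishing: either the NLU classifier flags a short body as a
  // callback scam, or the body hits at least three of the lure keywords.
  and (
    (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("callback_scam")
          and .confidence in ("medium", "high")
      )
      // Short bodies only. The length test does not depend on the intent
      // being iterated, so it is evaluated once, outside the any().
      and length(body.current_thread.text) < 1750
    )
    // Wildcards are case-insensitive substring matches, so e.g. '*order*'
    // also hits "border" and '*call*' hits "callback"; the 3-of threshold
    // is what keeps this branch from firing on ordinary mail.
    or 3 of (
      strings.ilike(body.current_thread.text, '*purchase*'),
      strings.ilike(body.current_thread.text, '*payment*'),
      strings.ilike(body.current_thread.text, '*transaction*'),
      strings.ilike(body.current_thread.text, '*subscription*'),
      strings.ilike(body.current_thread.text, '*antivirus*'),
      strings.ilike(body.current_thread.text, '*order*'),
      strings.ilike(body.current_thread.text, '*support*'),
      strings.ilike(body.current_thread.text, '*help line*'),
      strings.ilike(body.current_thread.text, '*receipt*'),
      strings.ilike(body.current_thread.text, '*invoice*'),
      strings.ilike(body.current_thread.text, '*call*'),
      strings.ilike(body.current_thread.text, '*cancel*'),
      strings.ilike(body.current_thread.text, '*renew*'),
      strings.ilike(body.current_thread.text, '*refund*')
    )
  )

  // Phone number present in the body or subject. The character classes
  // accept i/l/o in place of 1/0 to catch obfuscated digits (e.g. "8oo");
  // the area-code group of the second pattern now uses the same class as
  // the rest of the pattern instead of \d, so obfuscated area codes match.
  and any([body.current_thread.text, subject.subject],
    regex.icontains(.,
      '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
      '\+?([ilo0-9]{1,2})?\s?\(?[ilo0-9]{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
    )
  )
)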