type.inbound
and length(attachments) == 0
// Legitimate Zoom sending infratructure
and sender.email.domain.root_domain == 'zoom.us'
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
// Zoom Logo
and any(ml.logo_detect(file.message_screenshot()).brands, .name == "Zoom")
// Callback Phishing
and regex.icontains(body.current_thread.text,
(
"mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
)
)
and 3 of (
strings.ilike(body.current_thread.text, '*purchase*'),
strings.ilike(body.current_thread.text, '*payment*'),
strings.ilike(body.current_thread.text, '*transaction*'),
strings.ilike(body.current_thread.text, '*subscription*'),
strings.ilike(body.current_thread.text, '*antivirus*'),
strings.ilike(body.current_thread.text, '*order*'),
strings.ilike(body.current_thread.text, '*support*'),
strings.ilike(body.current_thread.text, '*help line*'),
strings.ilike(body.current_thread.text, '*receipt*'),
strings.ilike(body.current_thread.text, '*invoice*'),
strings.ilike(body.current_thread.text, '*call*'),
strings.ilike(body.current_thread.text, '*cancel*'),
strings.ilike(body.current_thread.text, '*renew*'),
strings.ilike(body.current_thread.text, '*refund*')
)
// phone number regex
and any([body.current_thread.text, subject.subject],
regex.icontains(.,
'\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
'\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
)
)
// negation for legitimate AI generated meeting summaries from Zoom
and not (
(
sender.display_name == "Meeting Summary with AI Companion"
and sender.email.email == "no-reply@zoom.us"
and headers.auth_summary.dmarc.pass
)
or (
strings.icontains(subject.subject, "Meeting assets")
and strings.icontains(body.current_thread.text, "Meeting summary")
and sender.email.email == "no-reply@zoom.us"
and headers.auth_summary.dmarc.pass
)
)
Playground
Test against your own EMLs or sample data.