// Flags inbound messages that link to a Canva design page whose analysed page
// content contains a link to an outside domain that looks like credential phishing.
type.inbound
// at least one body link must be a Canva design URL: root domain canva.com, path starting with /design/
and any(body.links,
.href_url.domain.root_domain == "canva.com"
and strings.starts_with(.href_url.path, "/design/")
// run link analysis on that Canva link and select the second <script> element under <body> of the final DOM
// NOTE(review): the XPath is positional; presumably this script carries the design's embedded data — confirm it still matches if the page layout changes
and any(html.xpath(ml.link_analysis(.).final_dom,
"/html/body/script[2]"
).nodes,
// branch 1: extract (display_text, url) pairs from the script node's raw text
// iextract is the case-insensitive variant, so the [A-Z] / [a-z] classes below do not distinguish case
any(regex.iextract(.raw,
'\"[A-Z]\":{[^\}]+\"[a-z]\":\"(?P<display_text>[^\"]+)\"},\"[a-z]\":{[^\}]+"[a-z]":"(?<url>https:\/\/[^\s"'')\]}]+)\"'
),
// skip extracted URLs whose root domain is on this exclusion list
// NOTE(review): matching on root_domain excludes every subdomain of these hosts — confirm that breadth is intended
// NOTE(review): the same list is repeated in branch 2 below; keep the two copies in sync
strings.parse_url(.named_groups["url"]).domain.root_domain not in (
"canva.com",
"sentry.io",
"googleusercontent.com"
)
// for a non-excluded URL, any one of the following signals is enough
and (
// the link's display text is classified with the cred_theft intent
any(ml.nlu_classifier(.named_groups['display_text']).intents,
.name == "cred_theft"
)
// the URL's TLD is in the $suspicious_tlds list
or strings.parse_url(.named_groups["url"]).domain.tld in $suspicious_tlds
// the URL's full domain or its root domain is in the $free_subdomain_hosts list
or strings.parse_url(.named_groups["url"]).domain.domain in $free_subdomain_hosts
or strings.parse_url(.named_groups["url"]).domain.root_domain in $free_subdomain_hosts
// link analysis of the extracted URL itself returns a credphish disposition of "phishing"
or ml.link_analysis(strings.parse_url(.named_groups["url"]
)
).credphish.disposition == "phishing"
)
)
// branch 2: parse out links using file.explode
// applies the same exclusion list and URL signals as branch 1, but has no display text, so the NLU intent check is not used here
or any(file.explode(.),
any(filter(.scan.url.urls,
.domain.root_domain not in (
"canva.com",
"sentry.io",
"googleusercontent.com"
)
),
.domain.tld in $suspicious_tlds
or .domain.domain in $free_subdomain_hosts
or .domain.root_domain in $free_subdomain_hosts
or ml.link_analysis(.).credphish.disposition == "phishing"
)
)
)
)
// do not fire when the sender-email profile reports any messages marked benign
and not profile.by_sender_email().any_messages_benign