type.inbound
and 0 < length(body.current_thread.links) < 8
and any([subject.subject, sender.display_name],
regex.icontains(., "(?:cloud|storage|mailbox)")
)
and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
.name == "cred_theft" and .confidence == "high"
)
and regex.icontains(beta.ocr(file.message_screenshot()).text,
"storage.{0,50}full",
"free.{0,50}upgrade",
"storage.{0,50}details",
"storage.{0,50}quot",
"(?:mailbox|account|cloud).{0,50}(?:at risk|storage|disabled)"
)
and not strings.ilike(beta.ocr(file.message_screenshot()).text, "*free plan*")
and (
any(body.current_thread.links,
// fingerprints of a hyperlinked image
.display_text is null
and .display_url.url is null
and .href_url.domain.domain not in $tenant_domains
and (
.href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.root_domain in $url_shorteners
or network.whois(.href_url.domain).days_old < 365
or .href_url.domain.root_domain == "beehiiv.com"
)
)
)
// and the sender is not from high trust sender root domains
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.