type.inbound
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
// embedded in an image attachment
// note: don't use message_screenshot()
// because it's not limited to current_thread and may FP
or any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence == "high"
)
)
)
)
and 4 of (
// impersonation of the recipient's domain or email address
// in the subject to make it look more personalized
any(recipients.to,
(
strings.icontains(subject.subject, .email.local_part)
or strings.icontains(subject.subject, .email.domain.sld)
)
and (
.email.domain.valid or strings.icontains(.display_name, "undisclosed")
)
),
// recipient's email address in the body. this is not very uncommon
// for legit credential themed messages either
any(recipients.to,
(.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
and strings.icontains(body.current_thread.text, .email.email)
),
( // page contains turnstile captcha
any(body.links,
strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
'https://challenges.cloudflare.com/turnstile/',
)
)
),
(
// freemail providers should never be sending this type of email
sender.email.domain.domain in $free_email_providers
// if not freemail, it's suspicious if the sender's root domain
// doesn't match any links in the body
or (
length(body.links) > 0
and all(body.links,
.href_url.domain.root_domain != sender.email.domain.root_domain
)
)
),
strings.contains(body.current_thread.text,
"Your mailbox can no longer send or receive messages."
),
// link redirects to a suspicious TLD
any(body.links,
any(ml.link_analysis(., mode="aggressive").redirect_history,
.domain.tld in $suspicious_tlds
)
),
(
// suspicious redirects
// 3 or more different domains with 2 or more different TLDs
// careful because click trackers will always make this at least 2
// different domains and not unlikely 2 or more TLDs
any(body.links,
length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
.domain.tld
)
)
) >= 2
and length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
.domain.domain
)
)
) >= 3
)
),
// maybe: any brand logo with high confidence
// maybe: recipients BCCd or undisclosed
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negating Google Calendar invites
and (
(
(
length(attachments) > 0
and not all(attachments,
.content_type in ("text/calendar", "application/ics")
)
)
and not (
any(distinct(headers.hops, .authentication_results.dmarc is null),
strings.ilike(.authentication_results.dmarc, "*pass")
and strings.ilike(.authentication_results.spf_details.designator,
"*calendar-server.bounces.google.com"
)
)
)
)
or length(attachments) == 0
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.