// Scope: inbound mail carrying no attachments. Attachment-bearing variants of
// this lure are not covered by this rule.
type.inbound
and length(attachments) == 0
// Legitimate Dropbox sending infrastructure: the sender root domain is Dropbox
// AND DMARC passes, i.e. the message really did transit Dropbox. This rule is
// therefore aimed at abuse of the genuine service (attacker-controlled Dropbox
// account/share notification), NOT at spoofed Dropbox mail. A DMARC-failing
// lookalike will not match here and needs its own rule.
and (
sender.email.domain.root_domain in ('dropbox.net', 'dropbox.com')
// require a DMARC pass so a forged Dropbox From: cannot satisfy this branch
and headers.auth_summary.dmarc.pass
)
// Dropbox branding: the rendered message screenshot carries a Dropbox logo, or
// the current thread text mentions "Dropbox". NOTE(review): this contains()
// check is case-sensitive, unlike the ilike/icontains checks below; presumably
// intentional for the brand name - confirm whether mixed-case mentions should count.
and (
any(ml.logo_detect(file.message_screenshot()).brands, .name == "Dropbox")
or strings.contains(body.current_thread.text, "Dropbox")
)
// Require a commonly impersonated brand in the thread text (case-insensitive
// wildcard match; multiple patterns are passed to one strings.ilike call,
// presumably any-of semantics - confirm against the MQL reference).
and strings.ilike(body.current_thread.text,
"*mcafee*",
"*norton*",
"*geek*squad*",
"*paypal*",
"*ebay*",
"*symantec*",
"*best buy*",
"*lifelock*",
"*geek*support*"
)
// Invoice / refund-scam vocabulary: at least three of these terms must appear.
// NOTE(review): '*call*', '*order*' and '*message*' are wide wildcards
// ("recall", "border", any "message" text), so the 3-of threshold is doing
// most of the precision work here - check FP samples before loosening it.
and 3 of (
strings.ilike(body.current_thread.text, '*purchase*'),
strings.ilike(body.current_thread.text, '*payment*'),
strings.ilike(body.current_thread.text, '*transaction*'),
strings.ilike(body.current_thread.text, '*subscription*'),
strings.ilike(body.current_thread.text, '*antivirus*'),
strings.ilike(body.current_thread.text, '*order*'),
strings.ilike(body.current_thread.text, '*support*'),
strings.ilike(body.current_thread.text, '*help line*'),
strings.ilike(body.current_thread.text, '*receipt*'),
strings.ilike(body.current_thread.text, '*invoice*'),
strings.ilike(body.current_thread.text, '*call*'),
strings.ilike(body.current_thread.text, '*cancel*'),
strings.ilike(body.current_thread.text, '*renew*'),
strings.ilike(body.current_thread.text, '*refund*'),
strings.ilike(body.current_thread.text, '*transfer*'),
strings.ilike(body.current_thread.text, '*message*')
)
// An email address appears in the thread text (the scammer's "contact us"
// handle). The "\\." is presumably an escaped literal dot inside the
// double-quoted string - confirm the escaping rules for this rule format.
and regex.contains(body.current_thread.text,
"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
)
// ... and a free-mail provider name appears somewhere in the same text.
// NOTE(review): this is a substring check anywhere in the body for each entry
// of $free_email_providers (a list defined outside this rule); it does not
// verify that the address matched above is actually at a free-mail domain.
and any($free_email_providers, strings.icontains(body.current_thread.text, .))