type.inbound
// ensure the display name contains a space to avoid single named process accounts eg. 'billing, payment'
and strings.contains(sender.display_name, " ")
and sender.display_name in~ $org_display_names
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "bec" and .confidence == "high"
)
or (
(
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "urgency"
)
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
)
)
and not any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "benign" and .confidence == "high"
)
and (
(
// there are intents returned
any(ml.nlu_classifier(body.current_thread.text).intents, true)
// short body that also contains an org display name
or (
length(body.current_thread.text) > 200
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "sender" and .text in~ $org_display_names
)
)
)
and not strings.istarts_with(subject.subject, "fwd:")
)
)
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
or not headers.auth_summary.dmarc.pass
)
// negate org domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $org_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $org_domains
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().any_false_positives
Playground
Test against your own EMLs or sample data.