type.inbound
and length(body.current_thread.text) < 1250
and any(beta.ml_topic(body.current_thread.text).topics,
.name == "Financial Communications"
)
// there are no links, all the links are to aka.ms, or an extraction from a warning banner that match the senders domain
and (
length(body.links) == 0
or length(filter(body.links,
(
.display_text is null
and .display_url.url == sender.email.domain.root_domain
)
or .href_url.domain.domain == "aka.ms"
or network.whois(.display_url.domain).days_old < 30
)
) == length(body.links)
)
and length(attachments) == 0
and (strings.ilike(subject.subject, "*tax*") or length(subject.subject) < 15)
and strings.icontains(body.current_thread.text, "tax")
and (
strings.like(body.current_thread.text,
"*return*",
"*record*",
"*CPA*",
"*filing*",
"*extension*"
)
or strings.ilike(body.current_thread.text,
"*tax preparer*",
"*tax*processing*"
)
)
and (
strings.ilike(body.current_thread.text,
"*necessary documents*",
"*required documents*",
"*paperwork*",
"*in search of*",
"*tax service*",
"*professional help*",
"*prepare*tax return*",
"*service*tax return*",
"*seeking*tax preparer*",
"*assist*processing*tax*",
"*schedule*call*",
"*zoom meeting*",
"*discuss*fees*",
"*W2*",
"*CPA*"
)
// suspicious patterns
or (
strings.icontains(body.current_thread.text, sender.display_name)
and 2 of (
(
length(headers.reply_to) > 0
and all(headers.reply_to,
.email.domain.root_domain != sender.email.domain.root_domain
)
),
(
headers.return_path.email is not null
and headers.return_path.email != sender.email.email
),
headers.return_path.domain.root_domain in ("amazonses.com")
)
)
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.