type.inbound
and 0 < length(body.links) < 10
// Link contains Start Signing
and any(body.links, .display_text == "Start Signing")
// Zoho artifact in html body
and regex.contains(body.html.raw,
'title="Original URL: https:\/\/sign\.zoho\.com\/zsguest\?[^"]*action_type=SIGN\.[^"]*Click or tap if you trust this link\."'
)
// but the Zoho link is not active
and not any(body.links, .href_url.domain.root_domain == "zoho.com")
// and the body thread contains the Sender + recipient domain
and any(recipients.to,
strings.icontains(body.current_thread.text,
strings.concat("Sender\n", .email.domain.domain)
)
)
Playground
Test against your own EMLs or sample data.