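// Zoom-meeting lure: an inbound, first-contact message with Zoom meeting
// language and hidden recipients, whose links are neither genuine Zoom join
// links nor Sublime-rewritten ones, and where at least one link has a risky
// TLD or a landing page that looks like credential phishing.
type.inbound
and length(body.previous_threads) == 0
// the NLU classifier must return exactly one topic, and it must be an
// event/webinar or software-update topic with better than low confidence
and length(ml.nlu_classifier(body.current_thread.text).topics) == 1
and all(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Events and Webinars", "Software and App Updates")
        and .confidence != "low"
)
// Zoom meeting language
and strings.ilike(body.current_thread.text,
                  "*zoom meeting*",
                  "*meeting ID*",
                  "*participants*"
)
// suspicious recipients pattern
and (
  any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
  or length(recipients.to) == 0
)
// suspicious link
// no link is a real Zoom join link: a Zoom domain (or, presumably, a
// link-rewriting wrapper domain - confirm) carrying a non-null "pwd" query param
and not any(body.links,
            .href_url.domain.root_domain in (
              "zoom.us",
              "zoom.com",
              "emailprotection.link"
            )
            and any(.href_url.query_params_decoded['pwd'], . is not null)
)
// at least one link is risky by TLD or by what its landing page does
and (
  any(body.links,
      .href_url.domain.tld in $suspicious_tlds
      // country code second-level domain
      or strings.istarts_with(.href_url.domain.tld, "com.")
      or (
        (
          length(ml.link_analysis(.).files_downloaded) > 0
          // Zoom logo on page
          or ml.link_analysis(.).credphish.brand.name == "Zoom"
          // blocked by a Cloudflare CAPTCHA
          or strings.icontains(ml.link_analysis(.).final_dom.raw,
                               'https://challenges.cloudflare.com/turnstile/',
          )
        )
        // ...and the page does not end up on a Zoom domain after redirects
        and ml.link_analysis(.).effective_url.domain.root_domain not in (
          "zoom.us",
          "zoom.com"
        )
      )
  )
)
// negate auto-generated meeting summaries
and not (
  strings.icontains(body.current_thread.text, "meeting summary")
  and strings.icontains(body.current_thread.text,
                        "AI-generated content may be inaccurate or misleading."
  )
)
// negate genuine replies/forwards. Grouped explicitly: `and` binds tighter
// than `or`, so without the parentheses a reply-style subject alone would
// satisfy the exclusion and the thread-header evidence (References /
// In-Reply-To) would only ever be required for forwards.
and not (
  (
    subject.is_reply
    or subject.is_forward
  )
  and (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
)
// Not from a legitimate Zoom domain (the sender exclusion only applies when
// DMARC passes, so a spoofed Zoom sender does not suppress the rule)
and not (
  sender.email.domain.root_domain in (
    "zoom.us",
    "zuora.com",
    "zoomgov.com",
    "zoom.com",
    "zoom-x.de"
  )
  and headers.auth_summary.dmarc.pass
)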