// Detection: an inbound message carrying a body link to a host whose SLD is
// "google" and whose URL path starts with "/amp/", combined with at least one
// phishing signal: a non-Google brand logo in the message, a login form or
// captcha (or a credential-phishing verdict) on the landing page,
// credential-theft language in the landing page's OCR text, "password" in the
// link text, or a recipient's own address embedded in the URL path.
// NOTE(review): presumably targets abuse of Google AMP viewer URLs
// (google.<tld>/amp/...) to front a phishing landing page; nothing below
// parses the destination embedded after "/amp/", so the landing-page and
// ML checks carry the actual phishing decision.
type.inbound
// Any body links with a domain SLD of 'google' and a path starting with /amp/.
// The SLD comparison matches google.com, google.co.uk, etc. (any TLD).
// strings.starts_with carries no "i" prefix, so presumably the path match is
// case-sensitive, unlike the strings.icontains calls further down -- confirm.
and any(body.links,
.href_url.domain.sld == "google"
and strings.starts_with(.href_url.path, "/amp/")
// Brand logo detected in a screenshot of the *message itself* (not the
// landing page) whose detected name is something other than Google
and (
any(ml.logo_detect(file.message_screenshot()).brands,
.name is not null and .name != "Google"
)
// or link analysis finds a login form or a captcha on the landing page
or (
ml.link_analysis(.).credphish.contains_login
or ml.link_analysis(.).credphish.contains_captcha
)
// or link analysis concludes phishing with medium-to-high brand confidence.
// The single-element list binds "." to one analysis result so that both
// credphish fields are read from the same analysis.
or any([ml.link_analysis(.)],
.credphish.disposition == "phishing"
and .credphish.brand.confidence in ("medium", "high")
)
// or NLU detects credential-theft intent (medium/high confidence) in the OCR
// text of the landing-page screenshot; file.explode exposes it as .scan.ocr.raw
or any(file.explode(ml.link_analysis(.).screenshot),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
// or the OCR text shows a browser-check interstitial, i.e. the landing page
// sits behind a bot/captcha challenge that had not finished rendering
or strings.icontains(.scan.ocr.raw, "Checking if the site connection is secure")
)
// or the link display text contains "password" (case-insensitive)
or strings.icontains(.display_text, "password")
// or the link's URL path contains a To: recipient's address. "..href_url"
// steps out to the enclosing body.links item; "." is the recipient. The extra
// clause requires the recipient domain to be valid or the display name to
// mention "undisclosed" -- presumably so undisclosed-recipients placeholders
// still match; confirm intent.
or any(recipients.to, strings.icontains(..href_url.path, .email.email) and (.email.domain.valid or strings.icontains(.display_name, "undisclosed")))
)
)