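// Cloud-themed credential theft lure: the body opens with "Cloud" (or a cloud
// emoji), NLU classifies the thread as high-confidence credential theft on a
// cloud-storage / payment / financial topic, and every body link points away
// from the sender's own root domain. The trailing `not (...)` clauses carve
// out known legitimate senders.
type.inbound
// body text or rendered HTML starts with "Cloud" (case-sensitive) or contains
// "Cloud+ " (case-insensitive)
and (
  any([body.current_thread.text, body.html.inner_text],
      strings.starts_with(., 'Cloud') or strings.icontains(., "Cloud+ ")
  )
  // or the current thread starts with the cloud emoji (U+2601)
  or regex.contains(body.current_thread.text, '^\x{2601}')
)
// NLU: high-confidence credential theft intent
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == 'cred_theft' and .confidence == 'high'
)
// NLU: cloud-storage, payment or financial topic at any confidence other than 'low'
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in (
          'File Sharing and Cloud Services',
          'Payment Information',
          'Financial Communications'
        )
        and .confidence != 'low'
)
// require at least one non-mailto link with a resolvable root domain;
// links to oracle.com do not count toward this requirement
and length(filter(body.links,
                  .href_url.scheme != 'mailto'
                  and .href_url.domain.root_domain is not null
                  and .href_url.domain.root_domain != 'oracle.com'
           )
    ) > 0
// and none of the non-mailto links points back at the sender's own root domain
// (a null sender domain becomes "" so the comparison still holds)
and all(filter(body.links,
               .href_url.scheme != 'mailto'
               and .href_url.domain.root_domain is not null
        ),
        .href_url.domain.root_domain != coalesce(sender.email.domain.root_domain, "")
)
// negate legit cloud companies
and not (
  coalesce(sender.email.domain.root_domain, "") in (
    "cloud-cme.com",
    "cloudcounting.online",
    "cloudhealthtech.com",
    "cloudpano.com"
  )
  // check for SPF or DMARC passed; coalesce so a missing result counts as a
  // failure, consistent with the DMARC checks below
  // NOTE(review): this exclusion accepts an SPF pass alone, unlike the
  // DMARC-only exclusions below; confirm that is intended
  and (
    coalesce(headers.auth_summary.spf.pass, false)
    or coalesce(headers.auth_summary.dmarc.pass, false)
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
// negate Spark Cloud Attachments: the first hop (index 0) carries the Spark
// cloud-attachment header with a value
and not any(headers.hops,
            .index == 0
            and any(.fields,
                    .name == "X-Readdle-Spark-Cloud-Attachment"
                    and .value is not null
            )
)
// negate this specific iCloud sender when it passes DMARC
and not (
  sender.email.email == "noreply@icloud.com.cn"
  and coalesce(headers.auth_summary.dmarc.pass, false)
)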