type.inbound
and any(body.links,
.href_url.domain.root_domain == "issuu.com"
and .href_url.query_params == "fr=xKAE9_zU1NQ" // opens the document full screen
// suspicious link in the Issuu document
and (
any(filter(ml.link_analysis(., mode="aggressive").additional_responses,
strings.icontains(.url.path, "/links/")
),
// less than 3 links in the Issuu document
length(.json["1"]) < 3
and any(.json["1"],
strings.parse_url(.["url"]).domain.tld in $suspicious_tlds
or strings.parse_url(.["url"]).domain.domain in $free_subdomain_hosts
or strings.parse_url(.["url"]).domain.root_domain in $free_subdomain_hosts
or ml.link_analysis(strings.parse_url(.["url"])).credphish.disposition == "phishing"
)
)
// or, credential phishing language on the page
or any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.,
mode="aggressive"
).screenshot
).text
).intents,
.name == "cred_theft" and .confidence != "low"
)
)
)
and not profile.by_sender_email().any_messages_benign
Playground
Test against your own EMLs or sample data.