Link: Abused Adobe Express

type.inbound
and any(filter(body.links,
               // the link is a new.express.adobe.com page
               .href_url.domain.domain == "new.express.adobe.com"
               and strings.starts_with(.href_url.path, "/webpage/")
        ),
        // filter down the links on express.adobe.com page to those that are external to adobe
        // check that the length of external links is reasonable
        length(distinct(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                               // filter any links on the adobe express page which are
                               // on express.adobe.com
                               .href_url.domain.domain != 'new.express.adobe.com'
                               // or www.adobe.com (privacy page/report abuse/etc)
                               and .href_url.domain.domain != 'www.adobe.com'
                               // relative links (no domains)
                               and .href_url.domain.domain is not null
                        ),
                        .href_url.domain.domain
               )
        ) <= 10
        and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                       // filter any links on the adobe express page which are
                       // on express.adobe.com
                       .href_url.domain.domain != 'new.express.adobe.com'
                       // or www.adobe.com (privacy page/report abuse/etc)
                       and .href_url.domain.domain != 'www.adobe.com'
                       // relative links (no domains)
                       and .href_url.domain.domain is not null
                ),
                (
                  // any of those links domains are new
                  network.whois(.href_url.domain).days_old < 30

                  // go to free file hosts
                  or .href_url.domain.root_domain in $free_file_hosts
                  or .href_url.domain.domain in $free_file_hosts

                  // go to free subdomains hosts
                  or (
                    .href_url.domain.root_domain in $free_subdomain_hosts
                    // where there is a subdomain
                    and .href_url.domain.subdomain is not null
                    and .href_url.domain.subdomain != "www"
                  )
                  // go to url shortners
                  or .href_url.domain.root_domain in $url_shorteners
                  or .href_url.domain.root_domain in $social_landing_hosts
                  or .href_url.domain.domain in $url_shorteners
                  or .href_url.domain.domain in $social_landing_hosts
                  or (
                    // find any links that mention common "action" words
                    regex.icontains(.display_text,
                                    '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
                    )
                    and (
                      // and when visiting those links, are phishing
                      ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"

                      // hit a captcha page
                      or ml.link_analysis(., mode="aggressive").credphish.contains_captcha

                      // or the page redirects to common website, observed when evasion happens
                      or (
                        length(ml.link_analysis(., mode="aggressive").redirect_history
                        ) > 0
                        and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
                      )
                    )
                  )
                )
        )
)
and profile.by_sender().prevalence != "common"