// Matches inbound messages carrying a small number of body links where at
// least one link's URL path contains a "hidden" dot-directory such as
// /.well-known/<dir>/, /.git/, /.env/ or /.htpasswd/, unless the sender is a
// high-trust root domain that passes DMARC.
type.inbound
// at least one link and no more than ten
and 0 < length(body.links) <= 10
// any() is evaluated per link; the leading "." below refers to the current link
and any(body.links,
(
// /.well-known/ alone is not enough; an additional signal is required
// (presumably because the directory itself is commonly legitimate — confirm)
strings.icontains(.href_url.path, "/.well-known/")
and (
// well-known with a directory behind it; the pattern requires a trailing
// slash after the directory name
regex.icontains(.href_url.path, '\/\.well-known\/[^\/]+\/')
// or a fragment (#...) present in the URL
or .href_url.fragment is not null
)
)
// other dot-directories, matched case-insensitively as substrings of the
// path; every literal ends in "/", so a path ending in e.g. "/.git" with no
// trailing slash does not match
or strings.icontains(.href_url.path, "/.js/")
or strings.icontains(.href_url.path, "/.env/")
or strings.icontains(.href_url.path, "/.git/")
or strings.icontains(.href_url.path, "/.svn/")
or strings.icontains(.href_url.path, "/.hg/")
or strings.icontains(.href_url.path, "/.DS_Store/")
or strings.icontains(.href_url.path, "/.htpasswd/")
or strings.icontains(.href_url.path, "/.htaccess/")
or strings.icontains(.href_url.path, "/.bash_history/")
or strings.icontains(.href_url.path, "/.bashrc/")
or strings.icontains(.href_url.path, "/.zshrc/")
or strings.icontains(.href_url.path, "/.profile/")
)
// negate highly trusted sender domains unless they fail DMARC authentication
// ($high_trust_sender_root_domains is a list maintained outside this rule)
and (
(
// high-trust root domain whose DMARC check did not pass: keep the match
// NOTE(review): confirm a missing DMARC result evaluates as "not pass" here
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
// sender is not a high-trust root domain at all
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)