type.inbound
// CTA link with action-oriented display text pointing to a different domain than the sender
and any(body.current_thread.links,
regex.icontains(.display_text,
'(?:open|sign.?in|log.?in|retain|credential|secure|confirm|accept|release|document)'
)
and .href_url.domain.root_domain != sender.email.domain.root_domain
)
// tall rendered email with low word density
and beta.parse_exif(file.message_screenshot()).image_height > 1500
and beta.parse_exif(file.message_screenshot()).image_height * 100 / regex.count(body.html.display_text,
'\S+'
) > 500
// html whitespace stuffing patterns
and (
// bare div-br blocks repeated 30+ times
regex.icontains(body.html.raw, '(?:<div>\s*<br\s*/?\s*>\s*</div>\s*){30,}')
// style div-br blocks repeated 20+ times
or regex.icontains(body.html.raw,
'(?:<div\s+style="[^"]+"\s*[^>]*>\s*<br\s*/?\s*>\s*</div>\s*){20,}'
)
// p-nbsp blocks repeated 25+ times
or regex.icontains(body.html.raw,
'(?:<p>\s*(?: | )\s*</p>\s*){25,}'
)
// css margin-top pushdown >= 1500px
or (
regex.icontains(body.html.raw,
'margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
)
and not regex.icontains(body.html.raw,
'position\s*:\s*absolute[^"]*margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
)
and not regex.icontains(body.html.raw,
'margin-left\s*:\s*\d{3,}px[^"]*margin-top\s*:\s*(?:1[5-9]\d{2}|[2-9]\d{3}|\d{5,})px'
)
)
)
Playground
Test against your own EMLs or sample data.