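// Credential phishing via links on .ru/.su infrastructure:
// inbound message from a .ru/.su header domain, NLU credential-theft language,
// a small number of links, and at least one link that link analysis ties to
// credential phishing; suppressed for solicited senders and for highly
// trusted sender domains that pass DMARC.
type.inbound
// any domain seen in the headers sits on a .ru or .su TLD
and any(headers.domains, .tld in ("ru", "su"))
// NLU classifier finds credential-theft intent in the current thread text
// with at least medium confidence
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in ("medium", "high")
)
// between 1 and 4 links (0 and 5+ are excluded)
and 0 < length(body.links) < 5
// at least one link is tied to credential phishing by link analysis
and any(body.links,
        // link analysis disposition is phishing
        beta.linkanalysis(., mode="aggressive").credphish.disposition == "phishing"
        // or the final page DOM contains the literal "Pàsswórd" (case-insensitive)
        // and the page shows a login form or a captcha
        // NOTE(review): presumably targets accented/obfuscated spellings of
        // "password" seen on phishing pages — confirm intent with rule author
        or (
            strings.icontains(beta.linkanalysis(., mode="aggressive").final_dom.raw,
                              "Pàsswórd"
            )
            and (
                beta.linkanalysis(., mode="aggressive").credphish.contains_login
                // NOTE(review): the captcha check previously called
                // beta.linkanalysis(.) with the default mode; aligned to
                // mode="aggressive" so both signals come from the same
                // analysis as every other call in this rule — confirm intended
                or beta.linkanalysis(., mode="aggressive").credphish.contains_captcha
            )
        )
        // or the effective (post-redirect) URL lands on a suspicious TLD
        or beta.linkanalysis(., mode="aggressive").effective_url.domain.tld in $suspicious_tlds
)
// sender is unsolicited, or has previously sent malicious or spam messages
and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
    (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        // at least one hop carrying a DMARC result reports a failure
        and any(distinct(headers.hops, .authentication_results.dmarc is not null),
                strings.ilike(.authentication_results.dmarc, "*fail")
        )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)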