// Inbound message with a short body and few links, where exactly one link is
// labelled with the message subject and either that link (on visit) or the
// body text is classified as credential theft. Every `and` clause below must
// hold; ML calls (link_analysis, nlu_classifier) are deliberately placed last
// so the cheap structural checks gate them.
type.inbound
// short body
and length(body.current_thread.text) < 1500
// suspicious recipient patterns (any one of the three alternatives)
and (
// the single To: recipient's address is quoted inside the body text
(
length(recipients.to) == 1
and all(recipients.to,
strings.icontains(body.current_thread.text, .email.email)
)
)
// the sender addressed the message to themselves
or sender.email.email in map(recipients.to, .email.email)
// at least one To: recipient has an invalid domain (generally undisclosed
// recipients). NOTE: `not all(...)` means "at least one invalid", not "none
// valid"; with an empty recipients.to this presumably evaluates false — confirm.
or not all(recipients.to, .email.domain.valid)
)
// few overall links
and length(body.links) < 10
// none of the links look like list-management (unsubscribe / opt-out) links,
// and none point at Google confidential mode, which legitimately renders the
// subject as a link
and not any(body.links,
strings.icontains(.display_text, 'unsub')
or strings.icontains(.href_url.url, 'unsub')
or strings.icontains(.display_text, 'optout')
or strings.icontains(.href_url.url, 'optout')
or strings.icontains(.display_text, 'subscription')
// google confidential email use the subject as a link
or .href_url.domain.domain == "confidential-mail.google.com"
)
// between 1 and 3 links remain after dropping the ones that are ...
and 0 < length(filter(body.links,
// ... on the sender's root domain
.href_url.domain.root_domain != sender.email.domain.root_domain
// ... on any To: recipient's root domain (`..` refers to the link being
// filtered, one scope out from the recipient)
and not any(recipients.to,
.email.domain.root_domain == ..href_url.domain.root_domain
)
// ... social-network links common in signatures
and not .href_url.domain.root_domain in (
"facebook.com",
"instagram.com",
'twitter.com',
'x.com'
)
// ... without display text (TP samples carry the subject as display text;
// bare signature URLs usually do not), which drops most signature domains
and .display_text is not null
// ... the aka.ms links used in warning banners
and not .href_url.domain.domain == "aka.ms"
)
) <= 3
// exactly one link whose display text equals the subject (`=~` is
// case-insensitive). NOTE: this filter is not narrowed by the sender/recipient
// domain exclusions above, so a same-domain link can satisfy it.
and length(filter(body.links, subject.subject =~ .display_text)) == 1
and (
// that subject-labelled link ...
any(filter(body.links, subject.subject =~ .display_text),
// ... is classified as credential phishing when visited
ml.link_analysis(.).credphish.disposition == "phishing"
// ... or the crawled page's text is exactly this human-verification
// prompt (exact, case-sensitive string match; brittle if the wording varies)
or ml.link_analysis(.).final_dom.display_text == "Verify you are human"
// ... or is hosted on a self-service site builder or a URL shortener
or .href_url.domain.root_domain in $self_service_creation_platform_domains
or .href_url.domain.domain in $self_service_creation_platform_domains
or .href_url.domain.domain in $url_shorteners
)
// ... or the body itself is classified as credential theft
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft"
)
)
// the subject appears verbatim among the link display texts.
// NOTE(review): `in` is case-sensitive while the `=~` checks above are not, so
// a display text differing from the subject only by case passes the earlier
// checks but fails here — confirm this tightening is intended.
and subject.subject in map(body.links, .display_text)
// exclude subjects typical of legitimate signup / verification / password-reset
// mail, where the subject is routinely repeated as the call-to-action link
and not (
strings.icontains(subject.subject, 'confirm')
or strings.icontains(subject.subject, 'activate')
or strings.icontains(subject.subject, 'reset')
or strings.icontains(subject.subject, 'unlock')
or strings.icontains(subject.subject, 'login')
or strings.icontains(subject.subject, 'log in')
)