type.inbound
and sender.email.local_part == 'support'
and 1 < length(filter(body.current_thread.links,
not regex.icontains(.href_url.url,
'\.(pdf|doc|docx|csv|xls|xlsx|ppt|pptx)'
)
)
) <= 5
and all(body.current_thread.links,
.href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.domain in $free_file_hosts
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == 'cred_theft' and .confidence != 'low'
)
and any(ml.nlu_classifier(body.current_thread.text).topics,
.name == 'File Sharing and Cloud Services' and .confidence != 'low'
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
Playground
Test against your own EMLs or sample data.