// Matches inbound messages in which at least one body link carries exactly one
// "mid" or "rid" query parameter whose value is a 7-character token mixing
// letters and digits, excluding a few benign patterns and trusted senders.
type.inbound
// sender's root domain is not in the $tranco_50k list
and sender.email.domain.root_domain not in $tranco_50k
// few body links
and length(body.links) < 20
// Loop over the candidate query parameter names ("mid", "rid"); the script
// linked below is the stated motivation for checking more than one name
// https://github.com/fin3ss3g0d/evilgophish/blob/main/replace_rid.sh
// NOTE(review): inside the inner any(), `..` appears to refer to the outer
// any()'s current element (the parameter name) - confirm against the MQL reference
and any(["mid", "rid"],
any(body.links,
// not a common marketing url rewriter (checked on the root domain and
// anywhere in the full URL, case-insensitively)
not .href_url.domain.root_domain == "vtiger.com"
and not strings.icontains(.href_url.url, "vtiger.com")
// myshopify return tracking numbers: skip links that carry exactly one
// "tracking_number" value alongside exactly one mid/rid value
and not (
length(.href_url.query_params_decoded["tracking_number"]) == 1
and length(.href_url.query_params_decoded[..]) == 1
)
// the mid/rid parameter is present with exactly one value
and length(.href_url.query_params_decoded[..]) == 1
// that value is 7 characters long
and length(.href_url.query_params_decoded[..][0]) == 7
// consists only of letters and digits (imatch: letter case is ignored here)
and regex.imatch(.href_url.query_params_decoded[..][0],
'^[a-z0-9]{7}$'
)
// ...but is not one of the low-entropy shapes below. The percentages are the
// original author's estimates and have not been re-derived in this review.
and not regex.match(.href_url.query_params_decoded[..][0],
// not just numbers - ~0.00046% chance of being all numbers
'^[0-9]{7}$',
// not just lower case letters ~0.31% chance of all lowercase
'^[a-z]{7}$',
// not just upper case letters ~0.31% chance of being all uppercase
'^[A-Z]{7}$',
// a single letter followed by digits has ~0.00151% chance
'^[A-Za-z]\d{6}$'
)
// and not a common value observed in benign samples
and not .href_url.query_params_decoded[..][0] == "Emailer"
// .href_url.query_params_decoded is the wrong type for length
// so count the "=value" pairs in the raw query string instead (each match is
// "=" plus a non-empty value ending at "&" or end of string), and ensure
// there are 3 or fewer
and regex.icount(.href_url.query_params, '=[^\=]+(?:&|$)') <= 3
)
)
// not high trust sender domains: exclude senders on the high-trust list only
// when DMARC passed (a missing DMARC result is treated as false by coalesce)
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
// skip senders whose profile already has messages marked benign
and not profile.by_sender_email().any_messages_benign
Playground
Test against your own EMLs or sample data.