Link: Multistage landing - Published Google Doc

type.inbound
and not sender.email.domain.domain == "google.com"
and length(distinct(filter(body.links,
                           .href_url.domain.domain == "docs.google.com"
                    ),
                    .href_url.url
           )
) < 3
and any(filter(body.links,
               .href_url.domain.domain == "docs.google.com"
               and (
                 any(ml.nlu_classifier(.display_text).entities,
                     .name == "request"
                 )
                 or any(ml.nlu_classifier(.display_text).intents,
                        .name == "cred_theft"
                 )
               )
        ),
        strings.istarts_with(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                             "Published using Google Docs"
        )
        // filter down to links in the document where the display text is suspicious
        and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
                       any(ml.nlu_classifier(.display_text).entities,
                           .name == "request"
                       )
                       or any(ml.nlu_classifier(.display_text).intents,
                              .name == "cred_theft"
                       )
                ),
                (
                  // any of those links domains are new
                  network.whois(.href_url.domain).days_old < 30

                  // go to free subdomains hosts
                  or (
                    .href_url.domain.root_domain in $free_subdomain_hosts
                    // where there is a subdomain
                    and .href_url.domain.subdomain is not null
                    and .href_url.domain.subdomain != "www"
                  )
                  // go to url shortners
                  or .href_url.domain.root_domain in $url_shorteners
                  or .href_url.domain.root_domain in $social_landing_hosts
                  or .href_url.domain.domain in $url_shorteners
                  or .href_url.domain.domain in $social_landing_hosts

                  // go to suspicious TLDs
                  or .href_url.domain.tld in $suspicious_tlds

                  // check for a second stage website that contains a suspicious link
                  // in other words, this LA call is inspecting links in sites on the Google Doc page
                  // we have seen Google Docs -> Google Slides (which this call is inspecting) -> malicious site
                  or any(ml.link_analysis(.href_url).final_dom.links,
                         .href_url.domain.root_domain in $free_file_hosts
                         or .href_url.domain.domain in $free_file_hosts
                         or (
                           .href_url.domain.root_domain in $free_subdomain_hosts
                           // where there is a subdomain
                           and .href_url.domain.subdomain is not null
                           and .href_url.domain.subdomain != "www"
                         )
                         or .href_url.domain.root_domain in $url_shorteners
                         or .href_url.domain.root_domain in $social_landing_hosts
                         or .href_url.domain.domain in $url_shorteners
                         or .href_url.domain.domain in $social_landing_hosts

                         // go to suspicious TLDs
                         or .href_url.domain.tld in $suspicious_tlds
                  )
                )
        )
)
and not (
  length(headers.reply_to) == 1
  and all(headers.reply_to, .email.domain.domain in $org_domains)
)