// Detection rule source (MQL). Read top-down, the rule fires when:
//   the message is inbound
//   AND at least one body link is a Trello board URL (trello.com root domain, path "/b/...")
//   AND for that link, EITHER
//     (1) its display text looks like a lure AND the sender is unsolicited and new/outlier, OR
//     (2) link analysis of the board returns Trello JSON with one of the signals listed below.
// NOTE(review): only the rule body is visible here; name, severity, tags and any
// attack_type / tactics metadata live outside this view.
type.inbound
and any(filter(body.links,
// match on the registrable domain and the board path prefix "/b/"; card links ("/c/")
// are not in scope for this rule
.href_url.domain.root_domain == "trello.com"
and strings.istarts_with(.href_url.path, "/b/")
),
// Branch (1): judge the link from its display text alone. It is placed first on purpose:
// when it matches, the `or` short-circuits and the ml.link_analysis() branch below
// (presumably the expensive part, since it fetches the board) is never evaluated.
// avoid doing LinkAnalysis if the display-text has strong indications of phishing
(
// replace confusables - observed ITW (look-alike characters substituted into the lure
// text to defeat a plain keyword match); the match is case-insensitive
regex.icontains(strings.replace_confusables(.display_text),
'review|proposal|document|efax|restore|[o0]pen|secure|messaging|reset|account|verify|login|notification|alert|urgent|immediate|access|support|\bupdate\b|download|attachment|service|payment|remittance|invoice|rfp|rfi|pdf|doc'
)
// "customer service" would otherwise hit on "service"; carve it out as a benign phrase
and not regex.icontains(strings.replace_confusables(.display_text),
'customer service'
)
// keyword hits alone are weak evidence; require an unsolicited sender whose prevalence
// is 'new' or 'outlier' (note: this uses profile.by_sender_email(), not profile.by_sender())
and (
not profile.by_sender_email().solicited
and profile.by_sender_email().prevalence in ('new', 'outlier')
)
)
// Branch (2): crawl the board link and inspect the Trello JSON in additional_responses.
// NOTE(review): every additional_responses entry is treated as the board document;
// if an entry has no 'cards' key, length(.json['cards']) is evaluated against null —
// confirm how the engine resolves "null < 4" before relying on that sub-check.
or any(ml.link_analysis(.).additional_responses,
// less than 4 cards on the Trello board (presumably a throwaway board created for the lure)
length(.json['cards']) < 4
or any(.json['cards'],
// suspicious link in a card title: the card's 'name' is parsed as a URL and, when it has a
// valid domain, that URL is itself submitted to link analysis
(
strings.parse_url(.['name']).domain.valid
and (
// credential-phishing verdict on the card's URL
ml.link_analysis(strings.parse_url(.['name'])).credphish.disposition == "phishing"
// a CAPTCHA was encountered while crawling the card's URL
or ml.link_analysis(strings.parse_url(.['name'])).credphish.contains_captcha
// CF Turnstile: a Cloudflare challenge page was among the URLs accessed during the crawl
// (commonly placed in front of phishing pages to keep automated scanners out)
or any(ml.link_analysis(strings.parse_url(.['name'])).unique_urls_accessed,
.domain.domain == "challenges.cloudflare.com"
)
)
)
// Trello detected a malicious card attachment (badges.maliciousAttachments is a count)
or .['badges']['maliciousAttachments'] > 0
)
// Trello has blocked the user account of any member of the board
or any(.json['members'], .['activityBlocked'] == true)
// the board has exactly one membership and that member is the admin, i.e. a solo-owned
// board rather than a shared team board (the comment "sole member of their Trello account"
// refers to this board-level memberships list, not to the Trello account as a whole)
or (
length(.json['memberships']) == 1
and all(.json['memberships'], .['orgMemberType'] == "admin")
)
)
)