type.inbound
// Rule intent: the first link of the current thread is *labelled* like a PDF
// named after the sender's organisation ("<sld><digits>.pdf"), the message has
// no PDF attachment, the body asks the reader to act, and the message is
// addressed to the sender's own address, to an invalid domain, or to nobody.

// No attachment has the file extension "pdf", so any ".pdf" text in the
// message is only a link label, not a real attached document.
and not any(attachments, .file_extension == "pdf")

// Link label check. Only links[0] of the current thread is inspected.
and (
  // Branch 1: the display text ends in "<digits>.pdf", and the text captured
  // before the digits ("starter") is within a case-insensitive Levenshtein
  // distance of 4 (inclusive) of the sender's second-level domain.
  // NOTE(review): the threshold is an absolute 4 and is not scaled to the
  // length of the SLD, so short sender SLDs will be "close" to most short
  // starters. Confirm the false-positive rate for short sender domains.
  any(regex.iextract(body.current_thread.links[0].display_text,
                     '(?P<starter>.*)\b\d+\.pdf$'
      ),
      strings.ilevenshtein(.named_groups["starter"], sender.email.domain.sld) <= 4
  )
  // Branch 2: the display text begins with the sender's SLD and ends in
  // "<digits>.pdf" (exact, case-insensitive prefix instead of a fuzzy match).
  or (
    strings.istarts_with(body.current_thread.links[0].display_text,
                         sender.email.domain.sld
    )
    and regex.icontains(body.current_thread.links[0].display_text,
                        '\b\d+\.pdf$'
    )
  )
)

// Body language check on the current thread text: either the NLU classifier
// reports a "cred_theft" intent whose confidence is anything other than "low",
// or one of its "request" entities contains "please see", "please find",
// "please click", "please view" or "please review".
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence != "low"
  )
  or any(filter(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "request"
         ),
         regex.icontains(.text, 'please (?:see|find|click|(?:re)?view)')
  )
)

// Recipient shape: at most one To recipient, and additionally one of
//   - that recipient's address equals the sender's address (self-addressed),
//   - that recipient's domain is marked as not valid,
//   - To, Cc and Bcc together hold zero recipients.
and (
  length(recipients.to) <= 1
  and (
    sender.email.email == recipients.to[0].email.email
    or recipients.to[0].email.domain.valid == false
    or sum([
             length(recipients.to),
             length(recipients.cc),
             length(recipients.bcc)
           ]
    ) == 0
  )
)