// Inbound message carrying exactly one attachment that is itself an email
// (message/rfc822 or a .eml extension). The nested EML is exploded and any
// QR code inside it that decodes to a URL is sent through link analysis.
// Fires when that URL is judged a credential-phishing page, lands on a
// bot-check / "verify you are human" style gate, or is built through an
// open-redirect encoder — and the QR URL's root domain is not one of ours.
// NOTE(review): the whole rule hinges on ml.link_analysis() resolving the QR
// URL; if the crawl is blocked or times out, only the open_redirect branch
// and the $org_domains check can still contribute — confirm expected FN rate.
type.inbound
and length(attachments) == 1
and any(attachments,
(.content_type == "message/rfc822" or .file_extension =~ "eml")
// explode the attached EML and look at the QR codes found inside it;
// depth > 0 restricts this to objects produced by the explosion, not the
// top-level attachment itself
and any(file.explode(.),
.depth > 0
and .scan.qr.type == "url"
// link analysis of the URL the QR code decodes to; one of the following
// signals is enough
and (
// 1) the crawled page is classified as credential phishing
ml.link_analysis(.scan.qr.url).credphish.disposition == "phishing"
or (
// 2) the final page is a short, bot-check / CAPTCHA-like interstitial —
// the length cap keeps full content pages that merely mention
// "verify" or "human" from matching
strings.ilike(ml.link_analysis(.scan.qr.url).final_dom.display_text,
"*robot*",
"*session check*",
"*verify*",
"*human*"
)
and length(ml.link_analysis(.scan.qr.url).final_dom.display_text
) < 250
)
// 3) the crawl passed through a challenges.cloudflare.com URL whose path
// mentions turnstile (presumably a Cloudflare Turnstile human-
// verification gate placed in front of the landing page)
or any(ml.link_analysis(.scan.qr.url).unique_urls_accessed,
.domain.domain == "challenges.cloudflare.com"
and strings.icontains(.path, "turnstile")
)
// 4) the QR URL is wrapped in an open-redirect encoder
or any(.scan.qr.url.rewrite.encoders,
strings.icontains(., "open_redirect")
)
)
// never fire on QR codes that point back at the organization's own domains
and .scan.qr.url.domain.root_domain not in $org_domains
)
)