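// Credential phishing via a QR code inside an image or PDF attachment.
// A message matches only when ALL of the following hold:
//   1. an image/PDF attachment carries a QR code that decodes to a URL, that URL
//      embeds a recipient address (plain or base64-encoded), and its root domain
//      is not one of $org_domains;
//   2. the body is classified as cred_theft with high confidence, OR the attachment
//      text mentions 2FA / QR / MFA / multi-factor authentication;
//   3. the sender is new/outlier, has only ever sent malicious/spam mail, or is an
//      org-domain sender that does not pass DMARC;
//   4. the sender root domain is not high-trust, or is high-trust but fails DMARC.
type.inbound
// check image attachments for QR code, will want to add message.screenshot functionality here when it's ready
// and length(attachments) < 10
and any(attachments,
  (.file_type in $file_types_images or .file_type == "pdf")
  and any(file.explode(.),
    .scan.qr.type == "url"
    // The recipient's email address is embedded in the QR URL - a common
    // credential-phishing tactic (the landing page pre-fills the victim's
    // identity) - and the URL's root domain is not one of $org_domains.
    and (
      any(recipients.to,
        .email.domain.valid
        and (
          strings.icontains(..scan.qr.data, .email.email)
          or (
            // recipient email found base64-encoded inside the QR data
            any(beta.scan_base64(..scan.qr.data, format="url"),
              strings.icontains(., ..email.email)
            )
          )
        )
      )
    )
    and .scan.qr.url.domain.root_domain not in $org_domains
  )
)
// NLU has identified cred_theft language with high confidence
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
    .name == "cred_theft" and .confidence == "high"
  )
  or
  // the attachment text contains MFA / QR lure strings
  (
    any(attachments,
      (.file_type in $file_types_images or .file_type == "pdf")
      and any(file.explode(.),
        any(.scan.strings.strings,
          // "Mul?ti" matches the correct spelling "Multi-Factor Auth..." as well as
          // the misspelling "Muti", which is all the previous pattern accepted.
          // NOTE(review): "MFA" has no \b anchors and the match is case-insensitive,
          // so it also fires inside longer words - confirm that noise is acceptable.
          regex.icontains(.,
            '(\b2fa\b|\bQ.?R\.?\s?\b|MFA|Mul?ti[ -]?Factor Auth(entication)?)'
          )
        )
      )
    )
  )
)
// Sender reputation: unknown/unusual sender, a sender with only bad history,
// or a lookalike of our own domain that is not DMARC-authenticated.
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
  or (
    sender.email.domain.domain in $org_domains
    // coalesce() treats a missing DMARC verdict as a failure here, so an
    // org-domain sender with no DMARC result still satisfies this branch.
    and not coalesce(headers.auth_summary.dmarc.pass, false)
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
// NOTE(review): unlike the org-domain branch above, this does not coalesce a
// missing DMARC verdict, so a high-trust sender with no DMARC result does NOT
// match (null propagates). Confirm that asymmetry is intended.
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)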