type.inbound
// sender is not marked as solicited in the sender profile
and not profile.by_sender().solicited
// the sender root domain is either outside the high-trust list, or inside it
// without a DMARC pass; this is the De Morgan form of the original
// "(in list and not dmarc.pass) or not in list" expression
// NOTE(review): a missing DMARC result counts the same as a failed one here — confirm against the platform's null handling
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and headers.auth_summary.dmarc.pass
)
// some body link path contains a recipient's second-level domain twice
// in consecutive path segments, i.e. "/<sld>/<sld>/"
and any(
  // each distinct recipient sld is checked once
  distinct(map(recipients.to, .email.domain.sld)),
  // `..` is the sld from the outer any(); build "/sld/sld/" and look for it
  // case-insensitively inside the link path
  any(body.links, strings.icontains(.href_url.path, strings.concat("/", .., "/", .., "/")))
)