// Matches inbound messages with a body link whose URL fragment contains "Family="
// and also carries an email address (plain, base64, double base64, or hex-looking)
// or leftover template markers.
// Note: URL fragments are not sent in HTTP requests, so the value is visible in the
// link inside the message rather than in web server request logs.
type.inbound
and any(body.links,
// fragment contains "Family=" (case-insensitive); the "rn" alternative also
// matches the look-alike spelling "Farnily="
regex.icontains(.href_url.fragment, 'Fa(?:m|rn)ily=')
// the href_url fragment contains a base64 encoded email address whose domain parses as valid
and (
any(strings.scan_base64(.href_url.fragment, ignore_padding=true),
strings.parse_email(.).domain.valid
// double base64 encoded: scan each decoded result again and test what comes out
or any(strings.scan_base64(., ignore_padding=true),
strings.parse_email(.).domain.valid
)
)
// otherwise capture the value after "Family=" (everything up to the next '&') as
// email_addy and test it below
// NOTE(review): `$?` in this pattern is unescaped, so as written it is an optional
// end anchor; if an optional literal '$' before the value was intended it would
// need escaping - confirm against the upstream rule
or any(regex.iextract(.href_url.fragment,
'Fa(?:m|rn)ily=$?(?P<email_addy>[^&]+)'
),
// plain text email addresses
strings.parse_email(.named_groups["email_addy"]).domain.valid
// observed hex encoded email address in addition to the base64 encoded ones:
// '40' and '2e' are the hex byte values of '@' and '.', and a hex string has an
// even number of characters
// NOTE(review): heuristic only - nothing here checks that the value consists solely
// of hex digits, so any even-length value containing both substrings passes
or (
strings.icontains(.named_groups["email_addy"], '40')
and strings.icontains(.named_groups["email_addy"], '2e')
and length(.named_groups["email_addy"]) % 2 == 0
)
// sometimes the template messes up: the literal marker 'sf_base64_enc' is left in
// the value (presumably an unrendered placeholder - confirm)
or strings.icontains(.named_groups["email_addy"],
'sf_base64_enc'
)
// messed up in a different way: the captured value itself contains "Family"/"Farnily" again
or regex.icontains(.named_groups["email_addy"],
'Fa(?:m|rn)ily'
)
)
)
)