type.inbound
// single file/directory under wp-admin which doesn't contain a .
and any(body.links,
regex.icontains(.href_url.path, '^/wp-admin/[^/\.]+/?$')
// domain is not the same as the sender domain
and .href_url.domain.root_domain != sender.email.domain.root_domain
)
and not (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
// website security companies that send reports via email
or sender.email.domain.root_domain in ('imperva.com', 'urllo.com')
)
and coalesce(headers.auth_summary.dmarc.pass, false)
)
Playground
Test against your own EMLs or sample data.