type.inbound
and any(body.links,
strings.iends_with(.href_url.path, '.svg')
and any(recipients.to,
.email.domain.valid
// contained in the url
and (
strings.icontains(..href_url.url, .email.email)
// or contains the base64 endcoded email
or any(strings.scan_base64(..href_url.url,
format="url",
ignore_padding=true
),
strings.icontains(., ..email.email)
)
)
)
)
Playground
Test against your own EMLs or sample data.