type.inbound
and 0 < length(body.links) < 15
and length(recipients.to) == 1
and recipients.to[0].email.domain.valid
and (
// portuguese tax document phrases
regex.icontains(body.current_thread.text,
'(?:documento fiscal|documento tributário|documento de imposto|documento de impostos|formulário fiscal|declaração de imposto|declaração de impostos|declaração fiscal|documentação fiscal|comprovante fiscal|certidão fiscal|certificado fiscal|registro fiscal|comprovativo fiscal)'
)
// spanish tax document phrases
or regex.icontains(body.current_thread.text,
'(?:Acessar Documento|Documento Fiscal|documento tributario|documento de impuestos|comprobante fiscal|constancia fiscal|declaración de impuestos|formulario fiscal|documentación fiscal|registro fiscal|certificado fiscal)'
)
)
// suspicious domains
and any(body.links,
.parser == 'hyperlink'
and (
.href_url.domain.domain in $url_shorteners
or .href_url.domain.root_domain in $url_shorteners
or .href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.domain in $free_subdomain_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
or .href_url.domain.domain in $self_service_creation_platform_domains
or .href_url.domain.root_domain in $self_service_creation_platform_domains
or network.whois(.href_url.domain).days_old < 30
)
and not .href_url.domain.root_domain in ('sharepoint.com', 'box.com')
)
// subject fields
and regex.icontains(subject.base, '(?:nf|\b[0-9]{7,10}\b|nota fiscal)')
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
Playground
Test against your own EMLs or sample data.