type.inbound
and (
length(recipients.to) > 10
and length(filter(recipients.to,
.email.domain.domain not in $org_domains
and .email.email not in $recipient_emails
and (
.email.domain.valid
or strings.icontains(.display_name, "undisclosed")
)
)
) >= 10
)
and (
strings.ilike(subject.subject,
'*<*script*>*',
'*xss.report*',
'*eval(atob*',
'*<*onload*>*',
'*<*onerror*>*'
)
or strings.ilike(body.current_thread.text,
'*<*script*>*',
'*xss.report*',
'*eval(atob*',
'*<*onload*>*',
'*<*onerror*>*'
)
)
and (
length(body.links) == 0
or (
length(body.links) == 1
and all(body.links, .href_url.domain.domain == "this.id")
)
)
and profile.by_sender().prevalence != "common"
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.