type.inbound
and any(body.links,
.href_url.domain.root_domain in~ ("notion.so", "notion.site")
and (
strings.ilike(.href_url.url,
'*shared*',
'*document*',
'*secure*',
'*office*',
'*important*',
'*wants-to*',
'*share*',
'*statement*'
)
or strings.ilike(.display_url.url,
'*shared*',
'*document*',
'*secure*',
'*office*',
'*important*',
'*wants-to*',
'*share*',
'*statement*'
)
or strings.ilike(.display_text,
'*shared*',
'*document*',
'*secure*',
'*office*',
'*important*',
'*wants-to*',
'*share*',
'*statement*'
)
)
)
and sender.email.domain.domain != 'mail.notion.so'
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Playground
Test against your own EMLs or sample data.