type.inbound
// All attachments are images or 0 attachments
and (
(length(attachments) > 0 and all(attachments, .file_type in $file_types_images))
or length(attachments) == 0
)
and sender.email.domain.root_domain not in $org_domains
// negate auth'ed google messages
and not (
sender.email.domain.sld == "google"
and sender.email.local_part in ("googlealerts-noreply", "comments-noreply")
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
)
// not a reply
and (
length(headers.references) == 0
or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
// With a Google Redirect
and any(body.links,
(
.href_url.domain.sld == "google"
and .href_url.path == "/url"
and regex.contains(.href_url.query_params, "hl=.{2}&q=http(s)?://")
)
or any(.href_url.rewrite.encoders, . == 'google_open_redirect')
)
and 2 of (
// Not a google logo
any(attachments,
.file_type in $file_types_images
and (
any(ml.logo_detect(.).brands, not strings.starts_with(.name, "Google"))
or any(ml.logo_detect(file.message_screenshot()).brands,
not strings.starts_with(.name, "Google")
)
)
),
// Body analysis - NLU - Credential theft
(
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in~ ("medium", "high")
)
),
// Image analysis - NLU - Credential theft language
(
any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft")
)
)
),
// Content analysis - Body - Urgency
(
any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
),
// White font is found in html raw
(
length(body.html.display_text) < 500
and regex.icontains(body.html.raw,
'<div style="color: #fff(fff)?.[^<]+<\/div><\/div><\/body><\/html>$'
)
)
// domains using .app matching this pattern observed abusing google's redirect
or regex.icontains(sender.email.domain.domain, '[a-z]{3,}\.\d{5,}[^\.]+\.app$')
)
Playground
Test against your own EMLs or sample data.