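// Inbound mail only.
type.inbound
and (
    // Branch 1: HTML/SVG files attached directly to the message.
    // Each check runs on the text extracted from the attachment.
    any(filter(attachments, .file_type in ("html", "svg")),
        // Three or more `const <name> =` declarations from a fixed set of
        // variable names. The names (challengeForm, securityNotice,
        // verifyingText, ...) read like a fake browser-verification page;
        // TODO confirm against known samples. The duplicated `statusText`
        // alternative was removed; it added nothing to the match.
        regex.count(file.parse_text(.).text,
                    'const (?:urlParts|fakeEvent|progressBar|progressInterval|segments|statusText|securityNotice|statusMessages|challengeForm|challengeRunning|challengeSuccess|successText|verifyingText|encodedTarget|baseDomain|newDynamicParam|statusElement)\s*='
        ) >= 3
        // The baseDomain/port/path trio that the script uses to build its
        // destination URL; all three must be present (case-insensitive).
        or (
            strings.icontains(file.parse_text(.).text, 'const baseDomain')
            and strings.icontains(file.parse_text(.).text, 'const port')
            and strings.icontains(file.parse_text(.).text, 'const path')
        )
        // The `impact?` query prefix or a `<digit>/impact` path fragment
        // embedded in the attachment text (same artefacts as the link
        // branch below).
        or strings.icontains(file.parse_text(.).text, 'impact?')
        or regex.contains(file.parse_text(.).text, '\d/impact')
    )
    // Branch 2: the same checks applied to HTML/SVG attachments nested
    // inside an attached .eml. Keep these predicates identical to Branch 1
    // so the two paths stay in sync.
    or any(filter(attachments,
                  .content_type == "message/rfc822" or .file_extension == "eml"
           ),
           any(filter(file.parse_eml(.).attachments,
                      .file_type in ("html", "svg")
               ),
               regex.count(file.parse_text(.).text,
                           'const (?:urlParts|fakeEvent|progressBar|progressInterval|segments|statusText|securityNotice|statusMessages|challengeForm|challengeRunning|challengeSuccess|successText|verifyingText|encodedTarget|baseDomain|newDynamicParam|statusElement)\s*='
               ) >= 3
               or (
                   strings.icontains(file.parse_text(.).text, 'const baseDomain')
                   and strings.icontains(file.parse_text(.).text, 'const port')
                   and strings.icontains(file.parse_text(.).text, 'const path')
               )
               or strings.icontains(file.parse_text(.).text, 'impact?')
               or regex.contains(file.parse_text(.).text, '\d/impact')
           )
    )
    // Branch 3: links in the message body. Both conditions must hold:
    // an `impact` path/query fragment AND a non-standard HTTPS port
    // (8443 or 2087), which keeps this branch narrow.
    or any(body.links,
           (
               strings.icontains(.href_url.url, "impact?session_")
               or strings.icontains(.href_url.url, "/impact")
           )
           and (
               strings.icontains(.href_url.url, ":8443")
               or strings.icontains(.href_url.url, ":2087")
           )
    )
)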