// Flags inbound messages that solicit an employer/workplace review or rating and pair
// that request with either a credential prompt or a monetary incentive.
// Every top-level clause below is joined with `and`, so all of them must hold for a match.
type.inbound
// credential theft or scam intent: at least one NLU intent for the current thread text
// is named "cred_theft" or "job_scam" and its confidence is anything other than "low"
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("cred_theft", "job_scam") and .confidence != "low"
)
// employer/workplace review solicitation phrasing
// (case-insensitive; one matching pattern is enough). In order, the patterns cover:
//   - "rate [your] employer|workplace|job"
//   - "review [your] experience at|with your|the " (a whitespace character must follow)
//   - "employer|workplace|job review|rating|feedback"
//   - "leave [a] review|rating" followed within 40 characters by employer|workplace|job
//   - a review-site brand name followed within 40 characters by review|rate|rating|feedback
and regex.icontains(body.current_thread.text,
'\brate\s+(?:your\s+)?(?:employer|workplace|job)\b',
'\breview\s+(?:your\s+)?(?:experience\s+(?:at|with)\s+(?:your|the)\s)',
'\b(?:employer|workplace|job)\s+(?:review|rating|feedback)\b',
'\bleave\s+(?:a\s+)?(?:review|rating).{0,40}(?:employer|workplace|job)',
'(?:glassdoor|comparably|great\s+place\s+to\s+work|kununu|jobcase).{0,40}(?:review|rate|rating|feedback)'
)
// the solicitation must also carry a lure: a credential prompt OR a monetary incentive
and (
// credential harvesting: an action verb (enter/provide/confirm/verify) near a credential
// noun in either order, or a "verify your identity|eligibility|account|profile" request
regex.icontains(body.current_thread.text,
'(?:enter|provide|confirm|verify).{0,40}(?:password|credentials|login|email\s+and\s+password)',
'verify\s+your\s+(?:identity|eligibility|account|profile)',
'(?:password|credential|login).{0,30}(?:enter|provide|confirm|verify|required)'
)
// or monetary incentive: gift card wording, an amount near an earn/claim verb or a reward
// noun, or "token of [our] appreciation|thanks|gratitude".
// The two amount patterns require $, € or £ immediately followed by digits.
or regex.icontains(body.current_thread.text,
'gift.?card',
'(?:receive|earn|get|claim).{0,30}[\$€£]\d+',
'[\$€£]\d+.{0,30}(?:gift|reward|credit|incentive|voucher|bonus|prize)',
'token\s+of\s+(?:our\s+)?(?:appreciation|thanks|gratitude)'
)
)
// negating legitimate/trusted employer review/rating senders.
// The exemption applies only when BOTH hold: the sender's root domain is trusted (listed
// below or in $high_trust_sender_root_domains) AND DMARC passed. A message that claims one
// of these domains without a DMARC pass is therefore still evaluated by the rule.
// NOTE(review): the body and subject patterns name glassdoor, and the subject pattern also
// names indeed and linkedin, but none of their domains is in the literal list below.
// Presumably they are covered by $high_trust_sender_root_domains. Confirm against that list.
and not (
(
sender.email.domain.root_domain in (
'comparably.com',
'greatplacetowork.com',
'builtin.com',
'lensa.com',
'ziprecruiter.com',
'kununu.com',
'jobcase.com',
'trustpilot.com'
)
or sender.email.domain.root_domain in $high_trust_sender_root_domains
)
// coalesce(..., false) treats a missing DMARC result as "did not pass"
and coalesce(headers.auth_summary.dmarc.pass, false)
)
// subject cites employer review / rating / feedback context.
// One matching pattern is enough, and several are single generic words (e.g. "job",
// "experience", "company"), so this clause narrows little on its own and relies on
// the body conditions above for precision.
and regex.icontains(subject.subject,
'\breview\b',
'\brating\b',
'\brate\b',
'\bfeedback\b',
'\btestimonial\b',
'\b(?:employer|workplace|company|employee|job)\b',
'\b(?:glassdoor|indeed|linkedin|comparably|great\s+place\s+to\s+work|built\s?in|lensa|ziprecruiter|kununu|jobcase|trustpilot)\b',
'\bexperience\b',
'\bsurvey\b',
'\bopinion\b'
)