// Detection rule (Sublime MQL). Scope: inbound mail sent from the AppSheet
// no-reply address. AppSheet is a legitimate notification service, so the rule
// only fires when one of the abuse signals below is present AND the
// organisation's own legitimate AppSheet use (reply-to at an org domain) is not
// detected. All signals are gated on the fixed sender address, so mail from
// other senders is never evaluated past the second line.
type.inbound
and sender.email.email == "noreply@appsheet.com"
and (
// recently registered or suspicious links
// Only links whose root domain is not appsheet.com are examined; each such
// link is checked for a young WHOIS age, free file / subdomain hosting, or a
// URL shortener.
(
any(filter(body.links, .href_url.domain.root_domain != "appsheet.com"),
// 10 days is the "recently registered" threshold. NOTE(review): days_old may be
// null when WHOIS data is unavailable — confirm how the engine treats a null
// comparison here (it appears to be relied on evaluating false).
network.whois(.href_url.domain).days_old <= 10
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.domain in $free_subdomain_hosts
or .href_url.domain.root_domain in $url_shorteners
// account for URL rewrites
// A rewritten / redirecting link may carry the real destination in a `domain`
// query parameter; every decoded value is matched against the same host lists.
or (
any(.href_url.query_params_decoded['domain'],
(
. in $url_shorteners
or . in $free_subdomain_hosts
or . in $free_file_hosts
)
)
)
)
)
// suspicious display name
// Either a legal / enforcement themed word, or a Unicode blank confusable that
// is commonly used to pad or disguise a display name. regex.icontains is
// case-insensitive and matches if any of the supplied patterns is found.
or (
regex.icontains(sender.display_name,
'(?:legal|misuse|compliance|violation|enforcement)',
// unicode blank character confusables in display name
'\x{00A0}|\x{1680}|\x{2000}|\x{200A}|\x{200B}|\x{202F}|\x{205F}|\x{3000}'
)
// commonly impersonated brands
// Confusables are normalised first so homoglyph spellings still match.
or strings.ilike(strings.replace_confusables(sender.display_name),
'*Apple*',
'*Amazon*',
'*Binance*',
'*Facebook*',
'*Meta*',
'*Google*',
'*LinkedIn*'
)
)
// suspicious pattern in body
// Policy-violation / enforcement lures. Note the alternation: "Violation",
// "Contravention", "Complaint" and "Misuse" match on their own, not only after
// a policy noun, so this branch is deliberately broad and relies on the sender
// gate above to keep false positives down.
or regex.icontains(body.current_thread.text,
'(?:(Copyright|Advertising|Content|Data|Intellectual Property|I\.?\s?P\.?\b) (?:Polic(y|ies))|Violation|Contravention|Complaint|Misuse)|(?:(Enforce(ment)?|Required|Mandatory|Immediate) (?:Action|Response))|Cease (\&|and) Desist'
)
// NLU failsafe
// Catch-all for lures the static patterns miss: any medium/high-confidence
// credential-theft, PII-theft or job-scam intent from the NLU classifier.
or (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name in~ ("cred_theft", "steal_pii", "job_scam")
and .confidence in~ ("medium", "high")
)
// negate the NLU result if there is only a single link leading back to AppSheet (likely benign)
and not (
length(body.links) == 1
and any(body.links,
.display_text == "Powered by AppSheet"
and .href_url.domain.root_domain == "appsheet.com"
)
)
)
)
// negate legitimate use of AppSheet within the org
// NOTE(review): Reply-To is set by the message author and is not authenticated,
// so a reply-to at an org or recipient domain is an untrusted signal; this
// suppression can be satisfied by whoever composed the message. Weigh it
// against the strength of the signals above before relying on it alone.
and not (
// NOTE(review): length() of a list yields a number, so `is not null` is likely
// true whenever a Reply-To header exists; `> 0` may be the intended guard.
// Harmless as written, since an empty list makes the any() below false anyway.
length(headers.reply_to) is not null
and any(filter(headers.reply_to, .email.domain.root_domain != "appsheet.com"),
.email.domain.root_domain in~ $org_domains
or .email.domain.root_domain in~ $recipient_domains
)
)