• Sublime Core Feed
Medium Severity

Service abuse: QuickBooks notification with suspicious comments

Description

This detection rule matches QuickBooks notifications whose comments section contains suspicious keywords.

References

No references.

Sublime Security
Created Dec 16th, 2024 • Last updated Sep 17th, 2025
Source
type.inbound

// Legitimate Intuit sending infrastructure
and sender.email.email == "quickbooks@notification.intuit.com"

// remove payment confirmation messages
and not strings.starts_with(subject.subject, 'Payment confirmation:')
and body.html.raw is not null
// Comments contains suspicious phrases
and (
  // several different templates were commonly observed, run regex for each template
  any([
        html.xpath(body.html,
                   '//span[@id="condensedEmailMessageSectionContentWebPlayer"]'
        ).nodes,
        html.xpath(body.html, '//div[@id="emailContainer"]').nodes,
        html.xpath(body.html, '//table[@width="700"][1]//tr/td').nodes,
        html.xpath(body.html, '//tr[@class="email-header"]').nodes,
        html.xpath(body.html, '//tr[@class="email-center"]').nodes,
        html.xpath(body.html, '//div[@class="mlr22"]').nodes,
        html.xpath(body.html, '//td[@class="itemDesc"]//div').nodes,
        html.xpath(body.html, '//td[@class="shippingContent"]//div').nodes,
        html.xpath(body.html, '//table[@class="shippingAndCustomLayout width100"]').nodes
      ],
      any(.,
          regex.icontains(.inner_text,
                          // subscription, renewals, verifications, etc
                          '(?:your subscription renewal|couldn.?t be processed|trouble renewing subscription|update your details|just update your|continue your subscription|prefer to use EFT|change payment method|verify your account|suspended due to issue|payment declined notice|account needs verification|confirm your billing|immediate action required|failed payment notification|billing information update|service interruption warning|unable to process payment|subscription payment failed|action needed now|update banking information|subscription expiration notice|payment method change|bill\s+to\s+subscriber)',
                          // callback wording
                          'recognize this seller?|For more info.{0,25}Call|To cancel.{0,25}Call|did not authorize',
          )
      )
  )
)
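To see how the rule's body checks behave on real-looking input, the following Python script is an added example (not Sublime's code or the rule's own source). It re-implements the comment-section extraction and phrase matching from the rule above using only the standard library: `xml.etree.ElementTree` stands in for MQL's `html.xpath` (it supports the simple selectors this rule uses but needs well-formed markup, so the two notification samples are constructed XHTML), `re` with `IGNORECASE` stands in for `regex.icontains`, and `rule_matches` approximates the rule's sender, subject and body conditions (the sender comparison is normalised to lowercase here, which is an assumption about MQL's string equality).

```python
"""Stand-in for the QuickBooks notification rule: pull the comment/body
sections out of a notification's HTML and check them against the rule's
phrase lists. Standard library only; the samples are constructed."""
import re
import xml.etree.ElementTree as ET

# Same container selectors as the rule (ElementTree wants a leading ".//").
COMMENT_XPATHS = [
    './/span[@id="condensedEmailMessageSectionContentWebPlayer"]',
    './/div[@id="emailContainer"]',
    './/table[@width="700"][1]//tr/td',
    './/tr[@class="email-header"]',
    './/tr[@class="email-center"]',
    './/div[@class="mlr22"]',
    './/td[@class="itemDesc"]//div',
    './/td[@class="shippingContent"]//div',
    './/table[@class="shippingAndCustomLayout width100"]',
]

# Same phrase lists as the rule, compiled case-insensitively (regex.icontains).
SUSPICIOUS_PATTERNS = [
    # subscription, renewals, verifications, etc
    re.compile(
        r'(?:your subscription renewal|couldn.?t be processed|trouble renewing subscription|'
        r'update your details|just update your|continue your subscription|prefer to use EFT|'
        r'change payment method|verify your account|suspended due to issue|payment declined notice|'
        r'account needs verification|confirm your billing|immediate action required|'
        r'failed payment notification|billing information update|service interruption warning|'
        r'unable to process payment|subscription payment failed|action needed now|'
        r'update banking information|subscription expiration notice|payment method change|'
        r'bill\s+to\s+subscriber)',
        re.IGNORECASE,
    ),
    # callback wording
    re.compile(
        r'recognize this seller?|For more info.{0,25}Call|To cancel.{0,25}Call|did not authorize',
        re.IGNORECASE,
    ),
]

# Constructed sample notifications (well-formed XHTML so ElementTree can parse them).
BENIGN_NOTIFICATION = (
    '<html><body><div id="emailContainer">'
    '<p>Invoice 1001 from Example Co. Message: Thanks for your business!</p>'
    '</div></body></html>'
)
SUSPICIOUS_NOTIFICATION = (
    '<html><body><div id="emailContainer">'
    "<p>Invoice 2044 from Example Co. Message: Your subscription renewal couldn't be "
    'processed. For more info, call our billing team.</p>'
    '</div></body></html>'
)


def comment_sections(html: str) -> list:
    """Inner text of every node matched by any of the template selectors."""
    root = ET.fromstring(html)
    texts = []
    for xpath in COMMENT_XPATHS:
        for node in root.iterfind(xpath):
            texts.append("".join(node.itertext()))  # inner_text equivalent
    return texts


def suspicious_phrases(html: str) -> list:
    """Every phrase from the rule's lists found in a comment section."""
    hits = []
    for text in comment_sections(html):
        for pattern in SUSPICIOUS_PATTERNS:
            match = pattern.search(text)
            if match:
                hits.append(match.group(0))
    return hits


def rule_matches(sender: str, subject: str, html: str) -> bool:
    """Approximation of the rule's top-level conditions."""
    if sender.lower() != "quickbooks@notification.intuit.com":
        return False  # only legitimate Intuit sending infrastructure
    if subject.startswith("Payment confirmation:"):
        return False  # payment confirmations are excluded
    if not html:
        return False  # body.html.raw is not null
    return bool(suspicious_phrases(html))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_NOTIFICATION), ("suspicious", SUSPICIOUS_NOTIFICATION)):
        print(name, rule_matches("quickbooks@notification.intuit.com", "Invoice from Example Co", sample),
              suspicious_phrases(sample))
```

The sender and subject gates matter as much as the phrase list: the same callback wording in a message from any other sender, or under a `Payment confirmation:` subject, does not fire, which keeps the rule scoped to notifications relayed through Intuit's own infrastructure.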