// Detection: inbound messages presenting as "Zoom Docs" share notifications
// (sender root domain zoom.us) where either the document's in-body sharer is
// an external identity unrelated to the recipient org, or the docs.zoom.us
// link leads (after link analysis) to off-platform domains with risky
// traits (newly registered, free file/subdomain hosts, URL shorteners, or
// action-word link text).
// NOTE(review): only the header sender domain is matched below; no
// authentication result is checked here — confirm whether a check is
// intended elsewhere in the rule.
type.inbound
and sender.email.domain.root_domain == "zoom.us"
and strings.ends_with(sender.display_name, "Zoom Docs")
and (
// branch 1: walk every <h2> heading in the HTML body
any(html.xpath(body.html, '//h2').nodes,
// extract the sender email out of the message body
// expected heading shape (from the pattern): "Display Name (user@domain)";
// named groups: sender_display_name, sender_email, sender_domain
any(regex.iextract(.display_text,
'^(?P<sender_display_name>[^\(]+)\((?P<sender_email>[^\)]+@(?P<sender_domain>[^\)]+))\)'
),
// the embedded sharer must be external to the org and not otherwise
// known as a recipient or a sender of this message
.named_groups["sender_domain"] not in $org_domains
and .named_groups["sender_email"] not in $recipient_emails
and .named_groups["sender_email"] not in $sender_emails
// exclude the case where the sharer uses a non-free domain that also
// appears among both the recipient and sender domains (i.e. an
// established, already-seen domain)
and not (
.named_groups["sender_domain"] not in $free_email_providers
and .named_groups["sender_domain"] in $recipient_domains
and .named_groups["sender_domain"] in $sender_domains
)
)
)
// branch 2: follow docs.zoom.us links and inspect where the final page links out to
or any(body.links,
.href_url.domain.domain == "docs.zoom.us"
// keep only links on the analyzed final page that leave zoom.us
and any(filter(ml.link_analysis(., mode="aggressive").final_dom.links,
.href_url.domain.root_domain != 'zoom.us'
and .href_url.domain.domain != 'zoom.us'
),
(
// any of those links domains are new
// NOTE(review): whois data may be unavailable for some domains — confirm
// how a missing days_old value evaluates here
network.whois(.href_url.domain).days_old < 30
// go to free file hosts
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.domain in $free_file_hosts
// go to free subdomains hosts
or (
.href_url.domain.root_domain in $free_subdomain_hosts
// where there is a subdomain
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
)
// go to url shortners
or .href_url.domain.root_domain in $url_shorteners
or .href_url.domain.domain in $url_shorteners
or (
// find any links that mention common "action" words
// icontains is presumably case-insensitive, so the mixed-case
// alternatives ("Validate", "Va[il]idar") are cosmetic; the latter
// covers Spanish/Portuguese "validar"/"vaiidar"-style variants
regex.icontains(.display_text,
'(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
)
)
)
)
)
)