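// Inbound, unsolicited message sent to a single recipient who is also the sole CC,
// combined with at least one low-effort spam / spoofing signal (short keyword-laden
// body, auth failures, suspicious link text, link-only bodies, or a faked reply thread).
type.inbound
// one recipient and 1 cc
and length(recipients.to) == 1
and length(recipients.cc) == 1
// unsolicited
and not profile.by_sender().solicited
// recipients email matches the cc email
and any(recipients.to, any(recipients.cc, .email.email == ..email.email))
and (
  // body is short with spam keywords (ilike is case-insensitive, so the
  // mixed-case patterns below match regardless of casing)
  (
    length(body.current_thread.text) < 150
    and strings.ilike(body.current_thread.text,
      "*congrat*",
      "*win*",
      "*expired*",
      "*subscription*",
      "*won*",
      "*gift*",
      "*CARTE CADEAU*",
      "*Votre chance*",
      "*survey*",
      "*livraison*",
      "*delivery*",
      "*package*"
    )
  )
  // body is super short
  or length(body.current_thread.text) < 10
  // body has no spaces: only the literal space character is excluded by the
  // class, so a body made of tabs/newlines and one word still matches
  or regex.imatch(body.current_thread.text, '[^ ]+')
  // subject is null
  or subject.subject == ""
  // dmarc failure
  or not headers.auth_summary.dmarc.pass
  // link display text contains suspicious terms (surveymonkey is excluded to
  // avoid matching legitimate survey invitations)
  or any(body.links,
    regex.icontains(.display_text,
      'Congrat|Survey|package|delivery|\bclaim\b'
    )
    and not .href_url.domain.root_domain == "surveymonkey.com"
  )
  // compauth failure on any hop
  or any(headers.hops,
    .authentication_results.compauth.verdict not in (
      "pass",
      "softpass",
      "none"
    )
  )
  // every link either has null display text and points off the sender's domain,
  // or points at a known redirector / link-rewriting domain.
  // length(body.links) > 0 is required: with no links the comparison below is
  // 0 == 0 and this branch would otherwise match every link-less message.
  or (
    length(body.links) > 0
    and length(filter(body.links,
      (
        (
          .display_text is null
          and .href_url.domain.root_domain != sender.email.domain.root_domain
        )
        or .href_url.domain.root_domain in (
          "aka.ms",
          "mimecast.com",
          "mimecastprotect.com",
          "cisco.com"
        )
      )
    )) == length(body.links)
  )
  // fake thread check: subject looks like a reply/forward but the message
  // carries no References and no In-Reply-To header
  or (
    regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:.*')
    and (
      (length(headers.references) == 0 and headers.in_reply_to is null)
      or not any(headers.hops,
        any(.fields, strings.ilike(.name, "In-Reply-To"))
      )
    )
  )
)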