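// Inbound mail whose envelope sender claims an org domain but arrives
// without DMARC/SPF/compauth backing (i.e. the org domain is being spoofed),
// under a display name that is not a known org display name, combined with
// three of the suspicious-content signals below.
type.inbound
and sender.email.domain.domain in $org_domains
// doesn't match an org display name (generic)
// we could make this more generic later
and sender.display_name not in $org_display_names
and any(headers.hops,
    // find the hop Authentication-results for the org domain
    .authentication_results.dmarc_details.from.domain in $org_domains
    // internal domain is spoofable on this hop: no DMARC result, no SPF
    // result, and no passing composite-authentication verdict
    and .authentication_results.dmarc == "none"
    and .authentication_results.spf == "none"
    and .authentication_results.compauth.verdict not in ("pass", "softpass")
)
// NOTE(review): the original listed the "suspicious language" signal twice,
// so a single high-confidence NLU hit counted as two of the required three
// signals and effectively lowered the bar to 2-of-4. It appears once here;
// with four distinct signals, 3 of 4 must now match. Revisit the threshold
// if this proves too strict against sample data.
and 3 of (
    (
        // low reputation / suspicious link
        any(body.links,
            .href_url.domain.root_domain not in $org_domains
            and (
                .href_url.domain.root_domain not in $tranco_1m
                or .href_url.domain.domain in $free_file_hosts
                or .href_url.domain.root_domain in $free_file_hosts
                or .href_url.domain.root_domain in $free_subdomain_hosts
                or .href_url.domain.domain in $url_shorteners
                or .href_url.domain.domain in $social_landing_hosts
            )
        )
    ),
    (
        // sender domain matches no body domains
        length(body.links) > 0
        and all(body.links,
            .href_url.domain.root_domain != sender.email.domain.root_domain
        )
    ),
    (
        // suspicious domain in headers
        any(headers.domains,
            // it's not an org domain
            .root_domain not in $org_domains
            // low reputation; uses the same $tranco_1m list as the link
            // check above (the original referenced $alexa_1m here, which is
            // inconsistent with that check and based on a discontinued list)
            and .root_domain not in $tranco_1m
            // no one has sent an email to it before
            and .root_domain not in $recipient_domains
        )
    ),
    (
        // suspicious language: any non-benign intent at high confidence
        any(ml.nlu_classifier(body.current_thread.text).intents,
            .name != "benign" and .confidence == "high"
        )
    )
)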