type.inbound
// levenshtein distance (edit distance) between the SLD of the link and the sender domain is greater than 0 and less than or equal to 2.
// This detects typosquatting or domains that are deceptively similar to the sender.
and any(body.links,
length(.href_url.domain.sld) > 3
and 0 < strings.levenshtein(.href_url.domain.sld,
sender.email.domain.sld
) <= 2
// exclude onmicrosoft.com
and not sender.email.domain.root_domain == "onmicrosoft.com"
and (
// domains are not registered or registered within 90d
// network.whois(.href_url.domain).found == false
network.whois(.href_url.domain).days_old <= 90
or network.whois(sender.email.domain).found == false
or network.whois(sender.email.domain).days_old <= 90
)
)
// the mesasge is intent is BEC or Cred Theft, or is talking about financial invoicing/banking language, or a request contains "kindly"
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("bec", "cred_theft")
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "financial"
and (
.text in ("invoice", "banking information")
or .name == "request" and strings.icontains(.text, "kindly")
)
)
)
Playground
Test against your own EMLs or sample data.