type.inbound
// more than 0 but less than 20 links
and 0 < length(body.links) < 20
// all attachments are images or there are 0 attachments
and (
length(attachments) > 0 and all(attachments, .file_type in $file_types_images)
or length(attachments) == 0
)
// subject contains payment/invoice language
and (
any(ml.nlu_classifier(subject.subject).tags, .name in ("payment", "invoice"))
or regex.contains(subject.subject,
'(?:\binv(?:oice|o)\b|in_v|in-voice|pay(?:ment|mnt)|pymt|\brec(?:eipt|pt|iept)\b|rcpt|confirm(?:ation)|cnfrm|cnf|po\b|p\.o\.|purch(?:ase)?-?order|\bord(?:er)?\b|bill(?:ing)|billing-info|transact(?:ion)|txn|trx|\bstmt\b|\bstmnt\b|remit(?:tance)|rmt|remndr|remind|\bdue(?:-date)\b|ovrdue|overdue|\bbal(?:ance)\b|\bpaid(?:-invoice)\b|requires\s+your\s+a(?:ttention|ction)|\b[fF]inal\s+(?:[nN]otice|[uU]npaid).{0,20}[iI]nvoice)',
// suspicious invoice format
'\d{6}\b.{10,30}(\d{2}\.){3}pdf'
)
)
// link display text ends in a file extension or contain common payment terms
and (
any(body.links,
regex.imatch(.display_text,
'.*\.(?:doc|docm|docx|dot|dotm|pdf|ppa|ppam|ppsm|ppt|pptm|pptx|wbk|xla|xlam|xlm|xls|xlsb|xlsm|xlsx|xlt|xltm)$'
)
)
or any(body.links,
regex.icontains(.display_text,
'(?:\binv(?:oice|o)\b|in_v|in-voice|pay(?:ment|mnt)|pymt|\brec(?:eipt|pt|iept)\b|rcpt|req(?:uest)|rqst|\brq\b|\bpo\b|p\.o\.|purch(?:ase)?-?order|\bord(?:er)?\b|bill(?:ing)|billing-info|transact(?:ion)|txn|trx|\bstmt\b|\bstmnt\b|remit(?:tance)|rmt|remndr|remind|\bdue(?:-date)\b|ovrdue|overdue|\bbal(?:ance)\b|\bpaid(?:-invoice)\b|completed\s+doc(?:s|ument|uments)?\b)'
)
)
or (
any(body.links,
regex.icontains(.display_text, '\bview\s+(invoice|attachment)')
)
and any([body.plain.raw, body.html.inner_text],
any(ml.nlu_classifier(.).intents,
.name == "cred_theft" and .confidence == "high"
)
)
)
)
// the body references an attachment
and (
strings.contains(body.current_thread.text, "attach")
// negate warning banners warning about the attachment(s)
and (
not (
(
regex.count(body.current_thread.text, "attach") == 1
and regex.icontains(body.current_thread.text,
"(caution|warning).{0,30}attach"
)
)
or ( // WeTransfer expiry warning notification
sender.email.email == "noreply@wetransfer.com"
and any(body.links,
.display_text == "Don't send me these expiry reminders anymore"
)
)
)
)
)
// body text is determined to contain cred_theft language by nlu or contains a request with suspicious keywords
and (
not (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Shipping and Package", "Order Confirmations")
and .confidence == "high"
)
)
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft"
)
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
and (
strings.icontains(.text, "kindly")
)
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
Playground
Test against your own EMLs or sample data.