type.inbound
and (
any(body.links,
// filter potentially known good domains
// prevents FPs on entries such as drive[.]google[.]com, or
// other accidental pushes to the List
.href_url.domain.domain not in $free_file_hosts
and .href_url.domain.root_domain not in $free_file_hosts
and .href_url.domain.domain not in $tranco_1m
and .href_url.domain.domain not in $umbrella_1m
// this ensures we don't flag on legit FQDNs that
// aren't in the Tranco 1M, but their root domains are
// eg: support[.]google[.]com
and .href_url.domain.root_domain not in $tranco_1m
and .href_url.domain.root_domain not in $umbrella_1m
and .href_url.domain.root_domain not in $free_subdomain_hosts
and .href_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
)
or any(attachments,
.file_type == "pdf"
and any(file.explode(.),
any(.scan.pdf.urls,
// filter potentially known good domains
// prevents FPs on entries such as drive[.]google[.]com, or
// other accidental pushes to the List
.domain.domain not in $free_file_hosts
and .domain.root_domain not in $free_file_hosts
and .domain.domain not in $free_subdomain_hosts
and .domain.domain not in $tranco_1m
and .domain.domain not in $umbrella_1m
// this ensures we don't flag on legit FQDNs that
// aren't in the Tranco 1M, but their root domains are
// eg: support[.]google[.]com
and .domain.root_domain not in $tranco_1m
and .domain.root_domain not in $umbrella_1m
and .domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters
)
)
)
)
Playground
Test against your own EMLs or sample data.