// Matches an inbound reply whose sender domain is a near-miss (edit distance 1-2) of a domain in
// $sender_domains, where that domain does not appear among the addresses quoted in the earlier
// thread, and where the current message is classified as BEC on a high-risk topic.
// All quoted-thread data comes from the message body, so it is sender-controlled and is used
// here only as a signal, never as proof that the earlier conversation took place.
type.inbound
and subject.is_reply
// the sender's root domain is not itself a member of $sender_domains
and sender.email.domain.root_domain not in $sender_domains
// the quoted history has at least one <address> in a thread preamble whose domain is outside
// $org_domains, i.e. the thread appears to involve an external party
// NOTE(review): the pattern captures any non-whitespace run between angle brackets, so the value
// passed to strings.parse_email may be empty or not an address - confirm how that is handled
and any(body.previous_threads,
length(regex.iextract(.preamble, '<(?P<previous_email>\S*)>')) > 0
and any(regex.iextract(.preamble, '<(?P<previous_email>\S*)>'),
strings.parse_email(.named_groups['previous_email']).domain.domain not in $org_domains
)
)
// current sender has not been seen in the thread before: no <address> in any previous preamble
// shares the sender's domain
// NOTE(review): this compares the full domain, while the lookalike check below uses root_domain;
// presumably a preamble with no <address> match satisfies all() trivially - confirm
and all(body.previous_threads,
all(regex.iextract(.preamble, '<(?P<previous_email>\S*)>'),
strings.parse_email(.named_groups['previous_email']).domain.domain != sender.email.domain.domain
)
)
// lookalike check: the sender's root domain is 1 or 2 edits away from some entry in
// $sender_domains (0 is excluded, so an exact match does not count)
and any($sender_domains,
0 < strings.ilevenshtein(., sender.email.domain.root_domain) < 3
)
// the current thread text carries a "bec" intent at any confidence other than "low"
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "bec" and .confidence != "low"
)
// risky category: the current thread text is classified, with high confidence, under one of the
// listed topics
and any(ml.nlu_classifier(body.current_thread.text).topics,
.name in (
"Financial Communications",
"E-Signature",
"Benefit Enrollment"
)
and .confidence == "high"
)
// corroborating signal: the sender domain has no WHOIS result, or the sender's display name
// appears (case-insensitively) in a previous thread preamble
// NOTE(review): the display-name match presumably indicates reuse of an earlier participant's
// name - confirm against sample messages
and 1 of (
not network.whois(sender.email.domain).found,
any(body.previous_threads, strings.icontains(.preamble, sender.display_name))
)
// the sender domain is new to this environment: profile prevalence is "new" or it has been
// known for fewer than 3 days
and (
profile.by_sender_domain().prevalence == "new"
or profile.by_sender_domain().days_known < 3
)