type.inbound
and any($org_vips, strings.contains(sender.display_name, .display_name))
and not (
sender.email.domain.domain in $org_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
// W-2 Language with a request
and strings.contains(subject.base, 'W-2')
and strings.contains(body.current_thread.text, 'W-2')
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
)
// deifferent reply-to address
and length(headers.reply_to) > 0
and sender.email.email not in map(headers.reply_to, .email.email)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
Playground
Test against your own EMLs or sample data.