type.inbound
and any(attachments,
.file_extension == "zpaq" or
any(file.explode(.),
.file_extension == "zpaq" or
any(.scan.yara.matches,
.name == "SUSP_ZPAQ_Archive_Nov23"
)
)
)
and (
(
not profile.by_sender_email().solicited
and profile.by_sender_email().prevalence in ("new", "outlier")
)
or (
profile.by_sender_email().any_messages_malicious_or_spam
and not profile.by_sender_email().any_false_positives
)
or sender.email.domain.domain == "delivrto.me"
)
Playground
Test against your own EMLs or sample data.