type.inbound
and any(attachments,
.file_extension in~ ("au3", "a3x")
or (
.file_extension in $file_extensions_common_archives
and any(file.explode(.), .file_extension in~ ("au3", "a3x"))
)
)
and (
(
not profile.by_sender_email().solicited
and profile.by_sender_email().prevalence in ("new", "outlier")
)
or (
profile.by_sender_email().any_messages_malicious_or_spam
and not profile.by_sender_email().any_false_positives
)
or sender.email.domain.domain == "delivrto.me"
)
Playground
Test against your own EMLs or sample data.