// Scope: inbound messages only; everything below inspects link targets and
// then gates on sender reputation.
type.inbound
// Link-based delivery: for each body link, take the final DOM produced by
// link analysis and explode it into component files, looking for a
// JavaScript file that uses the File System Access API.
and any(body.links,
any(file.explode(ml.link_analysis(.).final_dom),
// Only files YARA-flavored as JavaScript are considered.
any(.flavors.yara, . == 'javascript_file') and
// File System API elements for:
// - installing event listener for file/dir drop (not essential to attack)
// - getting handle to file/dir
// - requesting permissions to read and/or write to file
// - reading file content
// At least 3 of the 4 identifiers must be present. addEventListener and
// getFile alone count for only 2, so this threshold guarantees that at
// least one API-specific call (requestPermission or getAsFileSystemHandle)
// is always present.
// NOTE(review): assumes ..scan.javascript.identifiers is resolved against
// the exploded file (the enclosing any() item) — confirm against the scope
// rules for file.explode.
length(filter(['addEventListener', 'requestPermission', 'getAsFileSystemHandle', 'getFile'],
. in ..scan.javascript.identifiers
)) >= 3 and
// Elements for:
// - installing event listener to trigger on file dragged and dropped onto page
// - one of read/write permission combinations
// Only one of these strings is required. 'drop' and 'read' are plausible
// literals in unrelated scripts, so this check is a corroborator; the
// identifier threshold above carries most of the weight.
any(['drop', 'read', 'readwrite'],
. in ..scan.javascript.strings
)
) or
// Identical to the above but cover the case that it's a downloaded file
// (the link yields a download rather than a rendered page). The identifier
// list, threshold and string list are duplicated from the branch above and
// must be kept in sync by hand.
any(ml.link_analysis(.).files_downloaded,
any(file.explode(.),
any(.flavors.yara, . == 'javascript_file') and
length(filter(['addEventListener', 'requestPermission', 'getAsFileSystemHandle', 'getFile'],
. in ..scan.javascript.identifiers
)) >= 3 and
any(['drop', 'read', 'readwrite'], . in ..scan.javascript.strings)
)
)
)
// Sender gate: the content signal above only fires when the sender is
// unsolicited and new/outlier, has a malicious-or-spam history with no
// benign messages, or sends from the delivrto.me domain.
and (
(
not profile.by_sender_email().solicited
and profile.by_sender_email().prevalence in ("new", "outlier")
)
or (
profile.by_sender_email().any_messages_malicious_or_spam
and not profile.by_sender_email().any_messages_benign
)
// NOTE(review): this looks like an allow-in for a phishing-simulation/test
// sender so the rule can be exercised with sample messages; confirm it is
// meant to remain in the production rule.
or sender.email.domain.domain == "delivrto.me"
)