type.inbound
// Any link we identify as a brand with
// above medium confidence, classified as phishing
and any(body.links,
beta.linkanalysis(.).credphish.brand.name is not null and
beta.linkanalysis(.).credphish.brand.confidence in ("high", "medium") and
beta.linkanalysis(.).credphish.disposition == "phishing"
)
and (
(
not profile.by_sender_email().solicited
and profile.by_sender_email().prevalence in ("new", "outlier")
)
or (
profile.by_sender_email().any_messages_malicious_or_spam
and not profile.by_sender_email().any_false_positives
)
or sender.email.domain.domain == "delivrto.me"
)
Playground
Test against your own EMLs or sample data.