@@ -61,10 +61,10 @@ source: |
6161 or .inner_text =~ "Social Security"
6262 )
6363 )
64-
64+
6565 // Not from a .gov domain
6666 and not (sender.email.domain.tld == "gov" and headers.auth_summary.dmarc.pass)
67-
67+
6868 // Additional suspicious indicator
6969 and (
7070 any(ml.nlu_classifier(body.current_thread.text).topics,
@@ -74,6 +74,8 @@ source: |
7474 or any(ml.nlu_classifier(body.current_thread.text).entities,
7575 .name == "org" and .text == "SSA"
7676 )
77+ or length(body.current_thread.text) == 0
78+ or body.current_thread.text is null
7779 or strings.icontains(body.current_thread.text, "SSA Statement Viewer")
7880 or strings.icontains(strings.replace_confusables(body.current_thread.text),
7981 "Social Security Statement"
@@ -110,16 +112,22 @@ source: |
110112 )
111113 )
112114 )
113- and not any(ml.nlu_classifier(body.current_thread.text).topics,
114- .name in (
115- "Newsletters and Digests",
116- "Advertising and Promotions",
117- "Events and Webinars",
118- "Charity and Non-Profit",
119- "Political Mail"
120- )
121- and .confidence == "high"
115+ and not (
116+ any(ml.nlu_classifier(body.current_thread.text).topics,
117+ .name in (
118+ "Newsletters and Digests",
119+ "Advertising and Promotions",
120+ "Events and Webinars",
121+ "Charity and Non-Profit",
122+ "Political Mail"
123+ )
124+ and .confidence == "high"
125+ )
126+ or any(ml.nlu_classifier(body.current_thread.text).intents,
127+ .name == "benign" and .confidence == "high"
128+ )
122129 )
130+
123131 // not a forward or reply
124132 and (headers.in_reply_to is null or length(headers.references) == 0)
125133 and (
@@ -146,4 +154,4 @@ detection_methods:
146154id : " 216897d2-a21f-54b7-9b5e-ab46d1b8bebd"
147155og_id : " 6196767e-6264-5833-96f3-d1e34424d7b5"
148156testing_pr : 4373
149- testing_sha : f15a3d595339e3465b0d5ee25ee1bbb14e67c086
157+ testing_sha : 0487b4a024ed503beb041e5223d88412701b4b6d
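Review bot: The benign-intent exclusion added at new lines 126–128 lets a classifier verdict over sender-controlled body text suppress the rule by itself, with no sender-trust condition beside it. The `.gov` carve-out at line 66 is tied to `headers.auth_summary.dmarc.pass`, and this exclusion would be easier to reason about if it were gated the same way on a sender signal, for example authentication plus an established sender history. The empty-body indicators added at new lines 77–78 match messages that give the classifier no text, so presumably neither the topic nor the intent exclusion applies to them and false-positive control there rests on the remaining conditions. It is worth checking that against the test corpus for `testing_pr` 4373. A comment above the new block would help, such as `// exclusions rely on NLU over message text; they do not apply to empty bodies`.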