sublime-security · peterdj45 · Jan 8, 2026
@@ -11,49 +11,6 @@ source: |
     and headers.auth_summary.dmarc.pass
   )
   and any(body.links, .display_text in~ ("Pay Now", "Accept Access"))
-  and (
-    (
-      any(ml.nlu_classifier(body.current_thread.text).intents,
-          .name in~ ("callback_scam", "cred_theft", "extortion")
-          and .confidence == "high"
-      )
-    )
-    // manual extortion indicators
-    or (
-      regex.icontains(sender.display_name,
-                      'big(\s|[[:punct:]])?brother|seeing(\s|[[:punct:]])?eye'
-      )
-      or regex.icontains(body.current_thread.text,
-                         '((I|you).{0,25}(leak|compromise|hack|see|record|expose))|(dirty|little) secret'
-      )
-    )
-    // manual callback phishing indicators
-    or (
-      // phone number in display name or subject
-      any([sender.display_name, subject.base],
-          regex.icontains(.,
-                          '\b\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}\b'
-          )
-      )
-      // references commonly impersonated brands in body
-      or strings.ilike(strings.replace_confusables(body.current_thread.text),
-                       "*Pay?Pal*",
-                       "*Best?Buy*",
-                       "*Geek?Squad*",
-      )
-    )
-    // emojis in link display text
-    or any(body.links,
-           regex.contains(.display_text,
-                          '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
-           )
-    )
-    // links leading to cloudflare R2 or edge services
-    or any(body.links,
-           .href_url.domain.root_domain in~ ("r2.dev", "pages.dev", "workers.dev")
-    )
-  )
-
 attack_types:
   - "Callback Phishing"
   - "Extortion"