On Tue, 8 May 2018 16:02:32 -0400 Alex wrote: > Hi, > Does anyone have any special techniques for catching these invoice > phish emails? > > https://pastebin.com/raw/TfvhUu0X
I think this may be worth a try: uri_detail INSECURE_INVOICE_LINK text =~ /\binvoices?\b/i cleaned=~ /http:/i It's looking for html links where the tag mentions invoice, but the link is not secure.