Attachment: Callback phishing solicitation via text-based file

type.inbound
and length(subject.subject) <= 10
// there are no links, all the links are to aka.ms, or an extraction from a warning banner that match the senders domain
and (
  length(body.links) == 0
  or length(filter(body.links,
                   (
                     .display_text is null
                     and .display_url.url == sender.email.domain.root_domain
                   )
                   or .href_url.domain.domain == "aka.ms"
                   or network.whois(.display_url.domain).days_old < 30
            )
  ) == length(body.links)
)
and (body.current_thread.text is null or length(body.current_thread.text) < 50)
and 0 < length(attachments) < 4
and any(attachments,
        (
          .content_type == "text/plain"
          or .file_type in ("doc", "docx", "xls", "xlsx")
        )
        and any(file.explode(.),
                (.depth == 0 or .flavors.mime == "text/plain")
                // 4 of the following strings are found        
                and 4 of (
                  // this section is synced with attachment_callback_phish_with_pdf.yml and body_callback_phishing_no_attachment.yml
                  strings.icontains(.scan.strings.raw, "purchase"),
                  strings.icontains(.scan.strings.raw, "payment"),
                  strings.icontains(.scan.strings.raw, "transaction"),
                  strings.icontains(.scan.strings.raw, "subscription"),
                  strings.icontains(.scan.strings.raw, "antivirus"),
                  strings.icontains(.scan.strings.raw, "order"),
                  strings.icontains(.scan.strings.raw, "support"),
                  strings.icontains(.scan.strings.raw, "help line"),
                  strings.icontains(.scan.strings.raw, "receipt"),
                  strings.icontains(.scan.strings.raw, "invoice"),
                  strings.icontains(.scan.strings.raw, "call"),
                  strings.icontains(.scan.strings.raw, "helpdesk"),
                  strings.icontains(.scan.strings.raw, "cancel"),
                  strings.icontains(.scan.strings.raw, "renew"),
                  strings.icontains(.scan.strings.raw, "refund"),
                  regex.icontains(.scan.strings.raw, "(?:reach|contact) us at"),
                  strings.icontains(.scan.strings.raw, "+1"),
                  strings.icontains(.scan.strings.raw, "amount"),
                  strings.icontains(.scan.strings.raw, "charged"),
                  strings.icontains(.scan.strings.raw, "crypto"),
                  strings.icontains(.scan.strings.raw, "wallet address"),
                  regex.icontains(.scan.strings.raw, '\$\d{3}\.\d{2}\b'),
                  regex.icontains(.scan.strings.raw,
                                  '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                                  '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
                  ),
                )
                // this section is synced with attachment_callback_phish_with_pdf.yml and body_callback_phishing_no_attachment.yml
                and regex.icontains(.scan.strings.raw,
                                    '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
                )
        )
)
and profile.by_sender().prevalence != "common"
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)