// Detection rule: inbound message whose only attachment is a PDF carrying a
// compensation / pay-review themed lure with a QR code, from a sender that has
// no solicited or benign history (or an org-domain sender failing DMARC).
// Every top-level clause below is joined with `and`, so all of them must hold.
type.inbound
// exactly one attachment, and it is a PDF (by content_type or file_type)
and (
  (
    length(attachments) == 1
    and any(attachments,
            .content_type == "application/pdf" or .file_type == "pdf"
    )
  )
  // the message body is short, so the attachment carries the content
  and (
    // short or null message body
    (
      length(body.current_thread.text) < 500 or body.current_thread.text is null
    )
    // ignore disclaimers in body length calculation
    // (for each NLU "disclaimer" entity, the body length minus that entity's
    // text length must still be under 500)
    or (
      any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
                     .name == "disclaimer"
              ),
              .text
          ),
          (length(body.current_thread.text) - length(.)) < 500
      )
    )
  )
)
and (
  // attached PDF contains a compensation review themed lure with a QR code and suspicious indicators
  any(attachments,
      // add conditions for pdf attachment
      // filename signals: pay/compensation keywords, or the recipient's own domain name
      (
        regex.icontains(.file_name,
                        'salary|pay(?:roll)|bonus|comp(?:ensation|liance|\b)|remuneration|disbursement|incentive|merit|vesting'
        )
        // NOTE(review): `pay(?:roll)` is equivalent to the literal `payroll`, so a
        // bare "pay" in the filename is not matched by this alternative — confirm intended
        // recipient email SLD in filename
        // (`..file_name` is the attachment from the enclosing any(); `.email` is the recipient)
        or any(recipients.to,
               strings.icontains(..file_name, .email.domain.sld)
               and .email.domain.valid
        )
      )
      // add conditions for text and any QR code within the pdf attachment
      // QR evidence: either the extracted/OCR text instructs the reader to scan a
      // QR/barcode, or a decoded QR code resolves to a URL with a valid domain
      and (
        // conditions for QR code via text
        any(file.explode(.),
            any([.scan.strings.raw, .scan.ocr.raw],
                regex.icontains(., 'scan|camera')
                and regex.icontains(., '\bQR\b|Q\.R\.|barcode')
            )
        )
        or any(file.explode(.),
               .scan.qr.type == "url" and .scan.qr.url.domain.valid
        )
      )
      // conditions for text
      and any(file.explode(.),
              // review/change terms in file content
              any([.scan.strings.raw, .scan.ocr.raw],
                  (
                    regex.icontains(.,
                                    '\b(?:Remuneration Overview|Updated Compensation (?:Summary|Schedule|Details)|Access Your Statements?|Staff Performance Appraisal|Compensation Adjustment|performance appraisal|Appraisal Overview|appraisal and compensation|salary (?:increment|deduction))\b'
                    )
                  )
              )
              // alternative: the OCR text is personalised to the recipient and the
              // NLU classifier sees a cred_theft intent on a benefits/financial topic
              or (
                // recipient local_part in attachment body
                // (`..scan.ocr.raw` is the exploded file from the enclosing any(); `.email` is the recipient)
                // NOTE(review): strings.contains is case-sensitive, unlike the icontains
                // calls used elsewhere in this rule; OCR case variance could miss a match — confirm intended
                any(recipients.to,
                    strings.contains(..scan.ocr.raw, .email.local_part)
                )
                and (
                  // NLU cred_theft disposition
                  any(ml.nlu_classifier(.scan.ocr.raw).intents,
                      .name == "cred_theft" and .confidence != "low"
                  )
                  // suspicious topics
                  and any(ml.nlu_classifier(.scan.ocr.raw).topics,
                          .name in (
                            "Benefit Enrollment",
                            "Financial Communications"
                          )
                          and .confidence != "low"
                  )
                )
              )
      )
  )
)
// sender reputation gate: no solicited/benign history with this sender, or a spoofed org domain
and (
  not profile.by_sender_email().solicited
  or not profile.by_sender_email().any_messages_benign
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    and not profile.by_sender_email().any_messages_benign
  )
  // account for spoofed sender domains
  // (coalesce treats a missing DMARC result as a failure in this branch)
  or (
    sender.email.domain.domain in $org_domains
    and not coalesce(headers.auth_summary.dmarc.pass, false)
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
// NOTE(review): unlike the org-domain branch above, dmarc.pass is not coalesced here,
// so a high-trust sender with no DMARC result presumably does not match — confirm intended
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)