// Flags inbound messages whose HTML body carries Adobe Acrobat Sign branding
// but which do not match the genuine Adobe Sign notification patterns below
// and do not come from an authenticated Adobe sender domain.
type.inbound
// only messages with no attachment whose file_type is "pdf"
and length(filter(attachments, .file_type == "pdf")) == 0
// branding indicators: Adobe Sign alt text / logo filename in the raw HTML,
// or an <img> whose src is hosted on adobesign.com under a known logo path
and (
regex.icontains(body.html.raw,
'alt="Adobe Acrobat Sign"',
// NOTE(review): the "." before "png" is unescaped, so it matches any character;
// presumably a literal dot was intended - confirm before tightening
"adobe-sign-logo.{0,20}.png",
'alt="Powered by Adobe Acrobat Sign"'
)
or any(html.xpath(body.html, "//img/@src").nodes,
strings.parse_url(.raw).domain.root_domain == "adobesign.com"
and (
strings.istarts_with(strings.parse_url(.raw).path, "/cobrand_logo/")
or strings.icontains(strings.parse_url(.raw).path, "checkmarkCircle")
)
)
)
// exclusions: any single branch below suppresses the rule.
// NOTE(review): several branches (link display text, To recipients, References
// values, header field names) read data set by the sending side. They reduce
// false positives but are not authenticity checks; review what they suppress.
and not (
// inspect the "oldest" thread, negate where that thread is the original Adobe Sign email (based on link domains)
(
// the oldest thread must contain at least one link, and every link must
// resolve to one of the root domains accepted below
length(body.previous_threads[length(body.previous_threads) - 1].links) > 0
and all(body.previous_threads[length(body.previous_threads) - 1].links,
.href_url.domain.root_domain in (
"aka.ms",
"adobe.com",
"adobesign.com",
"echosign.com",
"adobesignsandbox.com",
"mimecastprotect.com",
"mimecast.com"
)
// links to the organisation's own domains, the sender's root domain,
// or the root domain of any To recipient are also accepted
or .href_url.domain.root_domain in $org_domains
or .href_url.domain.root_domain == sender.email.domain.root_domain
or any(recipients.to,
.email.domain.root_domain == ..href_url.domain.root_domain
)
)
)
// legit review button
// (exact display text match, and the link must point at an Adobe root domain)
or any(body.links,
.display_text in (
"Review and sign",
"the document",
"Open agreement",
"VIEW DOCUMENTS",
"Click here to review and sign"
)
and (
.href_url.domain.root_domain in (
"adobe.com",
"adobesign.com",
"echosign.com",
"adobesignsandbox.com",
)
// Mimecast link logic
// (a Mimecast link is accepted only when its decoded "domain" query
// parameter parses to an Adobe root domain)
or (
.href_url.domain.root_domain in (
"mimecastprotect.com",
"mimecast.com"
)
and any(.href_url.query_params_decoded['domain'],
strings.parse_domain(.).root_domain in (
"adobe.com",
"adobesign.com",
"echosign.com",
"adobesignsandbox.com",
)
)
)
)
)
// accidental recipient
or any(recipients.to, .email.email == "adobesign@adobesign.com")
// known Adobe Sign message ID formats
// (only evaluated for replies/forwards: more than one References entry or at
// least one previous thread; the first References entry is then matched)
or (
(length(headers.references) > 1 or length(body.previous_threads) != 0)
and regex.imatch(headers.references[0],
'[0-9]{9,10}\.[0-9]{4,6}\.[0-9]{13}@event-consumer-prod-[a-z]-[a-z0-9]{7,10}-[a-z0-9]{5}',
// NOTE(review): this pattern accepts any suffix after "-prod-"; it is the
// loosest of the three - consider bounding it if the real format is known
'[0-9]{8,10}\.[0-9]{5,7}\.[0-9]{13}@(webapp|job)-prod-.*$',
'[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}-APO-PRODHIPAA@apo-p-h'
)
)
// negate Adobe Sign messages from custom domains
// (matches on the presence of these header field names in any hop)
or any(headers.hops,
any(.fields, .name in ("Adobesigneventid", "Agreementid"))
)
)
// exclude mail from the listed sender root domains, but only when DMARC
// passes, so an unauthenticated use of these domains is still evaluated
and not (
sender.email.domain.root_domain in (
"adobe.com",
"adobesign.com",
"adobesignsandbox.com",
"echosign.com",
// ticketing software that embeds emails
"helpscout.net"
)
and headers.auth_summary.dmarc.pass
)
// high-trust sender root domains are only flagged when DMARC does not pass;
// every other sender domain is evaluated regardless of DMARC result
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)