Brand impersonation: Chase Bank

type.inbound
and (
  strings.ilike(sender.display_name,
                '*chase sapphire*',
                '*chase card services*',
                '*united mileageplus*',
                "echase*"
  )
  or strings.ilevenshtein(sender.display_name, 'chase sapphire') <= 2
  or strings.ilevenshtein(sender.display_name, 'chase card services') <= 2
  or strings.ilevenshtein(sender.display_name, 'united mileageplus') <= 2
  or (
    strings.ilevenshtein(sender.display_name, 'echase') <= 1
    // Negate Chase sender display name if cred theft, callback phishing, and a Chase logo isn't detected
    and not (
      strings.icontains(sender.display_name, 'chase')
      and not (
        any(ml.nlu_classifier(body.current_thread.text).intents,
            .name == "cred_theft" and .confidence in ("medium", "high")
        )
        or any(ml.nlu_classifier(body.current_thread.text).intents,
               .name == "callback_scam" and .confidence in ("medium", "high")
        )
        or any(ml.logo_detect(beta.message_screenshot()).brands,
               strings.starts_with(.name, "Chase")
        )
      )
    )
  )
  or strings.icontains(body.current_thread.text, 'Chase Privacy Operations')
)
and not (
  sender.display_name is not null and sender.display_name in~ ("chaser", "case")
)
and sender.email.domain.root_domain not in~ ('chase.com', 'united.com', 'transunion.com', 'shopping-chase.com', 'chasetravel.com')
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// and not solicited
and not profile.by_sender().solicited