Brand Impersonation: Disney

type.inbound
and (
  // display name contains Disney
  (
    (
      strings.ilike(strings.replace_confusables(sender.display_name),
                    '*disney*'
      )
      and not strings.ilike(strings.replace_confusables(sender.display_name),
                            '*disney springs*'
      )
    )
    // levenshtein distance similar to Disney
    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                            'disney'
    ) <= 1
    or any(ml.logo_detect(file.message_screenshot()).brands,
           .name == "Disney" and .confidence == "high"
    )
  )
)
and (
  (
    any(beta.ml_topic(body.current_thread.text).topics,
        .name in (
          "Security and Authentication",
          "Secure Message",
          "Reminders and Notifications"
        )
        and .confidence in ("medium", "high")
    )
    and not any(beta.ml_topic(body.current_thread.text).topics,
                .name in ("Newsletters and Digests", "Entertainment and Sports")
                and .confidence in ("medium", "high")
    )
  )
  or (
    any(beta.ml_topic(beta.ocr(file.message_screenshot()).text).topics,
        .name in (
          "Security and Authentication",
          "Secure Message",
          "Reminders and Notifications"
        )
        and .confidence in ("medium", "high")
        and beta.ocr(file.message_screenshot()).text != ""
    )
    and not any(beta.ml_topic(beta.ocr(file.message_screenshot()).text).topics,
                .name in ("Newsletters and Digests", "Entertainment and Sports")
                and .confidence in ("medium", "high")
    )
  )
  or any(ml.nlu_classifier(body.current_thread.text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
  or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
)

// and the sender is not in org_domains or from Disney domains and passes auth
and not (
  sender.email.domain.root_domain in $org_domains
  or (
    // from https://github.com/v2fly/domain-list-community/blob/master/data/disney
    sender.email.domain.root_domain in (
      "disney.asia",
      "disney.be",
      "disney.bg",
      "disney.ca",
      "disney.ch",
      "disney.co.il",
      "disney.co.jp",
      "disney.co.kr",
      "disney.co.th",
      "disney.co.uk",
      "disney.co.za",
      "disney.com",
      "disney.com.au",
      "disney.com.br",
      "disney.com.hk",
      "disney.com.tw",
      "disney.cz",
      "disney.de",
      "disney.dk",
      "disney.es",
      "disney.fi",
      "disney.fr",
      "disney.gr",
      "disney.hu",
      "disney.id",
      "disney.in",
      "disney.io",
      "disney.it",
      "disney.my",
      "disney.nl",
      "disney.no",
      "disney.ph",
      "disney.pl",
      "disney.pt",
      "disney.ro",
      "disney.ru",
      "disney.se",
      "disney.sg",
      "disneysurveys.com",
      "disneyonline.com",
      "disneyaccount.com",
      "disneyadvertising.com",
      "disneydestinations.com",
      "hulu.com",
      "hulumail.com",
      "canarytechnologies.com", // domain used by a disney resort - hotel mgmt software company
      "disneyvacationclub.com",
      "twdc.com"
    )
    and headers.auth_summary.dmarc.pass
  )
)
// and the sender is not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or not headers.auth_summary.dmarc.pass
  or not headers.auth_summary.spf.pass
)