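type.inbound
// Brand impersonation check: the sender's display name (after confusable
// normalisation) spells Shein, or the rendered message carries exactly one
// high-confidence Shein logo.
and (
  // display name contains Shein
  (
    (
      regex.icontains(strings.replace_confusables(sender.display_name),
                      '\bsh[ie]{2}n\b'
      )
      // the regex also matches "sheen" (a common surname/word); drop it
      and not strings.icontains(sender.display_name, "sheen")
    )
    or (
      length(ml.logo_detect(file.message_screenshot()).brands) == 1
      and all(ml.logo_detect(file.message_screenshot()).brands,
              .name == "Shein" and .confidence == "high"
      )
    )
  )
)
// Lure content check: every detected topic (from the body text, or from OCR
// of the screenshot) is one of the phishing-adjacent topics below, or a
// high-confidence credential-theft intent is present in either text source.
and (
  (
    length(ml.nlu_classifier(body.current_thread.text).topics) > 0
    and all(ml.nlu_classifier(body.current_thread.text).topics,
            .name in (
              "Security and Authentication",
              "Secure Message",
              "Reminders and Notifications",
              "Advertising and Promotions" // fake surveys/giveaways have been observed
            )
            and .confidence in ("medium", "high")
    )
  )
  or (
    // the OCR text is a property of the whole screenshot, not of a topic, so
    // the non-empty check is evaluated once here instead of inside all()
    beta.ocr(file.message_screenshot()).text != ""
    and length(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics) > 0
    and all(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
            .name in (
              "Security and Authentication",
              "Secure Message",
              "Reminders and Notifications",
              "Advertising and Promotions" // fake surveys/giveaways have been observed
            )
            and .confidence in ("medium", "high")
    )
  )
  or any(ml.nlu_classifier(body.current_thread.text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
  or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
         .name == "cred_theft" and .confidence == "high"
  )
)
// Exemptions: the sender is not in org_domains, the message is not a Shein
// return label, and the sender is not an authenticated Shein domain.
and not (
  sender.email.domain.root_domain in $org_domains
  or (
    length(attachments) == 1
    // this is Shein's return label generator
    // NOTE(review): the EXIF "creator" field is attacker-controlled PDF
    // metadata and this exemption is not tied to the sender or to auth
    // results, so a single PDF with creator "MondialRelay" suppresses the
    // rule outright. Consider scoping it to authenticated senders.
    and all(attachments,
            .file_type == "pdf"
            and strings.icontains(beta.parse_exif(.).creator, "MondialRelay")
    )
  )
  or (
    sender.email.domain.root_domain in (
      "shein.com",
      "shein.com.mx",
      "sheinemail.com",
      "shein.co.uk",
      "sheingroup.com",
      "sheinnotice.com",
      "cash.app",
      "capitaloneshopping.com"
    )
    and (
      headers.auth_summary.dmarc.pass
      // for when DMARC fails, but it's still a legit Shein newsletter
      // NOTE(review): a spoofed Shein From: domain that fails DMARC is still
      // exempted when more than 60% of 11+ links point at these domains,
      // leaving room for attacker-controlled links in the remainder. The link
      // list also omits "shein.com.mx", which the sender list above includes;
      // confirm whether that is intentional.
      or (
        length(body.links) > 10
        and ratio(body.links,
                  .href_url.domain.root_domain in (
                    "shein.com",
                    "sheinemail.com",
                    "shein.co.uk",
                    "sheingroup.com",
                    "sheinnotice.com",
                    "cash.app",
                    "capitaloneshopping.com"
                  )
        ) > 0.6
      )
    )
  )
  // parse out original sender domain from Apple Private Relay info
  // NOTE(review): "icloud.com" is also a consumer mailbox domain, so any
  // icloud.com account whose local part contains "shein_com" or
  // "sheinemail_com" satisfies this exemption. Confirm that icloud.com is
  // actually required here and not only privaterelay.appleid.com.
  or (
    sender.email.domain.domain in ("privaterelay.appleid.com", "icloud.com")
    and strings.ilike(sender.email.local_part,
                      '*shein_com*',
                      '*sheinemail_com*'
    )
  )
)
// and the sender is not from high trust sender root domains
// (a high-trust domain is only trusted when it actually passes DMARC)
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// unsolicited sender, or a solicited one that fails DMARC or SPF
and (
  not profile.by_sender().solicited
  or not headers.auth_summary.dmarc.pass
  or not headers.auth_summary.spf.pass
)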