Brand impersonation: USPS

type.inbound
and (
  any(ml.logo_detect(file.message_screenshot()).brands, .name == "USPS")
  or strings.icontains(sender.display_name, "USPS")
)
and length(body.links) > 0
and 2 of (
  any(body.links,
      strings.ilike(.display_text,
                    "*check now*",
                    "*track*",
                    "*package*",
                    '*view your order*'
      )
  ),
  strings.ilike(body.current_thread.text,
                "*returned*to*sender*",
                "*redelivery*",
                '*USPS promotions*'
  ),
  // impersonal greeting
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "recipient" and .text =~ "Customer"
  ),
  // no links go to usps.com
  all(body.links, .href_url.domain.root_domain != "usps.com")
)
and (
  sender.email.domain.root_domain not in (
    "usps.com",
    "opinions-inmoment.com", // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
    "shipup.co", // third party shipping company
    "withings.com" // third party shipping company
  )
  or (
    sender.email.domain.root_domain in (
      "usps.com",
      "opinions-inmoment.com" // https://faq.usps.com/s/article/USPS-Customer-Experience-Surveys
    )
    and not headers.auth_summary.dmarc.pass
  )
)
// negate newsletters 
and not (
  length(body.links) > 20
  or any(ml.nlu_classifier(body.html.display_text).topics,
         .name == "Newsletters and Digests"
  )
)
// negate legit forwards and replies
and not (
  (subject.is_reply or subject.is_forward)
  and length(body.previous_threads) > 0
  and (length(headers.references) > 0 or headers.in_reply_to is not null)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)