• Sublime Core Feed
High Severity

Callback phishing: AOL senders with suspicious HTML template or PDF attachment

Description

Detects a behavioral pattern observed in callback-phishing messages sent from aol.com addresses through the AOL web client (which runs on Yahoo infrastructure, hence the @mail.yahoo.com Message-IDs): a single recipient, no reply headers, the AOL webmail X-Mailer, and either a body built on one of a small set of fixed yahoo-style-wrap HTML templates (specific font stacks at 18px) or a single PDF attachment carrying a static Content-ID or the fixed wkhtmltopdf/Qt Creator and Producer metadata seen in observed samples.

References

No references.

Sublime Security
Created Apr 28th, 2025 • Last updated Aug 5th, 2025
Source
type.inbound
// sender is aol
and sender.email.domain.root_domain == "aol.com"

// with no restored/benign messages
and not profile.by_sender_email().any_messages_benign

// there is a single recipient
and length(recipients.to) == 1
and length(recipients.cc) == 0
and length(recipients.bcc) == 0

// is not a reply
and headers.in_reply_to is null

// this is another way to limit replies, but it needs to account for a
// behavior where Yahoo/AOL appears to include its own Message-ID as a reference
and length(headers.references) == 1

// all observed Message-ID values end in @mail.yahoo.com; some benign messages use @aol.com
and strings.iends_with(headers.message_id, '@mail.yahoo.com>')

// all observed samples use the legitimate AOL webmail X-Mailer value;
// this excludes AOL mail sent from iPhones and other non-AOL clients
and strings.ends_with(headers.mailer, 'AolMailNorrin')

// no recipient exclusions are applied here; recipients that routinely exchange mail with
// aol.com addresses (commonly, but not always, benign) are candidates for exclusion
and (
  // no attachment
  (
    length(attachments) == 0
    // if there are no attachments focus on the HTML template being observed
    and (

      // yahoo div followed by <br>
      // verdana, helvetica, sans-serif
      strings.icontains(body.html.raw,
                        "<div class=\"yahoo-style-wrap\" style=\"font-family:verdana, helvetica, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><br>\r\n"
      )
      // Helvetica Neue, Helvetica, Arial, sans-serif
      or strings.icontains(body.html.raw,
                           "<div class=\"yahoo-style-wrap\" style=\"font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><br>\r\n"
      )
      // yahoo div followed by <!DOCTYPE html>
      // verdana, helvetica, sans-serif
      or strings.icontains(body.html.raw,
                           "<div class=\"yahoo-style-wrap\" style=\"font-family:verdana, helvetica, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><!DOCTYPE html>"
      )
      // Helvetica Neue, Helvetica, Arial, sans-serif
      or strings.icontains(body.html.raw,
                           "<div class=\"yahoo-style-wrap\" style=\"font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><!DOCTYPE html>"
      )
    )
  )
  or (
    // if there is an attachment, there can be only one
    length(attachments) == 1
    and all(attachments,
            // it's a PDF, 
            .file_type == "pdf"
            and (
              // static content_id value for the attachments
              (
                .content_id == '<@yahoo.com>'
                or .content_id == '@yahoo.com'
              )
              // or the PDF carries the static Creator/Producer metadata seen in observed samples
              or (
                  
                  // 
                  // This rule makes use of a beta feature and is subject to change without notice
                  // using the beta feature in custom rules is not suggested until it has been formally released
                  // 

                  beta.parse_exif(.).creator == "wkhtmltopdf 0.12.6"
                  and beta.parse_exif(.).title is null
                  and beta.parse_exif(.).producer == 'Qt 4.8.7'
              )
            )
    )
  )
)
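The rule's conditions re-implemented in Python so they can be run against an EML offline, for example while triaging a false positive or porting the logic to another mail pipeline. This is an added example, not Sublime's code and not the rule's own source: the standard-library email package stands in for Sublime's message model, a regex over the PDF /Info dictionary stands in for beta.parse_exif, the sender-profile check (profile.by_sender_email().any_messages_benign) has no offline equivalent and is a caller-supplied flag, root_domain is approximated as the last two DNS labels, and the two sample messages are constructed rather than captured.

```python
"""Offline re-implementation of the rule's conditions (added example, not Sublime's code).
Assumptions of this example, not of the page: RFC 5322 bytes parsed with the stdlib
`email` package; PDF /Info fields read by regex over literal strings instead of Sublime's
beta EXIF parser; the sender-profile check is passed in by the caller; root_domain is
approximated as the last two DNS labels."""
import base64
import re
from email import policy
from email.parser import BytesParser

SENDER_ROOT_DOMAIN = "aol.com"
MESSAGE_ID_SUFFIX = "@mail.yahoo.com>"   # strings.iends_with: case-insensitive
MAILER_SUFFIX = "AolMailNorrin"          # strings.ends_with: case-sensitive
STATIC_CONTENT_IDS = {"<@yahoo.com>", "@yahoo.com"}
PDF_CREATOR, PDF_PRODUCER = "wkhtmltopdf 0.12.6", "Qt 4.8.7"

# The rule's four body templates: two font stacks x two followers. The literal CRLFs
# matter because the rule matches body.html.raw, not a normalised DOM.
_FONTS = ("verdana, helvetica, sans-serif", "Helvetica Neue, Helvetica, Arial, sans-serif")
HTML_TEMPLATES = [
    f'<div class="yahoo-style-wrap" style="font-family:{font};font-size:18px;">\r\n'
    f'<div dir="ltr" data-setdir="false">{follower}'
    for font in _FONTS for follower in ("<br>\r\n", "<!DOCTYPE html>")
]

def _addr_count(msg, header):
    hdr = msg.get(header)
    return len(hdr.addresses) if hdr is not None else 0

def _pdf_info(pdf):
    """(Creator, Producer, Title) from the /Info dict; literal (...) strings only."""
    def field(key):
        m = re.search(rb"/" + key + rb"\s*\(([^)]*)\)", pdf)
        return m.group(1).decode("latin-1") if m else None
    return field(b"Creator"), field(b"Producer"), field(b"Title")

def _html_template_matches(msg):
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return False
    html = body.get_content().lower()   # strings.icontains semantics
    return any(t.lower() in html for t in HTML_TEMPLATES)

def _attachment_matches(part):
    is_pdf = (part.get_content_type() == "application/pdf"
              or (part.get_filename() or "").lower().endswith(".pdf"))
    if not is_pdf:
        return False
    if str(part.get("Content-ID", "")).strip() in STATIC_CONTENT_IDS:
        return True
    creator, producer, title = _pdf_info(part.get_content())
    return creator == PDF_CREATOR and producer == PDF_PRODUCER and title is None

def evaluate(raw, sender_has_benign_history=False):
    """Return (matched, checks); matched is True only when every rule condition holds."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_hdr = msg.get("From")
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    sender_root = ".".join(sender.domain.lower().split(".")[-2:]) if sender else ""
    attachments = list(msg.iter_attachments())
    checks = {
        "sender_is_aol": sender_root == SENDER_ROOT_DOMAIN,
        "no_benign_history": not sender_has_benign_history,
        "single_recipient": (_addr_count(msg, "To") == 1 and _addr_count(msg, "Cc") == 0
                             and _addr_count(msg, "Bcc") == 0),
        "not_a_reply": msg.get("In-Reply-To") is None,
        "one_reference": len(str(msg.get("References", "")).split()) == 1,
        "yahoo_message_id": (str(msg.get("Message-ID", "")).strip().lower()
                             .endswith(MESSAGE_ID_SUFFIX)),
        "aol_web_mailer": str(msg.get("X-Mailer", "")).endswith(MAILER_SUFFIX),
        "template_or_pdf": ((not attachments and _html_template_matches(msg))
                            or (len(attachments) == 1 and _attachment_matches(attachments[0]))),
    }
    return all(checks.values()), checks

# Constructed samples (not real messages), one per branch of the rule.
CRLF = "\r\n"
_COMMON = ["From: Billing <someone@aol.com>", "To: victim@example.com",
           "Message-ID: <1714300000.12345@mail.yahoo.com>",
           "References: <1714300000.12345@mail.yahoo.com>",  # AOL references its own id
           "X-Mailer: WebService/1.1 AolMailNorrin"]         # constructed; only the suffix matters

def _build(headers, body):
    return (CRLF.join(headers) + CRLF + CRLF + body).encode()

SAMPLE_TEMPLATE = _build(_COMMON + ["Content-Type: text/html; charset=utf-8"],
    '<div class="yahoo-style-wrap" style="font-family:verdana, helvetica, sans-serif;'
    'font-size:18px;">\r\n<div dir="ltr" data-setdir="false"><br>\r\n'
    'Your subscription renewed for $399. Call +1-555-0100 to cancel.</div></div>')
_PDF_STUB = (b"%PDF-1.4\n1 0 obj\n<< /Creator (wkhtmltopdf 0.12.6) /Producer (Qt 4.8.7) >>\n"
             b"endobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")   # minimal stub, not a full PDF
SAMPLE_PDF = _build(_COMMON + ["MIME-Version: 1.0", 'Content-Type: multipart/mixed; boundary="b1"'],
    CRLF.join(["--b1", "Content-Type: text/html; charset=utf-8", "",
               "<html><body>Invoice attached.</body></html>", "--b1",
               'Content-Type: application/pdf; name="invoice.pdf"',
               "Content-Transfer-Encoding: base64",
               'Content-Disposition: attachment; filename="invoice.pdf"', "",
               base64.b64encode(_PDF_STUB).decode(), "--b1--"]))
```

Two details of the MQL carry over and are easy to lose in a port: the HTML templates contain literal CRLF sequences and are compared against body.html.raw, so any line-ending normalisation before the comparison silently disables the no-attachment branch; and the X-Mailer check uses strings.ends_with (case-sensitive) while the Message-ID check uses strings.iends_with, which evaluate() mirrors. Calling evaluate(SAMPLE_TEMPLATE) and evaluate(SAMPLE_PDF) returns a match for each branch; flipping sender_has_benign_history, adding an In-Reply-To header, or changing the X-Mailer suffix turns the corresponding check False.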