Callback Phishing: Branded invoice from sender/reply-to domain less than 30 days old

type.inbound
// reply to domain that's less than 30d old and doesn't match the sender
and (
  (
    length(headers.reply_to) > 0
    and all(headers.reply_to,
            network.whois(.email.domain).days_old <= 30
            and .email.email != sender.email.email
    )
  )

  // or the return path or sender domain is less than 30d old 
  or network.whois(headers.return_path.domain).days_old <= 30
  or network.whois(sender.email.domain).days_old <= 30
)

// invoicing with high confidence
and any(ml.nlu_classifier(body.current_thread.text).tags,
        .name == "invoice" and .confidence == "high"
)

// commonly abused brands in body
and (
  strings.ilike(body.current_thread.text,
                "*mcafee*",
                "*norton*",
                "*geek squad*",
                "*paypal*",
                "*ebay*",
                "*symantec*",
                "*best buy*",
                "*lifelock*",
                "*virus*"
  )

  // commonly abused brand logo
  or any(ml.logo_detect(beta.message_screenshot()).brands,
         .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
  )

  // check message screenshot ocr for commonly abused brands
  or any(file.explode(beta.message_screenshot()),
         1 of (
           strings.icontains(.scan.ocr.raw, "geek squad"),
           strings.icontains(.scan.ocr.raw, "lifelock"),
           strings.icontains(.scan.ocr.raw, "best buy"),
           strings.icontains(.scan.ocr.raw, "mcafee"),
           strings.icontains(.scan.ocr.raw, "norton"),
           strings.icontains(.scan.ocr.raw, "ebay"),
           strings.icontains(.scan.ocr.raw, "paypal"),
           strings.icontains(.scan.ocr.raw, "virus"),
         )
  )
)

// phone number regex
and regex.icontains(body.current_thread.text,
                    '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
)
and not profile.by_sender().solicited
and not profile.by_sender().any_false_positives