Commonly abused sender TLD with engaging language

type.inbound

// we don't do a suspicious link check here
// because we are seeing abuse of mass marketing tools
// like campaign[.]adobe[.]com
// once we roll out better support for unfurling those,
// we can update this logic
and length(body.links) > 0

// commonly abused sender TLD
and strings.ilike(sender.email.domain.tld, "*.jp")
and 3 of (
  // language attempting to engage
  any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request"),

  // financial request
  any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial"),

  // urgency request
  any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),

  // known suspicious pattern in the URL path
  any(body.links, regex.match(.href_url.path, '\/[a-z]{3}\d[a-z]')),

  // suspicious image that's most likely cred_theft
  any(attachments,
      .file_type in $file_types_images
      and any(file.explode(.),
              any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft")
              or any(ml.nlu_classifier(.scan.ocr.raw).entities, .name == "financial")
      )
  ),

  // recipient's SLD is in the sender's display name
  any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld) and (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))),

  // recipient's email address in the subject
  any(recipients.to, strings.icontains(subject.subject, .email.email) and (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))),
)

and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)

  // negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)