Credential phishing: Email delivery failure impersonation

type.inbound
and length(body.links) < 10
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence == "high"
  )
  or (
    length(body.current_thread.text) < 250
    and any(recipients.to,
            strings.icontains(body.current_thread.text, .email.domain.sld)
            or strings.icontains(body.current_thread.text, .email.local_part)
    )
  )
)
and (
  regex.icontains(subject.subject, '(e)?mail(s)?')
  or (
    length(body.current_thread.text) < 700
    and strings.ilike(body.current_thread.text, '*mail*')
  )
)
and 3 of (
  strings.ilike(body.current_thread.text, "*incoming messages*"),
  strings.ilike(body.current_thread.text, "*server error*"),
  strings.ilike(body.current_thread.text, "*blocked*"),
  strings.ilike(body.current_thread.text, "*prevented*"),
  strings.ilike(body.current_thread.text, "*notification*"),
  strings.ilike(body.current_thread.text, "*fix email issues*"),
  strings.ilike(body.current_thread.text, "*rejected*"),
  strings.ilike(body.current_thread.text, "*recover and prevent*"),
  strings.ilike(body.current_thread.text, "*failure*"),
  strings.ilike(body.current_thread.text, "*rejection*"),
  strings.ilike(body.current_thread.text, "*failed*")
)
and (
  any(body.links,
      regex.icontains(.display_text,
                      "view",
                      "messages",
                      "recover",
                      "fix",
                      "portal",
                      "connect"
      )
      and not .display_text == "View Report"
      and .href_url.domain.root_domain in ("gmass.co")
  )
  or (
    length(body.links) < 3
    and any(body.links,
            any(recipients.to,
                .email.domain.root_domain == ..display_url.domain.root_domain
                and ..mismatched
            )
    )
  )
  or (all(recipients.to, .email.local_part == sender.display_name))
  or any(body.links,
         any(.href_url.rewrite.encoders, . == "proofpoint")
         and .href_url.domain.root_domain not in $tranco_50k
         and .href_url.domain.root_domain not in $org_domains
  )
)
and not any(body.links,
            regex.icontains(.display_text,
                            "view document",
                            "review (&|and) sign document"
            )
)
and sender.email.domain.root_domain not in (
  "bing.com",
  "microsoft.com",
  "microsoftonline.com",
  "microsoftsupport.com",
  "microsoft365.com",
  "office.com",
  "office365.com",
  "onedrive.com",
  "sharepointonline.com",
  "yammer.com",
  "ppops.net"
)

// negate org domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $org_domains
    and (
      not headers.auth_summary.dmarc.pass
      // MS  emails from an org domain are router "internally" to MS, therefore, there is no authentication information
      or not (
        headers.auth_summary.dmarc.pass is null
        and all(headers.domains,
                .root_domain in ("outlook.com", "office365.com")
        )
        // typical emails from freemail Outlook accounts are from prod.outlook.com
        and strings.ends_with(headers.message_id, "protection.outlook.com>")
      )
    )
  )
  or sender.email.domain.root_domain not in $org_domains
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign