Credential phishing: Onedrive impersonation

type.inbound
// one drive is found in the sender display name or sender local part
and (
  (
    regex.icontains(sender.display_name, '[0o]ne\s?dr[il1]ve')
    or regex.icontains(sender.email.local_part, '[0o]ne\s?dr[il1]ve')
    or 0 < strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                                "one?drive"
    ) < 2
    or any(attachments,
           regex.icontains(.file_name, '[0o]ne\s?dr[il1]ve')
           and not any(file.explode(.),
                   any(.scan.exiftool.fields,
                           .key == "Model"
                           or (
                             .key == "Software"
                             and strings.starts_with(.value, "Android")
                           )
                   )
                   // exclude images taken with mobile cameras and screenshots from Apple
                   or any(.scan.exiftool.fields,
                               .key == "DeviceManufacturer"
                               and .value == "Apple Computer Inc."
                   )
           )
    )
  )
  or regex.imatch(body.current_thread.text, '[0o]ne\s?dr[il1]ve.*')
  // or one drive is in the subject with a freefile host, additional suspicious language, or suspicious display text
  or (
    regex.icontains(strings.replace_confusables(subject.subject),
                    '[0o]ne\s?dr[il1]ve'
    )
    and (
      any(body.links,
          .href_url.domain.root_domain in $free_subdomain_hosts
          and .href_url.domain.subdomain is not null
          and .href_url.domain.subdomain != "www"
      )
      or regex.contains(subject.subject, '(shared.{0,30}document)')
      or any(body.links,
             regex.icontains(.display_text,
                             "((view|show|access).(?:report|document)|review doc|view doc|view.attached)"
             )
      )
    )
  )
  or (
    any(beta.ml_topic(body.current_thread.text).topics,
        .name == "File Sharing and Cloud Services" and .confidence == "high"
    )
    // more than half of the links with display text contain the keyword "onedrive"
    and ratio(filter(body.links, .display_text is not null),
              regex.icontains(.display_text, '[0o]ne\s?dr[il1]ve')
    ) > 0.5
  )
)

// and body language is med/high confidence cred theft
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence in ("medium", "high")
  )
  or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
         .name == "cred_theft" and .confidence in ("medium", "high")
  )
)
and length(body.links) < 10
and sender.email.domain.root_domain not in (
  "bing.com",
  "microsoft.com",
  "microsoftonline.com",
  "microsoftsupport.com",
  "microsoft365.com",
  "office.com",
  "onedrive.com",
  "sharepointonline.com",
  "yammer.com",
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

// excludes docusign senders that contain "via" in the display name 
and not (
  any(headers.hops,
      any(.fields,
          .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
      )
  )
  and strings.contains(sender.display_name, "via")
)
and not profile.by_sender().any_messages_benign