// Purpose: flag an inbound message that carries an attached EML (declared as
// message/rfc822 or with an .eml extension) whose own body text, or an
// attachment nested inside it, is classified by the NLU model as
// high-confidence credential-theft language. Known benign producers of
// attached EMLs (bounce-backs, read receipts, Microsoft Dynamic Delivery,
// Mimecast attachment replacement, the Proofpoint analyzer) are excluded, and
// the outer sender must have no benign history with the recipient org.
type.inbound
// we don't look for links because it could be a QR code
and any(attachments,
// either signal is enough: the MIME type or the file extension may be missing
(.content_type == "message/rfc822" or .file_extension =~ "eml")
and (
// credential theft language in the attached EML
any(ml.nlu_classifier(file.parse_eml(.).body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
// credential theft language in an attachment in the attached EML
// (every nested attachment is OCR'd and its text classified; beta.ocr is a
// beta function, so which attachment types yield text is not established here)
or any(file.parse_eml(.).attachments,
any(ml.nlu_classifier(beta.ocr(.).text).intents,
.name == "cred_theft" and .confidence == "high"
)
)
)
// NOTE(review): the exclusions below are evaluated on fields of the attached
// EML itself, which is unauthenticated content supplied with the message;
// they reduce false positives on forwarded bounces at some cost in robustness
and not strings.like(file.parse_eml(.).sender.email.local_part,
"*postmaster*",
"*mailer-daemon*",
"*administrator*"
)
// some systems attach the bounceback this way
and not any(file.parse_eml(.).attachments,
.content_type in (
"message/delivery-status",
"message/feedback-report"
)
)
// negate Microsoft Dynamic Delivery
// (placeholder EML with no attachments yet and the Safe Attachments notice)
and not (
length(file.parse_eml(.).attachments) == 0
and strings.icontains(file.parse_eml(.).body.current_thread.text,
"Your attachments are currently being scanned by Safe Attachments"
)
)
// Mimecast Protection attached EMLs when replacing attachments
// all four conditions must hold: a Mimecast wrapper filename, exactly one
// Received hop, an X-MC-System header, and the Mimecast MIME boundary marker
and not (
(
strings.iends_with(.file_name, 'was removed from this message')
or .file_name == "We found suspicious links"
or .file_name == 'We sent you safe versions of your files'
)
and length(file.parse_eml(.).headers.hops) == 1
and any(file.parse_eml(.).headers.hops[0].fields,
.name == "X-MC-System"
)
and any(file.parse_eml(.).headers.hops[0].fields,
.name == "Content-Type"
and strings.contains(.value, '; boundary="MCBoundary=_')
)
)
)
// exclude bounce backs & read receipts
// (same local-part and content-type checks as above, applied to the outer message)
and not strings.like(sender.email.local_part,
"*postmaster*",
"*mailer-daemon*",
"*administrator*"
)
// case-insensitive, anchored at the start of the subject: NDR and read-receipt prefixes
and not regex.icontains(subject.subject, "^(undelivered|undeliverable|read:)")
and not any(attachments,
.content_type in (
"message/delivery-status",
"message/feedback-report"
)
)
// if the "References" is in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
// sender-reputation gate: unsolicited, or previously malicious/spam, or
// sender is the sole To: recipient (a self-addressed pattern)
and (
not profile.by_sender_email().solicited
or (
profile.by_sender_email().any_messages_malicious_or_spam
// this clause is already implied by the any_messages_benign exclusion
// applied to the whole rule below, so it never narrows the match on its own
and not profile.by_sender_email().any_messages_benign
)
// sender address listed as a recipient
or (
length(recipients.to) == 1
and sender.email.email in map(recipients.to, .email.email)
)
)
// never fire on a sender with any benign history, regardless of the branch taken above
and not profile.by_sender_email().any_messages_benign
// negate instances where proofpoint sends a review of a reported message via analyzer
// SPF and DMARC must both pass and a pphosted.com domain must appear in the
// headers, so the exclusion is not satisfied by the analyzer address alone
and not (
sender.email.email == "analyzer@analyzer.securityeducation.com"
and any(headers.domains, .root_domain == "pphosted.com")
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
)