Fake email quarantine notification

type.inbound
and length(body.links) < 10
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence == "high"
  )
  or (
    length(body.current_thread.text) < 250
    and any(recipients.to,
            strings.icontains(body.current_thread.text, .email.domain.sld)
            or strings.icontains(body.current_thread.text, .email.local_part)
    )
  )
)
and not (
  length(ml.nlu_classifier(body.current_thread.text).topics) == 1
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "Financial Communications" and .confidence != "low"
  )
)
and 3 of (
  strings.ilike(body.current_thread.text, "*review*"),
  strings.ilike(body.current_thread.text, "*incoming*"),
  strings.ilike(body.current_thread.text, "*release*"),
  strings.ilike(body.current_thread.text, "*quarantine*"),
  strings.ilike(body.current_thread.text, "*messages*"),
  strings.ilike(body.current_thread.text, "*server error*"),
  strings.ilike(body.current_thread.text, "*blocked*"),
  strings.ilike(body.current_thread.text, "*prevented*"),
  strings.ilike(body.current_thread.text, "*validation*"),
  strings.ilike(body.current_thread.text, "*notification*"),
  strings.ilike(body.current_thread.text, "*kindly*"),
  strings.ilike(body.current_thread.text, "*on hold*"),
  strings.ilike(body.current_thread.text, "*held*"),
  strings.ilike(body.current_thread.text, "*pending*"),
  strings.ilike(body.current_thread.text, "*stuck*"),
  strings.like(body.current_thread.text, "* MX *")
)
and (
  any(body.links,
      regex.icontains(.display_text,
                      "view",
                      "release",
                      "message",
                      "delete",
                      "recover",
                      "SSO",
                      "sign in"
      )
  )
  or (
    length(body.links) < 3
    and any(body.links,
            any(recipients.to,
                .email.domain.root_domain == ..display_url.domain.root_domain
                and ..mismatched
            )
    )
  )
)
and not any(body.links,
            regex.icontains(.display_text,
                            "view document",
                            "review (&|and) sign document"
            )
)
and sender.email.domain.root_domain not in (
  "bing.com",
  "microsoft.com",
  "microsoftonline.com",
  "microsoftsupport.com",
  "microsoft365.com",
  "office.com",
  "office365.com",
  "onedrive.com",
  "sharepointonline.com",
  "yammer.com",
  "ppops.net"
)

// negate org domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $org_domains
    and (
      not headers.auth_summary.dmarc.pass
      // MS quarantine digest emails from an org domain are router "internally" to MS, therefore, there is no authentication information
      or not (
        headers.auth_summary.dmarc.pass is null
        and all(headers.domains,
                .root_domain in ("outlook.com", "office365.com")
        )
        // typical emails from freemail Outlook accounts are from prod.outlook.com
        and strings.ends_with(headers.message_id, "protection.outlook.com>")
      )
    )
  )
  or sender.email.domain.root_domain not in $org_domains
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign