Image as content with a link to an open redirect (unsolicited)

type.inbound
and length(body.links) < 3
and 0 < (length(attachments)) < 3
and all(attachments, (.file_type in $file_types_images))
and all(attachments, (.size > 10000))
// image is in body
and strings.icontains(body.html.raw, 'src="cid')
// sender domain matches no body domains
and all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
and (
  // body text is very short
  (
    0 <= (length(body.current_thread.text)) < 10
    or body.current_thread.text is null
  )
  or (
    length(body.current_thread.text) < 900
    // or body is most likely all warning banner (text contains the sender and common warning banner language)
    and (
      (
        strings.contains(body.current_thread.text, sender.email.email)
        and strings.contains(body.current_thread.text, 'caution')
      )
      or regex.icontains(body.current_thread.text,
                         "intended recipient's use only|external email|sent from outside|you don't often|confidential"
      )
    )
  )
)
and (
  any(body.links,
      any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))
      and .href_url.domain.root_domain not in $high_trust_sender_root_domains
  )
  or any(body.links,
         .href_url.domain.root_domain == 'sng.link'
         and strings.ilike(.href_url.query_params, "*fallback_redirect*")
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
and not profile.by_sender().prevalence == "common"