Impersonation: Australian Federal Police with criminal case language

type.inbound
and (
  strings.ilike(subject.base, '*afp*')
  or strings.ilike(subject.base, '*australian federal police*')
)
and (
  2 of (
    strings.ilike(subject.base, '*case*'),
    strings.ilike(subject.base, '*investigation*'),
    strings.ilike(subject.base, '*law enforcement*'),
    strings.ilike(subject.base, '*management*'),
    strings.ilike(subject.base, '*notice*'),
    strings.ilike(subject.base, '*reference*')
  )
)
and (
  regex.icontains(body.current_thread.text, 'investigation|correspondence')
  and regex.icontains(body.current_thread.text, 'case (?:reference|type)')
)