// Inbound message where the sender addresses only themself, from a sender
// address not seen before and outside the org's own domains, with the org name
// in the subject, a small number of links, a high-confidence credential-theft
// intent in the body, and either no attachments or only inline image attachments.
type.inbound
// self sender behavior: exactly one To recipient, no Cc, and the sender address
// equals that recipient's address. NOTE(review): == is an exact comparison;
// confirm whether case differences in the address should also match.
and length(recipients.to) == 1
and length(recipients.cc) == 0
and sender.email.email == recipients.to[0].email.email
// not a self sender from an org domain ($org_domains). This rule intentionally
// does not detect spoofed org domains, to limit FPs caused by various email
// authentication issues.
and not sender.email.domain.domain in $org_domains
// sender-email profile prevalence is "new"
and profile.by_sender_email().prevalence == "new"
// org name in the subject: the NLU classifier runs on the body text with
// subject="" so the org entity is not extracted from the subject itself; the
// entity must then also appear in subject.base. Entities equal to the sender's
// own domain or SLD are excluded so the sender's own brand does not match.
and any(filter(ml.nlu_classifier(body.current_thread.text, subject="").entities,
.name == "org"
and .text != sender.email.domain.sld
and .text != sender.email.domain.domain
),
// strings.contains, not icontains: a case-sensitive substring match is intended
strings.contains(subject.base, .text)
)
// must contain at least one link, and fewer than 20 (the upper bound presumably
// excludes link-heavy mail — confirm against the intended FP profile)
and 0 < length(body.current_thread.links) < 20
// cred theft: NLU reports a high-confidence cred_theft intent for the thread text
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
// all attachments are inline images or there are 0 attachments
and (
length(attachments) == 0
// there are only image attachments and all image attachments are served inline
or (
length(attachments) > 0
and (
all(attachments,
.file_type in $file_types_images
// each image is referenced from the HTML body by its cid: (case-insensitive
// substring check against body.html.raw). NOTE(review): confirm how this
// clause evaluates when .content_id is null for an attachment — an image
// without a cid reference should not satisfy it.
and strings.icontains(body.html.raw,
strings.concat('src="cid:', .content_id)
)
)
)
)
)