Suspicious newly registered reply-to domain with engaging financial or urgent language

type.inbound
and length(body.current_thread.text) < 5000
and any(headers.reply_to,
        // mismatched reply-to and sender domain
        .email.domain.root_domain != sender.email.domain.root_domain
        // newly registered reply-to domain
        and network.whois(.email.domain).days_old <= 30
)
// request is being made
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "request"
)
// there's financial/urgency OR a tag of medium/high confidence
and (
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name in ("financial", "urgency")
  )
  or any(ml.nlu_classifier(body.current_thread.text).tags,
         .name is not null and .confidence in ("medium", "high")
  )
)
and (
  not profile.by_sender().solicited
  
  // 
  // This rule makes use of a beta feature and is subject to change without notice
  // using the beta feature in custom rules is not suggested until it has been formally released
  // 
  or not beta.profile.by_reply_to().solicited
  
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)