You can make it work with the following three rules in the Issuance Authorization Rules:
Rule one allows everyone:
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
All rules are processed, so it's not an issue to have this one. Then extract the title attribute:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("temp:/title"), query = ";title;{0}", param = c.Value);
Then you deny the contractors:
c:[Type == "temp:/title", Value == "Contractor"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
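
One way to apply the three rules above to a relying party trust from PowerShell and read them back. This is an added example, not part of the original answer. The trust name and backup file path are hypothetical placeholders, and it assumes the trust uses issuance authorization rules.

```powershell
# Hypothetical trust name: replace with the display name of your relying party trust.
$rpName = 'Example Relying Party'

# The three rules from the answer, in order. @RuleName labels are added here
# only so the rules are identifiable in the AD FS management console.
$rules = @'
@RuleName = "Permit everyone"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Look up title in Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("temp:/title"), query = ";title;{0}", param = c.Value);

@RuleName = "Deny contractors"
c:[Type == "temp:/title", Value == "Contractor"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
'@

# Save the current rule set first so the change can be rolled back.
$backupPath = Join-Path $PWD 'authz-rules.backup.txt'   # hypothetical path
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules |
    Set-Content -Path $backupPath -Encoding UTF8

# Replace the issuance authorization rules on the trust.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Read back what AD FS stored to confirm all three rules parsed and were saved.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

The `==` comparison in the deny rule is an exact, case-sensitive match, so check how the title attribute is actually populated in the directory before relying on it to block access.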