Invoicera infrastructure abuse

Sublime Rules

Summary
This detection rule identifies potential infrastructure abuse of Invoicera, a popular SaaS invoicing platform that is misused in spam and phishing campaigns. The rule triggers on several suspicious conditions in emails sent from the invoicera.com domain: 1) recipients that are non-existent or have invalid email domains, suggesting potential spoofing; 2) suspicious links that point to known free file hosting services or to anomalous subdomains, which can indicate phishing attempts; and 3) a 'reply-to' address that differs from the sending address, which is a further red flag. The rule aims to protect users from emerging threats that use Invoicera's infrastructure for malicious purposes.
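The conditions in the summary, as an added Python example that is not the Sublime rule's source (which this page does not show): it reports which conditions a raw message matches. The host list, the domain-syntax check, the signal names and the sample messages are constructed assumptions, and the "anomalous subdomains" condition is left out because the page does not define it.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: placeholder hosts; the rule's own file-host list is not on the page.
FREE_FILE_HOSTS = {"files.example", "share.example"}
# Assumption: "invalid domain" means not a syntactically valid dotted hostname.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
URL_HOST_RE = re.compile(r"https?://([^/\s:\"'<>]+)", re.I)

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def invoicera_signals(raw):
    """Return the summary's conditions that a raw RFC 5322 message matches."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    s_dom = domain_of(sender)
    if s_dom != "invoicera.com" and not s_dom.endswith(".invoicera.com"):
        return []  # only mail sent from invoicera.com is in scope
    signals = []
    # 1) No To recipients at all, or a recipient whose domain is not valid.
    rcpts = [a for _, a in getaddresses(msg.get_all("To", [])) if a]
    if not rcpts or any(not DOMAIN_RE.match(domain_of(a)) for a in rcpts):
        signals.append("recipient_missing_or_invalid")
    # 2) A body link whose host is, or sits under, a listed free file host.
    body = " ".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                    for p in msg.walk() if not p.is_multipart())
    hosts = {h.lower() for h in URL_HOST_RE.findall(body)}
    if any(h == f or h.endswith("." + f) for h in hosts for f in FREE_FILE_HOSTS):
        signals.append("link_to_free_file_host")
    # 3) Reply-To present and different from the sending address.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != sender.lower():
        signals.append("reply_to_mismatch")
    return signals

# Constructed sample messages (not real traffic).
SAMPLE_ABUSE = ("From: Invoicera <noreply@invoicera.com>\n"
                "Reply-To: payments@mailbox.example\n"
                "Subject: Invoice due\n\n"
                "Download: https://dl.files.example/invoice.zip\n")
SAMPLE_BENIGN = ("From: Invoicera <noreply@invoicera.com>\n"
                 "To: ap@corp.example\nSubject: Invoice 1\n\n"
                 "View: https://app.invoicera.com/inv/1\n")
```

The function returns the matched signals rather than a verdict, since the summary does not say how the rule combines its conditions.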
Categories
  • Cloud
  • Web
  • Application
  • Identity Management
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2024-03-07