
Summary
This detection rule identifies fraudulent callback phishing messages that exploit Microsoft's legitimate email infrastructure. Specifically, it targets messages originating from 'microsoftonline.com' that authentication checks such as SPF and DMARC do not stop. The message content typically uses persuasive phrases common in scams, including references to purchases, payments, subscriptions, and support services, and usually embeds a phone number to lure recipients into calling the scammers. The rule combines natural language processing, which analyzes the text for known scam intents, with matching on specific keywords. By checking for these patterns together with the presence of a phone number in the body or subject line, it flags potential phishing attempts before they reach the user. The rule falls under callback phishing attacks and combines several detection methods, including content analysis, natural language understanding, and sender analysis, to improve its accuracy.
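The following is an added illustration of the detection logic described above, not the rule's own code: it models the sender-domain check, the scam-keyword and phone-number checks over subject and body, and records the SPF/DMARC outcome without letting it clear the message. The keyword list, the phone-number pattern, and the `Message` fields are constructed assumptions standing in for the rule's natural language understanding.

```python
import re
from dataclasses import dataclass

# Constructed list of scam-intent terms named in the rule summary (not the rule's own list).
SCAM_TERMS = ("purchase", "payment", "subscription", "support", "invoice", "renewal", "charged")
# Constructed North American phone-number pattern, e.g. "+1 (800) 555-0123" or "800-555-0123".
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
TARGET_DOMAIN = "microsoftonline.com"


@dataclass
class Message:
    """Minimal stand-in for a parsed message (assumed field names)."""
    sender_domain: str
    subject: str
    body: str
    spf_pass: bool
    dmarc_pass: bool


def sender_root_domain(domain: str) -> str:
    """Reduce a sender domain such as account.microsoftonline.com to its root domain."""
    parts = domain.lower().strip().split(".")
    return ".".join(parts[-2:])


def scam_terms_found(text: str) -> list:
    """Return the scam-intent terms present in the text, sorted for stable output."""
    lowered = text.lower()
    return sorted(t for t in SCAM_TERMS if t in lowered)


def phone_numbers_found(text: str) -> list:
    """Return every phone-number-shaped string in the text."""
    return PHONE_RE.findall(text)


def is_callback_phish(msg: Message):
    """Return (flagged, reasons) for one message, mirroring the rule's three checks."""
    reasons = []
    if sender_root_domain(msg.sender_domain) != TARGET_DOMAIN:
        return False, reasons                      # sender analysis: wrong domain
    text = msg.subject + "\n" + msg.body
    terms = scam_terms_found(text)                 # content analysis: scam intent
    phones = phone_numbers_found(text)             # content analysis: callback number
    if not terms or not phones:
        return False, reasons
    reasons.append(f"sender root domain is {TARGET_DOMAIN}")
    reasons.append("scam terms: " + ", ".join(terms))
    reasons.append(f"{len(phones)} phone number(s) in subject/body")
    # SPF/DMARC results are kept for the analyst but do not clear the message,
    # because the messages the rule targets are not stopped by those checks.
    reasons.append(f"spf_pass={msg.spf_pass} dmarc_pass={msg.dmarc_pass}")
    return True, reasons
```

A 10-digit order or reference number also matches the constructed phone pattern, so a production rule would narrow that regex or rely on its NLU component for the phone-number signal.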
Categories
- Cloud
- Web
- Endpoint
- Identity Management
Data Sources
- User Account
- Web Credential
- Application Log
Created: 2025-08-02