Sender: IP address in local part

Sublime Rules

Summary

This rule detects inbound messages whose sender local-part contains an IPv4 dotted-quad address, a pattern commonly used in malicious campaigns to bypass filters or appear legitimate. It applies a case-insensitive substring match against two IPv4-containing patterns on the sender's local-part (e.g., 192.168.0.1-style forms) to cover different local-part constructions. The trigger requires the inbound thread text to be longer than 100 characters, reducing noise from short messages.

To minimize false positives, the rule excludes any local-part containing report or abuse keywords and ignores messages whose NLP-based topics include Bounce Back and Delivery Failure Notifications with non-low confidence.

The rule is categorized under Attack Surface Reduction, and its detections fall under Spam, Credential Phishing, and BEC/Fraud with tactics of Evasion and Spoofing, using Sender analysis as the detection method. It is designed for processing inbound email content (e.g., at an email gateway or endpoint where sender fields and message bodies are available).

Potential limitations include the IPv4 pattern not enforcing valid octet ranges (0–255) and possible false positives for legitimate addresses that resemble IP-like local-parts; IPv6 or more obfuscated forms are not addressed. False negatives may occur if IPs are embedded differently or if the message content is truncated below 100 characters.
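The detection logic described in the summary, re-expressed as a standalone Python check over constructed sample messages. This is an added illustration, not the rule's own query language or code; the exact two IPv4 patterns the rule uses are not given on the page, so a single four-group dotted-quad regex stands in for them, and the `Message` class, its `topics` field (topic/confidence pairs with string confidence levels) and the sample addresses are all assumptions. The last sample also demonstrates the stated limitation that out-of-range octets such as 999 still match.

```python
import re
from dataclasses import dataclass, field

# Dotted-quad pattern: four 1-3 digit groups separated by dots (assumed stand-in
# for the rule's two patterns). Deliberately does NOT enforce 0-255 per octet,
# matching the limitation the summary describes.
IPV4_LIKE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")

EXCLUDED_LOCAL_PART_KEYWORDS = ("report", "abuse")
BOUNCE_TOPICS = {"Bounce Back and Delivery Failure Notifications"}
MIN_BODY_CHARS = 100  # thread text must be strictly longer than this


@dataclass
class Message:
    sender: str                 # full address, e.g. "user@example.invalid"
    body: str                   # thread text
    inbound: bool = True
    # (topic, confidence) pairs; confidence assumed to be "low"/"medium"/"high"
    topics: list = field(default_factory=list)


def local_part(address: str) -> str:
    """Return the part before the last '@' (the whole string if none)."""
    return address.rsplit("@", 1)[0] if "@" in address else address


def matches(msg: Message) -> bool:
    """Mirror the rule's conditions: inbound, long body, IP-like local-part,
    no report/abuse keyword, and no non-low-confidence bounce topic."""
    if not msg.inbound:
        return False
    if len(msg.body) <= MIN_BODY_CHARS:
        return False
    lp = local_part(msg.sender).lower()   # case-insensitive substring match
    if not IPV4_LIKE.search(lp):
        return False
    if any(keyword in lp for keyword in EXCLUDED_LOCAL_PART_KEYWORDS):
        return False
    for topic, confidence in msg.topics:
        if topic in BOUNCE_TOPICS and confidence != "low":
            return False
    return True


# Constructed sample thread text, comfortably longer than 100 characters.
LONG_BODY = (
    "Hello, please review the attached invoice and confirm payment details "
    "by end of day. Let me know if you have any questions about the order."
)

# Constructed sample messages covering each branch of the logic.
SAMPLES = {
    "ip_local_part":        Message("10.0.0.5@example.invalid", LONG_BODY),
    "abuse_keyword":        Message("abuse-192.168.0.1@example.invalid", LONG_BODY),
    "bounce_high_conf":     Message("203.0.113.7@example.invalid", LONG_BODY,
                                    topics=[("Bounce Back and Delivery Failure Notifications", "high")]),
    "bounce_low_conf":      Message("203.0.113.7@example.invalid", LONG_BODY,
                                    topics=[("Bounce Back and Delivery Failure Notifications", "low")]),
    "short_body":           Message("203.0.113.7@example.invalid", "short"),
    "outbound":             Message("203.0.113.7@example.invalid", LONG_BODY, inbound=False),
    "plain_user":           Message("alice@example.invalid", LONG_BODY),
    "out_of_range_octets":  Message("999.999.999.999@example.invalid", LONG_BODY),
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the check."""
    return {name: matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22s} -> {'MATCH' if hit else 'no match'}")
```

Running the block shows only `ip_local_part`, `bounce_low_conf` and `out_of_range_octets` firing; the last of these is exactly the range-validation gap the summary calls out, and is where an analyst would tune if IP-like but invalid local-parts turn out to be common in legitimate mail.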
Categories
  • Endpoint
Data Sources
  • Process
Created: 2026-03-13