
Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)

Sublime Rules

Summary
This detection rule targets Business Email Compromise (BEC) attempts that share a specific set of attributes commonly used by threat actors. It flags unsolicited emails in which the recipient's email address is the same as the sender's email address and no other recipients are listed in the CC or BCC fields, an unusual sending pattern. The rule also requires a 'reply-to' header whose domain does not match the sender's domain and instead belongs to a known free email provider, a setup attackers often use to redirect replies. The email body must contain no links, which suggests the message is a pretext for fraud rather than an attempt to deliver malware. Finally, the rule consults sender profiles: it checks whether messages from the sender were previously solicited and takes into account prior malicious or spam messages from that sender, while excluding those that were marked as false positives. Together these conditions surface low-level but potentially threatening BEC attempts so that security teams can respond promptly.
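The conditions described above, expressed as a small Python check over a raw message. This is an added example, not Sublime's rule source: it assumes a simplified sender-profile dict (`solicited`, `false_positive`) in place of Sublime's profile data, a constructed list of free-mail domains, and a constructed sample message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the free email provider list the rule relies on.
FREE_EMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Links in the body disqualify the message (rule expects a link-free pretext).
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)

# Constructed sample: sender == recipient, no CC/BCC, free-mail Reply-To, no links.
SAMPLE_BEC = """From: Jane Doe <jane.doe@example.com>
To: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe.ceo@gmail.com>
Subject: Quick request

Are you at your desk? I need you to handle a payment before noon.
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header ('' if none)."""
    addr = parseaddr(header_value or "")[1].lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def body_text(msg):
    """Concatenate all text/plain parts so links anywhere in the body count."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain"
    )


def matches_bec_rule(raw_msg, sender_profile):
    """Return True when every condition of the rule holds for the message.

    sender_profile is an assumed simplification: {"solicited": bool,
    "false_positive": bool} describing prior mail from this sender.
    """
    msg = message_from_string(raw_msg)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    reply_to_domain = domain_of(msg.get("Reply-To"))
    return all([
        not sender_profile.get("solicited", False),       # unsolicited sender
        not sender_profile.get("false_positive", False),  # no prior FP marks
        sender and sender == recipient,                   # To equals From
        not msg.get("Cc") and not msg.get("Bcc"),         # no other recipients
        reply_to_domain and reply_to_domain != domain_of(sender),
        reply_to_domain in FREE_EMAIL_DOMAINS,            # free-mail Reply-To
        not URL_RE.search(body_text(msg)),                # link-free body
    ])
```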
Categories
  • Identity Management
  • Endpoint
  • Web
Data Sources
  • User Account
  • Application Log
  • Network Traffic
  • Web Credential
Created: 2023-05-30