
Summary
This rule flags incoming e-mail messages that carry no content at all: an empty subject line, an empty body, and no attachments. Such messages deserve attention because they are used for reconnaissance (for example, probing which addresses accept mail), as delivery confirmations, or as one step in a multi-stage attack.

The detection logic applies several criteria together: the subject is null or empty; the body, in both its plain-text and HTML forms, is empty or consists solely of whitespace; and no attachments are present. The rule fires only when the sender is classified as uncommon, which is what separates a suspicious empty message from stray blank mail between colleagues.

The rule is rated low severity: an empty message does no harm on its own, and the uncommon-sender condition keeps false positives low, so the alert is best treated as a correlation signal to be joined with other activity from the same sender rather than as an incident in itself.
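The criteria above, run over a few constructed e-mail events, as an added example that is not the rule's own implementation. The event fields (sender, subject, body_text, body_html, attachments) and the allowlist used to decide that a sender is "uncommon" are assumptions for illustration; the page does not say how the real rule classifies senders. The example goes one step beyond the text on the HTML check: an HTML body that contains only markup such as `<br>` or `&nbsp;` renders as nothing, so the code extracts the rendered text before testing for whitespace, whereas a rule that compares the raw HTML string would miss such messages.

```python
"""Empty e-mail from an uncommon sender: worked detection example.

Added example, not the detection rule's own code. Field names, the
EmailEvent shape and the KNOWN_SENDERS allowlist are assumptions.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List, Optional


@dataclass
class EmailEvent:
    """Assumed shape of a parsed inbound e-mail event."""
    sender: str
    subject: Optional[str] = None
    body_text: Optional[str] = None
    body_html: Optional[str] = None
    attachments: List[str] = field(default_factory=list)


class _TextExtractor(HTMLParser):
    """Collects only the text nodes of an HTML document; tags are dropped and
    character references such as &nbsp; are decoded by HTMLParser itself."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: List[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def html_to_text(html: str) -> str:
    """Return the text an HTML body would render, with all markup removed."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts)


def is_blank(value: Optional[str]) -> bool:
    """True for None, the empty string, or whitespace only (including NBSP)."""
    return value is None or value.strip() == ""


# Assumed allowlist standing in for whatever sender-reputation enrichment
# the real rule uses to decide that a sender is "uncommon".
KNOWN_SENDERS = {"alice@example.com", "noreply@example.com"}


def is_uncommon_sender(sender: str, known=KNOWN_SENDERS) -> bool:
    return sender.strip().lower() not in known


def matches_empty_email_rule(ev: EmailEvent) -> bool:
    """All four criteria from the rule summary must hold at once."""
    html_text = html_to_text(ev.body_html) if ev.body_html is not None else None
    return (
        is_blank(ev.subject)
        and is_blank(ev.body_text)
        and is_blank(html_text)
        and not ev.attachments
        and is_uncommon_sender(ev.sender)
    )


def run_rule(events: List[EmailEvent]) -> List[str]:
    """Return the senders of every event the rule would alert on."""
    return [ev.sender for ev in events if matches_empty_email_rule(ev)]


# Constructed sample events, not real traffic.
SAMPLE_EVENTS = [
    EmailEvent(sender="x9q@unknown.example"),                       # truly empty, unknown sender
    EmailEvent(sender="probe@unknown.example",                       # HTML that renders to nothing
               body_html="<html><body><br>&nbsp;</body></html>"),
    EmailEvent(sender="alice@example.com"),                          # empty, but a known sender
    EmailEvent(sender="y2k@unknown.example", subject="Hi"),          # has a subject
    EmailEvent(sender="z3k@unknown.example", attachments=["a.pdf"]), # has an attachment
]

if __name__ == "__main__":
    for sender in run_rule(SAMPLE_EVENTS):
        print("ALERT empty message from uncommon sender:", sender)
```

Only the first two sample events fire; the known-sender, non-empty-subject and attachment cases are suppressed. When porting this to a real rule engine, make sure the HTML body is reduced to rendered text before the whitespace test, or blank-but-formatted messages will slip through.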
Categories
- Cloud
- Web
- Application
- Identity Management
Data Sources
- User Account
- Application Log
Created: 2026-02-26