
Summary
This rule is designed to detect spoofed messages that impersonate Google Classroom notifications and contain WhatsApp contact information. These messages often aim to trick victims into communicating outside of the secured platform, facilitating social engineering attacks. The detection logic focuses on identifying inbound messages from the recognized sender email of Google Classroom, specifically looking for patterns indicative of WhatsApp invitations. The rule utilizes both textual analysis of the message body and optical character recognition (OCR) on any attachments, enhancing its effectiveness against varied formats of spoofing. The detection includes regex patterns tailored for different phone number formats and keywords that signify WhatsApp invitations. The rule also incorporates multiple detection methods, including content analysis and sender verification, to bolster accuracy and reduce false positives.
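The combination described above (Classroom sender, WhatsApp wording, and a phone number found in either the body or OCR text) can be sketched as follows. This is an added example, not the rule's own source: the sender address, both regexes, the message field names and the sample messages are assumptions constructed for illustration, and OCR text is assumed to come from an upstream step.

```python
import re

# Assumption: the address Classroom notifications are sent from; the page
# refers to "the recognized sender email" without naming it.
CLASSROOM_SENDER = "no-reply@classroom.google.com"

# Hypothetical keyword pattern: "WhatsApp", "Whats App", or a wa.me link.
WHATSAPP_RE = re.compile(r"\bwhats\s*app\b|\bwa\.me/", re.IGNORECASE)

# Hypothetical phone pattern: 9-15 digits, optional leading "+", with up to
# three separator characters (space, dot, dash, parentheses) between digits.
# On its own this also matches some date/time strings, which is why a match
# only counts together with the WhatsApp keyword.
PHONE_RE = re.compile(r"(?<![\w.])\+?\d(?:[\s().-]{0,3}\d){8,14}(?!\w)")


def detect(msg):
    """Return where the keyword and phone number were found, or None."""
    if msg.get("sender", "").strip().lower() != CLASSROOM_SENDER:
        return None  # this rule only covers mail claiming to be Classroom
    texts = {"body": msg.get("body", ""), "ocr": msg.get("ocr_text", "")}
    keyword_in = [k for k, t in texts.items() if WHATSAPP_RE.search(t)]
    phone_in = [k for k, t in texts.items() if PHONE_RE.search(t)]
    if keyword_in and phone_in:
        return {"keyword_in": keyword_in, "phone_in": phone_in}
    return None


# Constructed sample messages (reserved/fictional phone numbers).
SAMPLES = [
    {"sender": CLASSROOM_SENDER,
     "body": "Join our class group on WhatsApp: +1 (555) 010-0199"},
    {"sender": CLASSROOM_SENDER, "body": "New material posted.",
     "ocr_text": "Contact the teacher via Whats App +44 7700 900123"},
    {"sender": CLASSROOM_SENDER,
     "body": "Message me on WhatsApp, number is in the image.",
     "ocr_text": "5550100199"},
    {"sender": CLASSROOM_SENDER,
     "body": "Essay 2 is due 2025-09-03. Submit in Classroom."},
    {"sender": "teacher@example.org",
     "body": "WhatsApp me at +1 (555) 010-0199"},
]

if __name__ == "__main__":
    for i, sample in enumerate(SAMPLES):
        print(i, detect(sample))
```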
Categories
- Web
- Cloud
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2025-09-03