
Summary
This detection rule identifies potentially malicious emails that reference invoices or payments but show characteristics typical of phishing. It flags emails whose attachments are either missing entirely or consist solely of image files, and it inspects hyperlinks in the message body for deceptive links that pose as attachments. The rule combines keyword matching on invoice- and payment-related terms with checks for patterns that indicate phishing attempts. Specifically, it captures any email whose subject line suggests a financial transaction, such as one containing 'invoice', 'payment', or 'receipt'. It also searches for links that may mislead users, either by falsely presenting themselves as file attachments or by carrying ambiguous, payment-related display text. The body text is analyzed as well, to detect phrasing indicative of requests, especially requests that show signs of credential theft. This makes the rule particularly effective against phishing schemes whose goal is to extract sensitive credentials from users. By leveraging machine learning classifiers together with comprehensive text analysis, the rule aims to flag high-risk communications so that they can be responded to and mitigated promptly.
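The following is an added illustration of the detection logic described above, written for this page rather than taken from the rule itself or its vendor's repository. It models the four signals the summary names (financial subject keywords, missing or image-only attachments, links that pose as attachments or carry ambiguous payment wording, and credential-request phrasing in the body) as plain pattern checks; the machine learning classifier mentioned in the summary is not reproduced. The way the signals are combined into a verdict, the `Email` container, the keyword lists, and the two sample messages are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Subject keywords the summary names as indicators of a financial transaction.
FINANCIAL_SUBJECT_TERMS = ("invoice", "payment", "receipt")

# Attachment types treated as "image-only" (assumed list for this example).
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".webp")

# Link display text that impersonates a file attachment, e.g. "Invoice_48213.pdf".
FAKE_ATTACHMENT_LINK = re.compile(r"\.(pdf|docx?|xlsx?|zip|html?)$", re.IGNORECASE)

# Ambiguous payment-related display text such as "View invoice" or "Open payment".
AMBIGUOUS_PAYMENT_LINK = re.compile(
    r"\b(view|open|download|review)\s+(your\s+)?(invoice|payment|receipt|statement)\b",
    re.IGNORECASE,
)

# Body phrasing that asks the reader to authenticate, a common credential-theft lure.
CREDENTIAL_REQUEST = re.compile(
    r"\b(log ?in|sign ?in|verify|confirm)\b.*\b(credentials|password|account)\b",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Email:
    """Minimal parsed-message view; a real pipeline would populate this from MIME."""
    subject: str
    body_text: str
    attachments: List[str]               # attachment file names
    links: List[Tuple[str, str]]         # (display text, href) pairs from the body


def attachments_missing_or_image_only(attachments: List[str]) -> bool:
    """True when there are no attachments, or every attachment is an image."""
    if not attachments:
        return True
    return all(name.lower().endswith(IMAGE_EXTENSIONS) for name in attachments)


def suspicious_links(links: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return links whose display text poses as an attachment or is payment-ambiguous."""
    hits = []
    for text, href in links:
        label = text.strip()
        if FAKE_ATTACHMENT_LINK.search(label) or AMBIGUOUS_PAYMENT_LINK.search(label):
            hits.append((label, href))
    return hits


def evaluate(email: Email) -> dict:
    """Score one message. The AND/OR combination is an assumption, not the rule's own logic."""
    subject_hit = any(term in email.subject.lower() for term in FINANCIAL_SUBJECT_TERMS)
    attachment_hit = attachments_missing_or_image_only(email.attachments)
    link_hits = suspicious_links(email.links)
    credential_hit = bool(CREDENTIAL_REQUEST.search(email.body_text))
    # A financial-themed subject with no real attachment, plus either a deceptive
    # link or a credential lure in the body, is what the summary describes as high risk.
    flagged = subject_hit and attachment_hit and (bool(link_hits) or credential_hit)
    return {
        "subject_keyword": subject_hit,
        "attachments_missing_or_image_only": attachment_hit,
        "suspicious_links": link_hits,
        "credential_request": credential_hit,
        "flagged": flagged,
    }


# Constructed sample messages (not real mail) used to exercise the checks.
PHISHING_SAMPLE = Email(
    subject="Invoice #48213 payment due",
    body_text="Please sign in with your email credentials to view the invoice.",
    attachments=["logo.png"],
    links=[("Invoice_48213.pdf", "https://example.invalid/login")],
)

BENIGN_SAMPLE = Email(
    subject="Invoice #48213",
    body_text="Attached is the invoice for October. Thanks.",
    attachments=["invoice_48213.pdf"],
    links=[],
)

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, evaluate(sample))
```

In a production pipeline the `Email` fields would come from the parsed MIME structure and the rendered HTML body, and the verdict would feed the classifier and the text analysis the summary mentions rather than stand on its own. The value of keeping each signal as a separate function is that false positives can be traced to the exact check that fired.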
Categories
- Endpoint
- Web
- Application
- Cloud
- Identity Management
Data Sources
- User Account
- Web Credential
- Application Log
- Network Traffic
- Process
Created: 2024-10-22