
Newly Registered Sender or Reply-To Domain with Newly Registered Linked Domain
Sublime Rules
Summary
This rule is designed to identify potential phishing or business email compromise (BEC) attempts in inbound emails that contain links and a reply-to address. The detection requires that either the sender or the reply-to domain is newly registered (30 days old or less) and that at least one domain linked in the email is also very new (14 days old or less). This targets the commonly observed tactic of using freshly registered infrastructure to evade reputation-based detection and of impersonating legitimate contacts through a reply-to mismatch. The rule triggers only when the email body contains links, a reply-to header is present, and the domain registration dates, established through WHOIS queries, fall within those windows. By combining header and URL analysis with WHOIS data, this rule aims to flag messages that could pose a risk of fraud, credential theft, or malware delivery.
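The detection logic described above, re-implemented in Python as an added example rather than the Sublime rule's own source. The WHOIS ages come from a constructed lookup table standing in for a live WHOIS query, and the sample message is constructed.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TODAY = date(2025, 7, 8)  # fixed evaluation date so the ages below are stable

# Constructed WHOIS creation dates standing in for a live WHOIS/RDAP lookup.
WHOIS_CREATED = {
    "bigcorp.example": date(2010, 1, 1),         # long-established sender domain
    "example-invoices.test": date(2025, 6, 20),  # reply-to domain, 18 days old
    "pay-now-portal.test": date(2025, 7, 1),     # linked domain, 7 days old
}

def domain_age_days(domain):
    """Age of the domain's registration in days, or None if WHOIS has no record."""
    created = WHOIS_CREATED.get(domain.lower())
    return None if created is None else (TODAY - created).days

def is_young(domain, max_days):
    """True only when a registration date is known and within max_days."""
    age = domain_age_days(domain)
    return age is not None and age <= max_days

def link_domains(body):
    """Hostnames of every http(s) link found in the message body."""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return {h for h in (urlparse(u).hostname for u in urls) if h}

def email_domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2]

def is_suspicious(raw_message):
    """True when the message matches all of the rule's conditions."""
    msg = message_from_string(raw_message)
    links = link_domains(msg.get_payload())
    reply_to = msg.get("Reply-To")
    if not links or not reply_to:  # rule needs both links and a Reply-To header
        return False
    sender_young = is_young(email_domain(msg.get("From")), 30)
    reply_young = is_young(email_domain(reply_to), 30)
    return (sender_young or reply_young) and any(is_young(d, 14) for d in links)

# Constructed sample: old sender domain, fresh Reply-To domain, fresh link domain.
SAMPLE = """From: "Accounts" <billing@bigcorp.example>
Reply-To: finance@example-invoices.test
Subject: Overdue invoice
Content-Type: text/plain

Please settle at https://pay-now-portal.test/inv/1234 today.
"""

if __name__ == "__main__":
    print("suspicious:", is_suspicious(SAMPLE))  # suspicious: True
```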
Categories
- Endpoint
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Network Traffic
- Web Credential
Created: 2025-07-08