BEC: Financial fraud from newly registered sender domain

Sublime Rules

Summary
Detects inbound emails attempting business email compromise by correlating short-lived sender domains with content that signals financial fraud. The rule uses Whois to determine domain age and flags sender domains with days_old < 30.

It applies an NLU classifier to the message body (body.current_thread.text) to identify an intent named 'bec' and to detect topics such as 'Financial Communications' or 'Payment Information' with high confidence. It also requires explicit financial cues: banking details (e.g., account or routing numbers) or invoice references matched by regex patterns for banking data or invoice identifiers, or urgent payment language such as 'due upon receipt' or 'see attached invoice'.

Detection fires when the message either originates from an untrusted sender domain or, for a highly trusted sender domain, fails DMARC; highly trusted domains that pass DMARC are excluded.

Detection methods include Natural Language Understanding, Whois domain-age checks, content analysis (regex/strings), and header analysis to assess DMARC status. The rule is categorized as BEC/Fraud, with tactics involving social engineering and spoofing. It aims to minimize false positives by requiring strong alignment between the domain trust context and the financial content signals.
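The correlation the summary describes, written out as an added Python example (not the Sublime rule itself and not Sublime's query language). It stands in the NLU intent/topic verdict as a boolean input, replaces the Whois lookup with a constructed registration-date table, and uses assumed regex patterns for banking data and invoice identifiers; all domain names and message bodies are constructed samples.

```python
"""Illustrative re-implementation of the newly-registered-domain BEC logic.

Added example: the NLU classifier is represented by a `financial_topic`
flag supplied by the caller, Whois data is a constructed table, and the
regex patterns are assumptions, not the rule's own expressions.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed stand-in for Whois registration dates (sample values only).
WHOIS_CREATED = {
    "acme-invoicing-portal.example": date(2026, 6, 20),
    "longstanding-supplier.example": date(2015, 3, 2),
    "trusted-bank.example": date(2026, 6, 24),  # constructed: recent record for the trusted-domain branch
}
TODAY = date(2026, 6, 26)  # fixed evaluation date so results are reproducible

# Assumed list of sender domains the organisation treats as highly trusted.
HIGH_TRUST_DOMAINS = {"trusted-bank.example"}

# Assumed patterns for banking details and invoice identifiers.
BANKING_RE = re.compile(r"\b(?:account|acct|routing|aba|iban|swift)\b[^\n]{0,20}\d{6,}", re.I)
INVOICE_RE = re.compile(r"\b(?:invoice|inv)[\s#:-]*\d{3,}\b", re.I)
# Urgent-payment phrases named in the summary.
URGENCY_PHRASES = ("due upon receipt", "see attached invoice")


@dataclass
class Message:
    sender_domain: str
    body: str              # stands in for body.current_thread.text
    dmarc_pass: bool       # from header analysis (constructed input)
    financial_topic: bool  # stands in for the NLU 'bec' intent / financial topic verdict


def domain_days_old(domain: str, today: date = TODAY) -> Optional[int]:
    """Age of the sender domain in days, or None when Whois has no record."""
    created = WHOIS_CREATED.get(domain)
    return (today - created).days if created else None


def financial_cues(body: str) -> List[str]:
    """Explicit financial cues found in the body: banking data, invoice ids, urgency phrases."""
    cues = []
    if BANKING_RE.search(body):
        cues.append("banking_details")
    if INVOICE_RE.search(body):
        cues.append("invoice_reference")
    lowered = body.lower()
    cues.extend(p for p in URGENCY_PHRASES if p in lowered)
    return cues


def evaluate(msg: Message) -> Tuple[bool, List[str]]:
    """Return (fires, reasons) following the summary's conditions in order."""
    reasons = []
    age = domain_days_old(msg.sender_domain)
    if age is None or age >= 30:
        return False, ["sender domain not newly registered"]
    reasons.append(f"sender domain {age} days old")
    if not msg.financial_topic:
        return False, ["no financial intent/topic from NLU"]
    cues = financial_cues(msg.body)
    if not cues:
        return False, ["no explicit financial cues"]
    reasons.extend(cues)
    trusted = msg.sender_domain in HIGH_TRUST_DOMAINS
    if trusted and msg.dmarc_pass:
        return False, ["highly trusted domain with passing DMARC"]
    reasons.append("DMARC fail on trusted domain" if trusted else "untrusted sender domain")
    return True, reasons


# Constructed sample messages exercising each branch.
SAMPLES = {
    "new_domain_invoice": Message(
        "acme-invoicing-portal.example",
        "Please see attached invoice INV-10422, due upon receipt. Routing 021000021, account 9876543210.",
        dmarc_pass=True, financial_topic=True),
    "old_domain_invoice": Message(
        "longstanding-supplier.example",
        "Please see attached invoice INV-10422, due upon receipt.",
        dmarc_pass=True, financial_topic=True),
    "trusted_dmarc_pass": Message(
        "trusted-bank.example", "Invoice #5521 is due upon receipt.", dmarc_pass=True, financial_topic=True),
    "trusted_dmarc_fail": Message(
        "trusted-bank.example", "Invoice #5521 is due upon receipt.", dmarc_pass=False, financial_topic=True),
    "new_domain_no_cues": Message(
        "acme-invoicing-portal.example", "Can we schedule a call next week?", dmarc_pass=True, financial_topic=True),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, evaluate(sample))
```

The evaluation order mirrors the summary: the cheap Whois age gate runs first, the NLU verdict and the explicit cues must both be present, and the trust/DMARC check decides last, so a highly trusted domain with passing DMARC never fires even when every content signal is present.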
Categories
  • Network
  • Endpoint
Data Sources
  • Domain Name
  • Network Traffic
  • Script
  • Process
Created: 2026-06-26