BEC/Fraud: Urgent Language and Suspicious Sending/Infrastructure Patterns

Sublime Rules

Summary
This detection rule identifies business email compromise (BEC) and fraud attempts by analysing inbound messages for linguistic patterns and sender characteristics that indicate social engineering. It classifies a message as suspicious from several criteria together: urgent language in the subject line (e.g., requests for immediate assistance), typical BEC phrases in the body (e.g., apologies, asking whether the recipient has a moment), and a short message body. It also checks whether the sender uses a free email domain, whether the sender is new (first seen less than 30 days ago), and recipient patterns such as undisclosed recipients or a single recipient. Finally, it examines the message headers for anomalies, such as a non-standard origin, an unusual reply-to address, or a subject line that resembles the sender's display name. These indicators are combined rather than evaluated individually, and senders that are already common in the environment are excluded, which reduces false positives and improves accuracy.
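The combination the summary describes, as an added Python example that is not Sublime's rule code: the indicator names, the word-count threshold, the free-domain and common-sender lists, the regexes, the sample messages, and the AND/OR combination are all assumptions chosen to illustrate the logic.

```python
import re
from dataclasses import dataclass, field

FREE_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}   # assumed list of free mail providers
COMMON_SENDERS = {"payroll@example.org"}                    # assumed list of senders common in the org
URGENT_SUBJECT = re.compile(r"\b(urgent|asap|quick (favou?r|request)|immediate(ly)?|need (your|a) help)\b", re.I)
BEC_PHRASES = re.compile(r"\b(sorry|apolog\w+|are you (free|available)|do you have a (moment|minute))\b", re.I)

@dataclass
class Message:                     # minimal view of an inbound message (constructed fields)
    sender: str
    display_name: str
    subject: str
    body: str
    reply_to: str
    recipients: list = field(default_factory=list)
    sender_age_days: int = 9999    # days since this sender was first seen; assumed source of "new sender"

def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def indicators(m: Message) -> dict:
    """Evaluate each indicator named in the rule summary as a boolean."""
    return {
        "urgent_subject": bool(URGENT_SUBJECT.search(m.subject)),
        "bec_body": bool(BEC_PHRASES.search(m.body)),
        "short_body": len(m.body.split()) < 40,                       # assumed threshold
        "free_domain": sender_domain(m.sender) in FREE_DOMAINS,
        "new_sender": m.sender_age_days < 30,                         # "less than 30 days old"
        "recipient_pattern": len(m.recipients) <= 1
            or any("undisclosed" in r.lower() for r in m.recipients),
        "reply_to_mismatch": sender_domain(m.reply_to) != sender_domain(m.sender),
        "subject_matches_display": m.display_name.lower() in m.subject.lower(),
    }

def is_suspicious(m: Message) -> bool:
    """Require one indicator from each group so no single signal fires alone; skip common senders."""
    if m.sender.lower() in COMMON_SENDERS:
        return False
    i = indicators(m)
    language = i["urgent_subject"] or i["bec_body"]
    sender_risk = i["free_domain"] or i["new_sender"]
    context = i["recipient_pattern"] or i["reply_to_mismatch"] or i["subject_matches_display"]
    return language and i["short_body"] and sender_risk and context

# Constructed samples: a BEC-style lure, a routine internal mail, and a lure-like mail from a common sender.
BEC_SAMPLE = Message("ceo.john.smith@gmail.com", "John Smith", "Quick favor needed",
    "Are you available? Sorry for the short notice, I need you to handle something for me today.",
    "jsmith.priv@outlook.com", ["a.clark@example.org"], sender_age_days=3)
BENIGN_SAMPLE = Message("alice@example.org", "Alice", "Q3 vendor report",
    "Please find the quarterly vendor report attached for review. " * 10, "alice@example.org",
    ["bob@example.org", "carol@example.org"], sender_age_days=400)
COMMON_SENDER_SAMPLE = Message("payroll@example.org", "Payroll", "Urgent: timesheet",
    "Sorry, are you available to confirm?", "payroll@gmail.com", ["dave@example.org"], sender_age_days=5)
```

Tuning the regexes and the 40-word threshold against real mail flow is where most of the false-positive work lives; the grouping is what keeps a single short urgent subject from a known colleague from alerting.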
Categories
  • Network
  • Endpoint
  • Web
  • Cloud
Data Sources
  • User Account
  • Application Log
  • Network Traffic
  • Process
  • Web Credential
Created: 2025-01-16