Body: PayApp transaction reference pattern

Sublime Rules

Summary
This rule detects inbound messages whose body contains a PayApp transaction reference in the form PayApp#<digits>. It applies a case-insensitive regex for PayApp#\d+ to body.current_thread.text, requires a plausible email-like pattern (local-part@domain) to be present in the content as a signal of an email message context, and requires the subject line to contain the term payapp (case-insensitive). All three conditions must hold for the rule to fire. The combination targets Business Email Compromise (BEC) and callback phishing attempts that borrow PayApp branding and a transaction reference to look like a legitimate payment notification. Detection is purely content-based: the rule does not verify the sender or the reference itself, so a match is a signal that a PayApp-style reference appears in inbound mail, not proof of fraud. Associated attack types are Callback Phishing and BEC/Fraud; the tactics are impersonation and social engineering. The rule is labeled medium severity to reflect elevated risk without an automatic block, which makes it suited to alerting and correlation within a broader threat-hunting workflow rather than standalone enforcement.
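The following is an added Python re-implementation of the three conditions described above, run over a few constructed sample messages. It is not the rule's own MQL source and is not from the Sublime Rules project. It assumes a simplified message record with direction, subject and a body_text field standing in for body.current_thread.text, and assumes the email-like check is applied to the body text; the sample messages and the email-pattern regex are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Case-insensitive PayApp#<digits> reference, as the rule describes.
PAYAPP_REF_RE = re.compile(r"PayApp#\d+", re.IGNORECASE)

# Loose local-part@domain pattern; assumed here as the "plausible
# email-like pattern" the rule requires. Not the rule's exact regex.
EMAIL_LIKE_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Message:
    """Minimal stand-in for a Sublime message object (assumed shape)."""
    direction: str   # "inbound" or "outbound"
    subject: str
    body_text: str   # stands in for body.current_thread.text


def payapp_references(body_text: str) -> list[str]:
    """Return every PayApp#<digits> token found in the body."""
    return PAYAPP_REF_RE.findall(body_text)


def matches_payapp_reference_rule(msg: Message) -> bool:
    """All three conditions from the rule summary must hold."""
    if msg.direction != "inbound":
        return False
    if "payapp" not in msg.subject.lower():
        return False
    if not PAYAPP_REF_RE.search(msg.body_text):
        return False
    if not EMAIL_LIKE_RE.search(msg.body_text):
        return False
    return True


# Constructed sample messages (not real captures).
SAMPLES = {
    "callback_lure": Message(
        "inbound",
        "PayApp payment confirmation",
        "Your order was charged under PayApp#4481920. If you did not "
        "authorize this, reply to billing-desk@example.net or call us.",
    ),
    "subject_missing_term": Message(
        "inbound",
        "Payment confirmation",
        "Reference PayApp#4481920, contact billing-desk@example.net",
    ),
    "outbound_copy": Message(
        "outbound",
        "RE: PayApp payment confirmation",
        "Is payapp#4481920 legitimate? Asking finance@example.org",
    ),
    "no_email_like_text": Message(
        "inbound",
        "payapp notice",
        "Reference PAYAPP#99 attached, call the number on the invoice.",
    ),
}


def evaluate_samples() -> dict[str, bool]:
    """Run the rule over every sample and report which ones fire."""
    return {name: matches_payapp_reference_rule(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        refs = payapp_references(SAMPLES[name].body_text)
        print(f"{name:22} fired={fired!s:5} refs={refs}")
```

Only the first sample fires: the others each fail exactly one condition (subject term, direction, or email-like text), which illustrates why the rule is an AND of all three rather than a bare regex hit, and why a body that carries a PayApp#<digits> token alone is not enough on its own.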
Categories
  • Endpoint
  • Web
  • Application
Data Sources
  • Process
  • Domain Name
  • Web Credential
Created: 2026-03-28