Callback Phishing in body or attachment (untrusted sender)

Sublime Rules

Summary
This detection rule identifies potential callback phishing: fake receipts or invoices, sent from untrusted sources, that push the recipient to phone a number to cancel or dispute a charge. It inspects the message body and, in particular, the textual content of image and PDF attachments. The sender is first checked against a criterion for being untrusted, for example a generic address such as 'noreply' that is not accompanied by a recognized brand logo. The rule then applies Natural Language Understanding (NLU) to the body and to the attachment text to look for callback phishing intent. Certain trusted domains are excluded, as are replies from legitimate senders. The detection therefore combines several analyses: OCR to extract text from images, machine-learning semantic classification of that text, and examination of sender metadata. Together these reduce the risk from messages that masquerade as legitimate purchase confirmations and so harden the organization against callback scams.
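As an added illustration (not the rule's own MQL source, which this page does not show), the following Python sketch reimplements the logic described above over constructed sample messages: an untrusted-sender test, a keyword heuristic standing in for the NLU intent classifier, attachment text assumed to have already been recovered by OCR or PDF parsing upstream, and the reply and trusted-domain exclusions. The trusted-domain list, the "brand logo" flag, and every brand name, address and phone number below are fictitious assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical org allow-list of trusted sender domains (not the rule's own list).
TRUSTED_DOMAINS = {"example-vendor.com"}
# Generic, non-personal local parts the summary calls out.
GENERIC_LOCAL_PARTS = ("noreply", "no-reply", "donotreply", "do-not-reply")
# Attachment types whose text is assumed already extracted upstream (OCR / PDF text).
SCANNED_TYPES = {"application/pdf", "image/png", "image/jpeg"}

# Keyword stand-ins for the NLU classifier: receipt/invoice framing, a phone
# number, and an instruction to call about cancelling or refunding a charge.
INVOICE_RE = re.compile(r"\b(invoice|receipt|subscription|renew(?:al|ed)?|charged|purchase|order)\b", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALLBACK_RE = re.compile(
    r"\b(call|contact|reach|dial|phone)\b[^.\n]{0,60}?\b(cancel|refund|dispute|support|billing|help ?desk)\b", re.I)


@dataclass
class Attachment:
    filename: str
    content_type: str
    extracted_text: str  # constructed here; in practice produced by OCR / PDF parsing


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: List[Attachment] = field(default_factory=list)
    in_reply_to: Optional[str] = None
    has_brand_logo: bool = False  # assumed output of an upstream logo classifier


def sender_is_untrusted(msg: Message) -> bool:
    local, _, domain = msg.sender.lower().rpartition("@")
    if any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS):
        return False
    # As the summary describes it: a generic "noreply"-style sender counts as
    # untrusted unless the message also carries a recognized brand logo.
    if local.startswith(GENERIC_LOCAL_PARTS):
        return not msg.has_brand_logo
    return True


def callback_intent(text: str) -> bool:
    """Keyword approximation of the NLU 'callback phishing' intent."""
    return bool(INVOICE_RE.search(text) and PHONE_RE.search(text) and CALLBACK_RE.search(text))


def is_reply(msg: Message) -> bool:
    return msg.in_reply_to is not None or msg.subject.lower().startswith(("re:", "fw:", "fwd:"))


def detect_callback_phishing(msg: Message) -> Dict[str, object]:
    """Return whether the message matches and which parts triggered."""
    if is_reply(msg):
        return {"match": False, "reasons": ["reply in an existing thread"]}
    if not sender_is_untrusted(msg):
        return {"match": False, "reasons": ["trusted sender"]}
    hits = []
    if callback_intent(msg.body):
        hits.append("body")
    for att in msg.attachments:
        if att.content_type in SCANNED_TYPES and callback_intent(att.extracted_text):
            hits.append(f"attachment:{att.filename}")
    return {"match": bool(hits), "reasons": hits}


# Constructed sample messages (fictitious brand, addresses and phone numbers).
CALLBACK_TEXT = (
    "Thank you for your purchase. Your Contoso Shield subscription has been renewed "
    "and $349.99 has been charged to your card. To cancel or request a refund, call "
    "our support desk at 1-888-555-0142 within 24 hours."
)

SAMPLES = {
    "image_receipt_phish": Message(
        sender="billing@contoso-shield-renewals.example", subject="Your receipt",
        body="Please see the attached receipt.",
        attachments=[Attachment("receipt.png", "image/png", CALLBACK_TEXT)]),
    "noreply_body_phish": Message(
        sender="noreply@contoso-shield-renewals.example", subject="Payment confirmation",
        body=CALLBACK_TEXT),
    "trusted_vendor_receipt": Message(
        sender="receipts@example-vendor.com", subject="Invoice 4412",
        body="Your invoice 4412 for $20.00 was paid. Questions? Call support at 1-800-555-0199."),
    "reply_in_thread": Message(
        sender="billing@contoso-shield-renewals.example", subject="Re: Your receipt",
        body=CALLBACK_TEXT, in_reply_to="<abc123@contoso-shield-renewals.example>"),
    "benign_shipping_notice": Message(
        sender="news@some-shop.example", subject="Your order has shipped",
        body="Your order 8831 is on its way. Track it on our site."),
}


def run_samples() -> Dict[str, bool]:
    return {name: detect_callback_phishing(m)["match"] for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:24s} -> {detect_callback_phishing(msg)}")
```

The regexes are a deliberately crude substitute for semantic classification; the value of running the samples is in the ordering of the checks. The reply and trusted-sender exclusions short-circuit before any content is inspected, so the trusted vendor's genuine receipt, which carries the same "call support" wording, does not fire, while identical text arriving as an OCR'd image from an unknown domain does. Note that the exclusion also means a compromised mailbox at a trusted vendor would pass; a production deployment would pair the allow-list with an authentication check rather than trusting the domain string alone.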
Categories
  • Endpoint
  • Web
  • Cloud
Data Sources
  • User Account
  • File
  • Image
  • Network Traffic
  • Web Credential
Created: 2023-02-18