
Summary
This rule detects callback scam messages delivered through Microsoft Power Apps that impersonate well‑known brands (e.g., McAfee, Norton, Geek Squad, PayPal) and steer victims toward contacting the scammer by phone. It applies to inbound messages and requires the sender to be powerapps-noreply@microsoft.com. Detection uses a multi‑path approach:
- NLP/NLU intent analysis on the message body: if any intent named "callback_scam" is present with a confidence not labeled as low, the rule triggers.
- Regex matching for brand impersonation within the message body (e.g., mcafee, norton, geeksquad, paypal, ebay, symantec, best buy, lifelock, including obfuscated spellings).
- A corroborating content cue check requiring at least three of a set of transaction/financial terms (purchase, payment, transaction, subscription, antivirus, order, support, receipt, invoice, call, cancel, renew, refund, host key).
- Phone number detection using two regex patterns applied to the body or subject to identify call‑to‑action numbers.
The rule combines sender analysis with content evaluation to differentiate legitimate Power Apps communications from social engineering attempts. When matched, the message is categorized as Callback Phishing and associated with the tactics Impersonation of Brand, Out of Band Pivot, and Social Engineering. Detection methods include Content Analysis, Natural Language Understanding, and Sender Analysis, covering both linguistic signals and sender integrity.
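The following Python is an added illustration of the detection logic described above; it is not the rule's own implementation. Everything the summary does not spell out is an assumption of this example: the obfuscation‑tolerant shape of the brand regex, the two phone‑number patterns, the shape of the upstream NLU intent records, and the decision that the brand, cue and phone signals must all be present together while the intent signal fires on its own. The sample messages are constructed, not real traffic.

```python
import re
from dataclasses import dataclass, field

REQUIRED_SENDER = "powerapps-noreply@microsoft.com"
INTENT_NAME = "callback_scam"

# Brand keywords named in the summary. The page does not show the rule's own
# regex; this obfuscation-tolerant pattern is an assumption of this example:
# up to two non-alphanumeric filler characters are allowed between letters so
# spellings such as "Mc-Afee", "pay.pal" or "best buy" are still caught.
BRANDS = ["mcafee", "norton", "geeksquad", "paypal",
          "ebay", "symantec", "bestbuy", "lifelock"]


def _tolerant(word: str) -> str:
    return r"\b" + r"[^a-z0-9]{0,2}".join(re.escape(c) for c in word) + r"\b"


BRAND_RE = re.compile("|".join(_tolerant(b) for b in BRANDS), re.IGNORECASE)

# Transaction/financial cue terms listed in the summary; at least three
# distinct terms must appear in the body. Prefix matching ("renew" in
# "renewal") is a design choice of this example.
CUE_TERMS = ["purchase", "payment", "transaction", "subscription", "antivirus",
             "order", "support", "receipt", "invoice", "call", "cancel",
             "renew", "refund", "host key"]
CUE_RE = re.compile(r"\b(?:" + "|".join(re.escape(t) for t in CUE_TERMS) + ")",
                    re.IGNORECASE)
MIN_CUES = 3

# Two phone-number patterns (assumed shapes; the page does not give them):
# a North American number with optional +1 and parentheses, and an
# international number written with a leading + and grouped digits.
PHONE_PATTERNS = [
    re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b"),
    re.compile(r"\+\d{1,3}(?:[\s.-]?\d{2,4}){2,4}\b"),
]


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    # Output of an upstream NLU stage, e.g. {"name": "callback_scam",
    # "confidence": "high"}; this record shape is an assumption.
    intents: list = field(default_factory=list)


def evaluate(msg: Message) -> dict:
    """Apply the summary's logic and return the evidence behind the verdict."""
    verdict = {"matched": False, "via": [], "brands": [], "cues": [], "phones": []}
    # Sender gate: the rule only applies to this Power Apps sender.
    if msg.sender.strip().lower() != REQUIRED_SENDER:
        return verdict

    # Path 1: NLU intent "callback_scam" with a confidence not labeled low.
    # A missing confidence label is treated as low (conservative assumption).
    intent_hit = any(i.get("name") == INTENT_NAME
                     and str(i.get("confidence", "low")).lower() != "low"
                     for i in msg.intents)

    # Paths 2-4: brand impersonation and cue density in the body, and a
    # call-to-action phone number in the body or subject.
    verdict["brands"] = sorted({m.group(0).lower() for m in BRAND_RE.finditer(msg.body)})
    verdict["cues"] = sorted({m.group(0).lower() for m in CUE_RE.finditer(msg.body)})
    text = msg.subject + "\n" + msg.body
    verdict["phones"] = [m.group(0) for p in PHONE_PATTERNS for m in p.finditer(text)]
    content_hit = (bool(verdict["brands"])
                   and len(verdict["cues"]) >= MIN_CUES
                   and bool(verdict["phones"]))

    if intent_hit:
        verdict["via"].append("nlu_intent")
    if content_hit:
        verdict["via"].append("content_signals")
    verdict["matched"] = bool(verdict["via"])
    return verdict


# Constructed sample messages (not real traffic; 555-01xx numbers are reserved).
SCAM = Message(
    sender="powerapps-noreply@microsoft.com",
    subject="Your order confirmation",
    body=("Thank you for your purchase of Norton 360 Antivirus. Your subscription "
          "renewal payment of $349.99 was processed as a transaction on your card. "
          "If you did not authorize this, call our support line at (888) 555-0199 "
          "to cancel and request a refund."),
    intents=[{"name": "callback_scam", "confidence": "high"}],
)
LEGIT = Message(
    sender="powerapps-noreply@microsoft.com",
    subject="Expense Approvals: new request",
    body="A new expense request is waiting for your review in the Expense Approvals app.",
)
WRONG_SENDER = Message(sender="billing@example.com", subject=SCAM.subject,
                       body=SCAM.body, intents=SCAM.intents)

if __name__ == "__main__":
    for label, m in [("scam", SCAM), ("legit", LEGIT), ("wrong sender", WRONG_SENDER)]:
        print(label, evaluate(m))
```

Running the block prints the verdict and the evidence (brands, distinct cue terms, phone numbers) for each sample, which is the detail an analyst wants when triaging why a Power Apps notification was flagged.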
Categories
- Application
Data Sources
- Application Log
Created: 2026-03-31