
Summary
This detection rule identifies potential callback phishing attempts that use Google Groups as a delivery mechanism. It flags email messages containing fraudulent invoices or receipts when the sender address is at 'googlegroups.com' and the message has fewer than five attachments. The rule inspects the file types of the attachments, allowing only images and PDFs. It also uses EXIF metadata to exclude images produced by mobile-phone cameras and screenshots taken on specific devices, so that ordinary photos and screen captures do not trigger it. Machine-learning classification is applied to the content of the attachments and to the email body, looking for high-confidence indicators of callback-scam intent. Sender-domain trust levels are also considered: matches from highly trusted domains are suppressed unless the message fails DMARC checks, which adds an extra layer of scrutiny. When all of these conditions are met, the rule raises a high-severity phishing alert, helping to protect against social-engineering tactics that exploit commonly used email platforms.
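The structural checks described above, as an added illustration that is not the rule's own query language or code. The ML verdicts are assumed to come from an external classifier and are represented as booleans; the EXIF heuristics (camera `Make`, `Software` containing "screenshot") and the requirement of at least one attachment are assumptions, and all sample messages are constructed.

```python
from dataclasses import dataclass, field

IMAGE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp"}
ALLOWED_TYPES = IMAGE_TYPES | {"pdf"}


@dataclass
class Attachment:
    file_type: str
    exif: dict = field(default_factory=dict)
    # Assumed: high-confidence callback-scam verdict from an external ML classifier
    ml_callback_scam: bool = False


@dataclass
class Message:
    sender_domain: str
    attachments: list
    body_ml_callback_scam: bool = False     # assumed ML verdict on the body text
    sender_domain_highly_trusted: bool = False
    dmarc_pass: bool = True


def is_camera_or_screenshot(exif: dict) -> bool:
    """Assumed EXIF heuristic: phone cameras set Make; screenshot tools set Software."""
    make = exif.get("Make", "").lower()
    software = exif.get("Software", "").lower()
    return make in {"apple", "samsung", "google"} or "screenshot" in software


def should_alert(msg: Message) -> bool:
    """Return True when the message matches every condition in the rule summary."""
    if msg.sender_domain.lower() != "googlegroups.com":
        return False
    if not 0 < len(msg.attachments) < 5:      # fewer than five (and, assumed, at least one)
        return False
    if any(a.file_type.lower() not in ALLOWED_TYPES for a in msg.attachments):
        return False                          # only images and PDFs are in scope
    # Drop images that EXIF identifies as phone photos or screenshots
    candidates = [a for a in msg.attachments
                  if not (a.file_type.lower() in IMAGE_TYPES and is_camera_or_screenshot(a.exif))]
    if not candidates:
        return False
    if not (msg.body_ml_callback_scam or any(a.ml_callback_scam for a in candidates)):
        return False                          # no callback-scam signal anywhere
    # Highly trusted sender domains are negated unless DMARC fails
    if msg.sender_domain_highly_trusted and msg.dmarc_pass:
        return False
    return True
```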
Categories
- Web
- Cloud
- Identity Management
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2023-12-21