
Summary
This rule identifies callback phishing attempts that abuse Zoho Invoice to deliver fraudulent invoices. It evaluates inbound messages whose sender domain is 'zohoinvoice.com' and which pass SPF or DMARC authentication. Because the attacker sends through a genuine Zoho Invoice account, the message is authentic at the transport level, so the rule cannot rely on an authentication failure and instead keys on the content of the lure. The message must either carry no attachments or carry a PDF attachment whose text contains purchase or payment keywords together with phrases signalling urgency or support. The subject and body are then checked with a regular expression for phone number patterns (the callback lure), and occurrences of known brand names are counted, with at least one recognized brand required. Combining these signals catches the more sophisticated campaigns that use a legitimate invoicing service as a facade, while the brand and phone-number requirements keep ordinary invoices sent through Zoho from matching.
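The following is an added illustration, not the rule's own source or any vendor's code, showing the detection logic described above run over a few constructed sample messages. It assumes a simple message model in which SPF/DMARC results and attachment text have already been extracted upstream; the brand list, keyword lists, urgency phrases and phone regex are hypothetical stand-ins for whatever the real rule uses.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical term lists; the page does not show the rule's actual lists.
SENDER_DOMAIN = "zohoinvoice.com"
PDF_KEYWORDS = ("purchase", "payment")
URGENCY_OR_SUPPORT = ("immediately", "urgent", "within 24 hours", "support", "helpline", "call us", "call")
BRANDS = ("norton", "mcafee", "geek squad", "paypal", "microsoft", "amazon", "apple")

# North American numbers with optional country code; applied to subject and body only.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")


@dataclass
class Attachment:
    file_name: str
    content_type: str
    text: str  # text extracted from the attachment (extraction assumed done upstream)


@dataclass
class Message:
    sender_email: str
    spf_pass: bool
    dmarc_pass: bool
    subject: str
    body: str
    attachments: List[Attachment] = field(default_factory=list)


def sender_domain(msg: Message) -> str:
    return msg.sender_email.rpartition("@")[2].lower()


def has_phone_number(text: str) -> bool:
    return PHONE_RE.search(text) is not None


def count_brands(text: str) -> int:
    lowered = text.lower()
    return sum(lowered.count(b) for b in BRANDS)


def pdf_matches(att: Attachment) -> bool:
    """PDF whose text carries a purchase/payment keyword AND an urgency/support phrase."""
    if att.content_type != "application/pdf" and not att.file_name.lower().endswith(".pdf"):
        return False
    text = att.text.lower()
    return any(k in text for k in PDF_KEYWORDS) and any(p in text for p in URGENCY_OR_SUPPORT)


def is_callback_phish(msg: Message) -> bool:
    # 1. Exact sender domain match AND SPF or DMARC pass. Authentication is expected to
    #    pass because the attacker uses a real Zoho account, so this gate only filters
    #    out spoofed mail; the remaining signals do the actual detection.
    if sender_domain(msg) != SENDER_DOMAIN or not (msg.spf_pass or msg.dmarc_pass):
        return False
    # 2. Either no attachments at all, or at least one PDF matching the keyword/urgency test.
    if msg.attachments and not any(pdf_matches(a) for a in msg.attachments):
        return False
    # 3. Callback lure: a phone number in the subject or body.
    text = f"{msg.subject}\n{msg.body}"
    if not has_phone_number(text):
        return False
    # 4. At least one impersonated brand named in the subject or body.
    return count_brands(text) >= 1


# Constructed samples (not real captures).
SAMPLES: Dict[str, Message] = {
    "callback_no_attachment": Message(
        sender_email="invoice@zohoinvoice.com", spf_pass=True, dmarc_pass=True,
        subject="Invoice #48213 from Norton LifeLock",
        body="Your purchase of $399.99 has been processed. To cancel or dispute this charge, "
             "call support at +1 (888) 555-0142 within 24 hours.",
    ),
    "callback_pdf": Message(
        sender_email="invoice@zohoinvoice.com", spf_pass=False, dmarc_pass=True,
        subject="Geek Squad renewal confirmation",
        body="Your renewal invoice is attached. Questions? Call 1-800-555-0199.",
        attachments=[Attachment("invoice.pdf", "application/pdf",
                                "Thank you for your purchase. Payment of $499.00 was charged. "
                                "Contact support immediately if you did not authorise this.")],
    ),
    "legit_invoice": Message(
        sender_email="invoice@zohoinvoice.com", spf_pass=True, dmarc_pass=True,
        subject="Invoice 1001 from Acme Plumbing",
        body="Please find your invoice attached. Payment is due in 30 days.",
        attachments=[Attachment("inv-1001.pdf", "application/pdf",
                                "Invoice 1001. Total due: $120.00. Payment due in 30 days.")],
    ),
    "spoofed_sender": Message(
        sender_email="billing@zohoinvoice.com", spf_pass=False, dmarc_pass=False,
        subject="McAfee invoice",
        body="Call +1 (866) 555-0117 to cancel your subscription.",
    ),
}


def evaluate_samples() -> Dict[str, bool]:
    return {name: is_callback_phish(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:24} -> {'MATCH' if verdict else 'no match'}")
```

The two lures match, the plumbing invoice does not (no phone number, no brand, and its PDF lacks urgency wording), and the spoofed message is dropped at the authentication gate. Note that the spoofed case is the one a plain "sender looks like Zoho" check would get wrong in the opposite direction: the rule deliberately requires authentication to pass, because the threat it targets is a real Zoho tenant being abused, not a forged From header.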
Categories
- Cloud
- Web
- Endpoint
Data Sources
- User Account
- Process
- Network Traffic
- Application Log
Created: 2025-01-10