
Summary
This rule detects reconnaissance email messages characterized by suspicious recipient handling and a lack of identifiable content, consistent with an attempt to validate recipient addresses. It targets messages in which every recipient is CC'd or BCC'd, with no attachments and no recognizable links, and which carry an unusually short subject line or generic language. The rule applies further criteria that identify emails likely to precede an attack, such as a sender domain that is not among commonly trusted domains, or a failed authentication check such as DMARC. Any email meeting these conditions indicates potential preparatory steps in an attack and warrants further investigation.
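As an added illustration, not the rule's own logic or any vendor's code, the following Python sketch evaluates the criteria above over two constructed messages; the trusted-domain list, the generic-subject phrases and the 12-character subject threshold are assumptions, not values taken from the rule.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed placeholder lists; the rule's real trusted domains and phrases are not on the page.
TRUSTED_DOMAINS = {"trusted-partner.example"}
GENERIC_SUBJECTS = {"", "hi", "hello", "hey", "test", "urgent"}
MAX_SUBJECT_LEN = 12  # assumed threshold for "unusually short"
LINK_RE = re.compile(r"https?://|www\.", re.IGNORECASE)

def nobody_in_to(msg):
    """True when every recipient is CC'd, BCC'd or undisclosed (no real To: address)."""
    return not [addr for _, addr in getaddresses(msg.get_all("To", [])) if addr]

def has_attachment_or_link(msg):
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            return True
        payload = part.get_payload(decode=True) or b""  # None for multipart containers
        if LINK_RE.search(payload.decode("utf-8", "replace")):
            return True
    return False

def subject_is_generic(msg):
    subject = (msg.get("Subject") or "").strip()
    return len(subject) <= MAX_SUBJECT_LEN or subject.lower() in GENERIC_SUBJECTS

def sender_untrusted(msg):
    """Sender domain outside the trusted list, or no DMARC pass recorded by the receiving MTA."""
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    return domain not in TRUSTED_DOMAINS or "dmarc=pass" not in auth

def is_recon_email(raw):
    msg = message_from_string(raw)
    return (nobody_in_to(msg) and not has_attachment_or_link(msg)
            and subject_is_generic(msg) and sender_untrusted(msg))

# Constructed samples: a content-free probe to hidden recipients vs. an ordinary message.
RECON_SAMPLE = """From: Alex <alex@unknown-sender.example>
Cc: user1@corp.example, user2@corp.example
Subject: hi
Authentication-Results: mx.corp.example; dmarc=fail header.from=unknown-sender.example

Are you there?
"""
NORMAL_SAMPLE = """From: Pat <pat@trusted-partner.example>
To: user1@corp.example
Subject: Q3 invoice, see https://portal.trusted-partner.example

Hi, the invoice is in the portal.
"""
```

Only messages satisfying all four conditions at once are flagged, so a probe that adds a link or addresses someone in To: drops out, which is the intended precision trade-off for a rule of this kind.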
Categories
- Web
- Endpoint
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2023-12-01