
Summary
This rule detects social-engineering fraud messages that reference a remittance payment timeline and contain links whose URL path includes a remittance component. It triggers on inbound messages when the body mentions both business days and an account, and at least one link's href_url.path includes the term remittance. Matches are further narrowed by domain risk signals: if the link's root_domain is not in the $tranco_10k list of popular domains, the rule fires; if the domain is in that list, it is only considered when it also appears in self_service_creation_platform_domains or free_file_hosts, since popular platforms that let anyone publish pages or host files can still serve attacker-controlled content. Combining body-content and URL analysis aims to surface financial fraud schemes that pressure recipients into rapid payment with a convincing timeline. The alert is categorized as medium severity, tagged BEC/Fraud and credential phishing, with a social-engineering focus.
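The rule logic described above, re-implemented in Python as an added illustration (this is not the rule's own query language or code). It assumes the domain check applies to the same link that carries the remittance path, and the domain lists, sample bodies and URLs are constructed stand-ins rather than the real $tranco_10k, platform or free-host lists.

```python
import re
from urllib.parse import urlparse

# Constructed stand-ins for the rule's domain lists; the real $tranco_10k and the
# platform / free-host lists are far larger and are not reproduced here.
TRANCO_10K = {"popular-site.example", "files.example", "sites.example"}
SELF_SERVICE_CREATION_PLATFORM_DOMAINS = {"sites.example"}
FREE_FILE_HOSTS = {"files.example"}

def root_domain(host: str) -> str:
    # Simplified registrable-domain extraction (last two labels); a rule engine
    # would use a public-suffix list, so "co.uk"-style suffixes are not handled.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def body_matches(body: str) -> bool:
    # Body must mention both "business days" and "account" (case-insensitive).
    return all(re.search(rf"\b{t}\b", body, re.I) for t in ("business days", "account"))

def link_is_risky_remittance(url: str) -> bool:
    # Per-link test: path contains "remittance" AND the domain is either unranked
    # or ranked but abusable (self-service platform / free file host).
    parsed = urlparse(url)
    if "remittance" not in parsed.path.lower():
        return False
    root = root_domain(parsed.hostname or "")
    if root not in TRANCO_10K:
        return True
    return root in SELF_SERVICE_CREATION_PLATFORM_DOMAINS or root in FREE_FILE_HOSTS

def rule_matches(message: dict) -> bool:
    return (message.get("direction") == "inbound"
            and body_matches(message.get("body", ""))
            and any(link_is_risky_remittance(u) for u in message.get("links", [])))

# Constructed sample messages, one per branch of the rule.
BODY = "Remittance is released within 3 business days once your account details are confirmed."
UNRANKED = "https://notice.invoice-update.example/remittance/view"
SAMPLES = {
    "unranked_domain":     {"direction": "inbound", "body": BODY, "links": [UNRANKED]},
    "ranked_plain_domain": {"direction": "inbound", "body": BODY,
                            "links": ["https://portal.popular-site.example/remittance"]},
    "ranked_free_host":    {"direction": "inbound", "body": BODY,
                            "links": ["https://cdn.files.example/u/42/remittance.pdf"]},
    "outbound":            {"direction": "outbound", "body": BODY, "links": [UNRANKED]},
    "no_timeline":         {"direction": "inbound", "body": "Please confirm your account.",
                            "links": [UNRANKED]},
}
def evaluate_samples() -> dict:
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}
```

Only the unranked-domain and ranked-free-host samples should alert; a popular domain with no abusable-platform signal, an outbound message, or a body without the timeline language is left alone.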
Categories
- Endpoint
- Web
- Application
Data Sources
- Domain Name
- Network Traffic
- Application Log
Created: 2026-06-05