
Summary
This threat detection rule targets fraudulent invoices or receipts that abuse Stripe's invoicing service, specifically those used in Callback Phishing attempts. Callback Phishing is a tactic in which attackers lure the victim into calling a phone number supplied in the message, potentially exposing them to threats such as financial theft, installation of a Remote Access Trojan (RAT), or deployment of ransomware. The detection conditions require an inbound message carrying two attachments from a sender whose domain is "stripe.com", and validate the message headers for DMARC authentication. The attachments must specifically be PDF files containing keywords indicative of phishing, such as references to Bitcoin purchases, suspicious activity, or requests that the recipient make personal contact. The use of file analysis and header analysis as detection methods enhances the reliability of the rule in characterizing and identifying this type of financial fraud. The rule ultimately helps organizations mitigate the risk of financial fraud via forged invoices and strengthens their overall security posture against targeted phishing attacks.
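The following is an added Python illustration of the detection logic described in the summary; it is not the rule's own source, which is not shown on this page. The message model, the DMARC check against the Authentication-Results header, and the keyword list (derived from the summary's "Bitcoin purchases, suspicious activity, or requests for personal contact") are all assumptions, as is the choice that every attachment must be a PDF while at least one must contain the lure wording. The sample messages are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Keyword phrases are assumed from the rule summary; the actual rule's list is not on the page.
SUSPICIOUS_PHRASES = [
    r"bitcoin",
    r"suspicious activity",
    r"contact (?:us|our)",
    r"call (?:us|our)",
]
PHRASE_RE = re.compile("|".join(SUSPICIOUS_PHRASES), re.IGNORECASE)


@dataclass
class Attachment:
    filename: str
    content_type: str
    text: str  # text already extracted from the file (constructed for this example)


@dataclass
class Message:
    direction: str               # "inbound" or "outbound"
    sender: str                  # header From address
    headers: Dict[str, str]      # hypothetical flat header map
    attachments: List[Attachment] = field(default_factory=list)


def sender_domain(addr: str) -> str:
    # Domain part of the address, lower-cased so the comparison is case-insensitive.
    return addr.rsplit("@", 1)[-1].strip().lower()


def dmarc_passed(headers: Dict[str, str]) -> bool:
    # Looks for a dmarc=pass result in the receiving MTA's Authentication-Results header.
    ar = headers.get("Authentication-Results", "")
    return re.search(r"\bdmarc=pass\b", ar, re.IGNORECASE) is not None


def is_pdf(att: Attachment) -> bool:
    return att.content_type.lower() == "application/pdf" or att.filename.lower().endswith(".pdf")


def matches_stripe_callback_phish(msg: Message) -> bool:
    """Return True when a message meets all conditions described in the rule summary."""
    if msg.direction != "inbound":
        return False
    if len(msg.attachments) != 2:
        return False
    if sender_domain(msg.sender) != "stripe.com":
        return False
    if not dmarc_passed(msg.headers):
        return False
    # Assumption: both attachments must be PDFs, and at least one carries the lure wording.
    if not all(is_pdf(a) for a in msg.attachments):
        return False
    return any(PHRASE_RE.search(a.text) for a in msg.attachments)


def sample_messages() -> Dict[str, Message]:
    # Constructed examples for demonstration only; addresses and text are made up.
    ar_pass = "mx.example.net; dkim=pass header.d=stripe.com; spf=pass; dmarc=pass header.from=stripe.com"
    lure = Attachment("invoice.pdf", "application/pdf",
                      "Invoice for Bitcoin purchase of $499.99. If you did not authorize this, "
                      "call us at the number below.")
    receipt = Attachment("receipt.pdf", "application/pdf",
                         "Receipt. Suspicious activity? Contact our support desk immediately.")
    benign = Attachment("invoice.pdf", "application/pdf",
                        "Invoice #1001 for your monthly subscription. Thank you for your business.")
    return {
        "callback_phish": Message("inbound", "invoice+statements@stripe.com",
                                  {"Authentication-Results": ar_pass}, [lure, receipt]),
        "legit_invoice": Message("inbound", "invoice+statements@stripe.com",
                                 {"Authentication-Results": ar_pass}, [benign, benign]),
        "spoofed_no_dmarc": Message("inbound", "billing@stripe.com",
                                    {"Authentication-Results": "mx.example.net; dmarc=fail"}, [lure, receipt]),
        "one_attachment": Message("inbound", "billing@stripe.com",
                                  {"Authentication-Results": ar_pass}, [lure]),
    }


def evaluate_all() -> Dict[str, bool]:
    # Runs the rule over every constructed sample and returns the verdict per sample.
    return {name: matches_stripe_callback_phish(m) for name, m in sample_messages().items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:18s} -> {'MATCH' if hit else 'no match'}")
```

Only the sample whose two PDF attachments carry the lure wording, arrive from a stripe.com sender and pass DMARC triggers the rule; the genuine-looking invoice, the message that fails DMARC and the single-attachment message all fall through one of the guards, which is what makes the DMARC and attachment-count conditions useful as false-positive controls rather than mere decoration.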
Categories
- Web
- Identity Management
- Cloud
Data Sources
- User Account
- Process
- Application Log
Created: 2023-06-08