
Extortion / sextortion (untrusted sender)

Sublime Rules

Summary
This rule is designed to detect extortion and sextortion attempts by analyzing the body text of emails received from untrusted senders. It employs various techniques, including content and header analysis, natural language understanding, and sender analysis, to identify key indicators of potential scams. The rule looks for specific phrases and patterns commonly associated with extortion, such as threats, financial requests, and demands for payment in cryptocurrency. It also checks email authentication results (DMARC and SPF pass) to counter spoofed sender domains, which are common in extortion schemes. To fire, the rule requires that the email contain at most a minimal number of benign link elements together with specific linguistic cues in the content that suggest malicious intent. To keep detection robust, the rule disregards emails that resemble typical newsletters or legitimate communications, especially those containing unsubscribe options. This reduces false positives and focuses on potentially harmful messages that warrant further investigation.
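As an added illustration (this is not the rule's own MQL source, which lives in the Sublime Rules repository), the Python below re-implements the detection logic the summary describes: untrusted-sender scoping, threat/payment/cryptocurrency phrase matching, a link-count ceiling, an unsubscribe exclusion, and a DMARC/SPF check for messages that claim the recipient's own domain. The phrase lists, the `MAX_LINKS` threshold, the "own domain with DMARC pass is legitimate" exclusion, and every sample message are assumptions constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed indicator lists; the real rule relies on a larger wordlist and NLU model.
THREAT_PATTERNS = [
    r"\bi have (?:recorded|hacked|access to|compromised)\b",
    r"\b(?:webcam|camera|device|account) (?:was|has been|is) (?:hacked|infected|compromised)\b",
    r"\b(?:send|forward|release|publish) (?:the |this )?(?:video|recording|footage) to\b",
    r"\b(?:your contacts|everyone you know|your family)\b",
]
PAYMENT_PATTERNS = [
    r"\b(?:pay|transfer|send)(?: me)? \$?\d[\d,]*",  # "pay $1500", "send me 2,000"
    r"\bwithin \d+ ?(?:hours?|days?)\b",             # payment deadline
]
CRYPTO_PATTERNS = [
    r"\b(?:bitcoin|btc|monero|xmr|wallet address)\b",
    r"\bbc1[ac-hj-np-z02-9]{25,62}\b",               # bech32-shaped BTC address
    r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b",          # legacy base58-shaped BTC address
]
UNSUBSCRIBE = re.compile(
    r"\b(?:unsubscribe|manage (?:your )?(?:email )?preferences|opt[- ]?out)\b", re.I
)
MAX_LINKS = 2  # assumed threshold: extortion mails carry few or no links


@dataclass
class Message:
    sender: str                # From address as seen by the recipient
    recipient_domain: str      # the protected organisation's domain
    subject: str
    body: str
    links: list[str] = field(default_factory=list)
    dmarc_pass: bool = False
    spf_pass: bool = False


def evaluate(msg: Message, known_senders: set[str]) -> tuple[bool, list[str]]:
    """Return (is_extortion, reasons) following the summary's logic."""
    sender = msg.sender.lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    own_domain = sender_domain == msg.recipient_domain.lower()

    # Only untrusted (never-seen) senders are in scope.
    if sender in known_senders:
        return False, ["sender previously seen: out of scope"]
    # Assumption: mail claiming the org's own domain that also passes DMARC is genuine internal mail.
    if own_domain and msg.dmarc_pass:
        return False, ["own domain with DMARC pass: treated as legitimate"]
    # Newsletter-style mail with unsubscribe language is excluded to cut false positives.
    if UNSUBSCRIBE.search(msg.body):
        return False, ["unsubscribe language: newsletter-like"]
    # Extortion mail is mostly text; many links look like marketing or phishing instead.
    if len(msg.links) > MAX_LINKS:
        return False, [f"{len(msg.links)} links exceeds {MAX_LINKS}: not extortion-shaped"]

    text = f"{msg.subject}\n{msg.body}"
    reasons: list[str] = []
    categories: set[str] = set()
    for name, patterns in (("threat", THREAT_PATTERNS),
                           ("payment", PAYMENT_PATTERNS),
                           ("crypto", CRYPTO_PATTERNS)):
        hits = [p for p in patterns if re.search(p, text, re.I)]
        if hits:
            categories.add(name)
            reasons.append(f"{name}: {len(hits)} pattern(s) matched")
    # Spoofing the recipient's own domain without any passing auth is a common sextortion trait.
    if own_domain and not (msg.dmarc_pass or msg.spf_pass):
        reasons.append("claims recipient's own domain but fails DMARC and SPF")

    # A threat alone is not enough; it must be paired with a money or crypto demand.
    is_extortion = "threat" in categories and bool(categories & {"payment", "crypto"})
    return is_extortion, reasons


# Constructed sample messages and a constructed set of previously seen senders.
KNOWN_SENDERS = {"partner@vendor-example.org"}

SEXTORTION = Message(
    sender="jsmith@example.com", recipient_domain="example.com",
    subject="Your account has been compromised",
    body=("I have recorded you through your webcam. Pay $1500 in Bitcoin to "
          "bc1qexampleaddress0000000000000000000000 within 48 hours, or I send "
          "the video to your contacts."),
)
NEWSLETTER = Message(
    sender="deals@shop-example.net", recipient_domain="example.com",
    subject="Weekly deals", body="Pay $5 shipping on any order. Unsubscribe here.",
    links=["https://shop-example.net/a", "https://shop-example.net/b", "https://shop-example.net/c"],
    dmarc_pass=True, spf_pass=True,
)
INTERNAL_NOTICE = Message(
    sender="it@example.com", recipient_domain="example.com",
    subject="Your account has been compromised",
    body="Reset your password within 24 hours.", dmarc_pass=True, spf_pass=True,
)
BENIGN_UNKNOWN = Message(
    sender="alex@new-client-example.com", recipient_domain="example.com",
    subject="Shared folder", body="I have access to the folder now, can you send the report?",
    dmarc_pass=True, spf_pass=True,
)

if __name__ == "__main__":
    for label, m in (("sextortion", SEXTORTION), ("newsletter", NEWSLETTER),
                     ("internal", INTERNAL_NOTICE), ("benign unknown", BENIGN_UNKNOWN)):
        verdict, why = evaluate(m, KNOWN_SENDERS)
        print(f"{label:15} -> {'ALERT' if verdict else 'ok':5} {why}")
```

The ordering of the early exits matters in practice: the sender and newsletter exclusions run before any phrase matching, so a legitimate internal security notice that happens to say "your account has been compromised" never reaches the scoring stage, while a single threat-like phrase from an unknown but otherwise normal correspondent is not enough to alert on its own.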
Categories
  • Endpoint
  • Web
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Network Traffic
  • Process
Created: 2023-01-31