
Summary
The 'PenPal Scam' detection rule identifies fraudulent messages in which the sender poses as a friend or penpal in order to exploit trust for financial gain. All of its conditions must hold for the rule to fire. The message must come from a free email provider, which scammers favour because accounts are easy to create and anonymous; the body must contain 'penpal', marking the pretext; and natural language understanding (NLU) must find a request or solicitation for money or personal information. The sender's profile is then checked: the sender must be new or classified as an outlier, and their prior message history is assessed for malicious or spam content. The message must not be a reply, and known high-trust sender domains are excluded unless the message fails DMARC authentication, since a DMARC failure from such a domain may indicate spoofing. By combining content, header and sender analysis in this way, the rule flags social engineering attempts and business email compromise (BEC) schemes that use the penpal pretext.
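The following Python is an added example that re-implements the conditions described in the summary so they can be run over sample messages; it is not the rule's own query and not the vendor's code. It makes three assumptions: the NLU step is approximated with a keyword list; the sender-profile conditions (new, outlier, prior malicious or spam) are combined with OR, which the summary leaves open; and the free-provider and high-trust domain lists, the `Message` and `SenderProfile` types, and all sample messages are constructed here for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed, illustrative lists. A real deployment would use the platform's
# maintained free-provider and high-trust sender domain lists.
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "protonmail.com"}
HIGH_TRUST_SENDER_DOMAINS = {"example-bank.com", "payroll-example.com"}

# 'penpal' or 'pen pal' in the body marks the pretext the rule targets.
PENPAL_RE = re.compile(r"\bpen\s?pals?\b", re.IGNORECASE)

# Assumption: keyword stand-in for the NLU intent classifier. Each pattern
# covers one way of asking for money or personal information.
SOLICITATION_RES = [re.compile(p, re.IGNORECASE) for p in (
    r"\b(?:send|wire|transfer)\b[^.]{0,40}\b(?:money|funds|cash)\b",
    r"\bgift\s?cards?\b",
    r"\b(?:bank|account)\s+(?:details|number)\b",
    r"\b(?:passport|social security|date of birth|home address)\b",
    r"\b(?:western union|moneygram)\b",
)]


@dataclass
class Message:
    sender: str
    body: str
    in_reply_to: Optional[str] = None   # In-Reply-To header; set means the message is a reply
    dmarc_pass: bool = True             # DMARC result recorded for the inbound message


@dataclass
class SenderProfile:
    messages_seen: int = 0                 # 0 means the sender is new to the organisation
    is_outlier: bool = False               # sender deviates from the normal sender population
    prior_malicious_or_spam: bool = False  # an earlier message from this sender was flagged


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def solicits_money_or_pii(text: str) -> bool:
    return any(r.search(text) for r in SOLICITATION_RES)


def failed_conditions(msg: Message, profile: SenderProfile) -> List[str]:
    """Return the names of the rule conditions the message does NOT satisfy.
    An empty list means every condition holds and the rule fires."""
    domain = sender_domain(msg.sender)
    failed = []
    if msg.in_reply_to:
        failed.append("is_reply")
    if domain not in FREE_EMAIL_PROVIDERS:
        failed.append("not_free_email_provider")
    if not PENPAL_RE.search(msg.body):
        failed.append("no_penpal_keyword")
    if not solicits_money_or_pii(msg.body):
        failed.append("no_solicitation")
    # Assumption: new sender, outlier sender, or bad history, combined with OR.
    if not (profile.messages_seen == 0 or profile.is_outlier or profile.prior_malicious_or_spam):
        failed.append("established_sender_with_clean_history")
    # High-trust domains are excluded only while DMARC passes; a DMARC failure
    # from such a domain is treated as possible spoofing and is not excluded.
    if domain in HIGH_TRUST_SENDER_DOMAINS and msg.dmarc_pass:
        failed.append("high_trust_sender_dmarc_pass")
    return failed


def is_penpal_scam(msg: Message, profile: SenderProfile) -> bool:
    return not failed_conditions(msg, profile)


# Constructed sample messages and sender profiles.
SCAM = Message(
    sender="lonelyfriend1987@gmail.com",
    body="Hello dear, I saw your profile on a penpal site and want us to be close friends. "
         "My mother is in hospital, please send me some money through Western Union today.",
)
BENIGN = Message(
    sender="maria.k@yahoo.com",
    body="Hi! I'm looking for a penpal to practise English with. I like hiking and cooking.",
)
SCAM_REPLY = Message(sender=SCAM.sender, body=SCAM.body, in_reply_to="<abc@example.org>")
NEW_SENDER = SenderProfile()
KNOWN_SENDER = SenderProfile(messages_seen=12)

if __name__ == "__main__":
    cases = (("scam", SCAM, NEW_SENDER), ("benign", BENIGN, NEW_SENDER),
             ("scam_reply", SCAM_REPLY, NEW_SENDER), ("scam_known_sender", SCAM, KNOWN_SENDER))
    for name, msg, prof in cases:
        print(f"{name}: fires={is_penpal_scam(msg, prof)} failed={failed_conditions(msg, prof)}")
```

Returning the list of failed conditions rather than a bare boolean is deliberate: when tuning a conjunctive rule like this one, knowing which clause suppressed a hit (a reply, an established sender, a missing keyword) is what you need to decide whether the rule or the sample is wrong.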
Categories
- Web
- Endpoint
- Network
- Cloud
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2023-11-21