
Callback Phishing via Calendar Invite

Sublime Rules

Summary
The "Callback Phishing via Calendar Invite" rule detects phishing attempts delivered through calendar invites. Specifically, it analyzes the DESCRIPTION field of an incoming calendar invite for language indicating a callback phishing scam. Detection rests on several criteria: the rule identifies invitations by their content type ('text/calendar' or 'application/ics') and requires that attachments be present. It uses a regex to extract the DESCRIPTION from the invite and applies natural language understanding (NLU) to classify the detected intents, flagging those labelled 'callback_scam'. To avoid false positives, the rule considers the sender's profile, requiring that the sender's past messages have not been benign, and it also checks whether the sender's domain fails DMARC authentication unless that domain belongs to a predetermined list of highly trusted domains. This multi-faceted approach improves detection accuracy for potential callback phishing attempts.
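The checks described above, as an added Python example that is not the Sublime rule itself: it filters attachments by calendar content type, unfolds the ICS text per RFC 5545 and extracts the DESCRIPTION property (parameters and text escapes included), then applies the sender gates. The NLU 'callback_scam' intent is replaced here by a keyword heuristic (a call verb near a phone number plus billing or cancellation language); that heuristic, the sample invites, the HIGH_TRUST_DOMAINS values, and the reading that a high-trust domain only clears the check when DMARC passes are all my assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

CALENDAR_CONTENT_TYPES = {"text/calendar", "application/ics"}

# Placeholder high-trust domains (constructed; the real list is not on this page).
HIGH_TRUST_DOMAINS = {"calendar-provider.example", "trusted-vendor.example"}

# Keyword stand-in for the rule's NLU 'callback_scam' intent (assumption, not the NLU model).
CALLBACK_PATTERNS = [
    # a call verb followed within 40 chars by something shaped like a phone number
    re.compile(r"\b(call|contact|dial)\b.{0,40}?(\+?\d[\d\-\s().]{8,}\d)", re.I | re.S),
    # billing pretext
    re.compile(r"\b(subscription|invoice|charged|renew\w*|payment)\b", re.I),
    # urgency / cancellation pretext
    re.compile(r"\b(cancel|refund|dispute)\b", re.I),
]


@dataclass
class Attachment:
    content_type: str
    content: str


@dataclass
class Message:
    sender_domain: str
    dmarc_pass: bool
    sender_has_benign_history: bool  # stands in for the sender-profile check
    attachments: list = field(default_factory=list)


def unfold_ics(raw: str) -> str:
    """RFC 5545 folds long lines as CRLF followed by one space or tab; undo that."""
    return re.sub(r"\n[ \t]", "", raw.replace("\r\n", "\n"))


def extract_description(ics_text: str) -> Optional[str]:
    """Return the DESCRIPTION value (parameters such as ;LANGUAGE=en allowed), unescaped."""
    m = re.search(r"^DESCRIPTION(?:;[^:\n]*)?:(.*)$", unfold_ics(ics_text), re.M)
    if not m:
        return None
    # TEXT escapes: \n or \N -> newline, \, \; \\ -> the literal character
    return re.sub(r"\\([nN,;\\])",
                  lambda e: "\n" if e.group(1) in "nN" else e.group(1), m.group(1))


def looks_like_callback_scam(text: str) -> bool:
    """Heuristic: phone number near a call verb AND a billing or cancellation pretext."""
    hits = [bool(p.search(text)) for p in CALLBACK_PATTERNS]
    return hits[0] and (hits[1] or hits[2])


def calendar_invite_is_callback_phish(msg: Message) -> bool:
    """Apply the gates in order: invite attached, suspicious DESCRIPTION, sender checks."""
    invites = [a for a in msg.attachments if a.content_type.lower() in CALENDAR_CONTENT_TYPES]
    if not invites:
        return False
    if not any((d := extract_description(a.content)) and looks_like_callback_scam(d) for a in invites):
        return False
    if msg.sender_has_benign_history:  # established benign sender: suppress
        return False
    if msg.sender_domain.lower() in HIGH_TRUST_DOMAINS and msg.dmarc_pass:
        return False  # authenticated mail from a high-trust domain: suppress (assumed reading)
    return True


# Constructed sample invites (not real messages).
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Your subscription renewal\r\n"
    "DESCRIPTION;LANGUAGE=en:Your annual subscription has been renewed and you\r\n"
    "  will be charged $399.99\\, to cancel or dispute call +1 (555) 010-0199\\n\r\n"
    " within 24 hours.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
BENIGN_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Quarterly planning sync\r\n"
    "DESCRIPTION:Agenda review and roadmap discussion. Dial-in: +1 (555) 010-0100\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    scam = Message("random-sender.example", True, False, [Attachment("text/calendar", SAMPLE_ICS)])
    benign = Message("random-sender.example", True, False, [Attachment("text/calendar", BENIGN_ICS)])
    print("scam invite flagged:", calendar_invite_is_callback_phish(scam))
    print("benign invite flagged:", calendar_invite_is_callback_phish(benign))
```

The benign sample deliberately contains a dial-in number so the heuristic shows why a phone number alone is not enough; the folded DESCRIPTION in the scam sample shows why unfolding must happen before the regex, since the number would otherwise be split across lines.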
Categories
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Process
  • Application Log
Created: 2025-04-14