
Summary
This detection rule identifies Business Email Compromise (BEC) or fraud attempts in which the attacker solicits the victim to continue the conversation at a free email address. It flags email messages that share a set of characteristics typical of such lures. The message body must be short (under 800 characters) and addressed to a single recipient whose email domain is not one of the organizational domains. No link in the message may match the sender's domain, and the body must reference an email address at a known free email provider. Finally, the message must come from a new, unsolicited sender and must not have been previously marked as malicious or as a false positive, which keeps established correspondence and already-triaged mail out of scope. The goal is to reduce the risk of BEC scams by flagging messages that try to steer the recipient into contact with an unverified, potentially malicious external address.
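As an added illustration (not the rule's own implementation), the same conditions applied in Python to constructed sample messages. The message schema, the organisation domains and the free-mail provider list are assumptions, and "the link does not match the sender's domain" is read here as "no link in the body resolves to the sender's registrable domain".

```python
import re

# Constructed sample values (not from the rule page): the organisation's own
# domains and a free-mail provider list, which the rule refers to only generically.
ORG_DOMAINS = {"example.org"}
FREE_MAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
MAX_BODY_LEN = 800  # "short body" threshold from the rule description

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
LINK_RE = re.compile(r"https?://([^/\s>\"']+)")

def root_domain(host):
    """Crude registrable domain: last two labels (mail.example.net -> example.net)."""
    return ".".join(host.lower().split(".")[-2:])

def addr_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def free_mail_addresses(body):
    """Addresses mentioned in the body whose domain is a known free-mail provider."""
    return [a for a in ADDR_RE.findall(body) if addr_domain(a) in FREE_MAIL_PROVIDERS]

def matches_rule(msg):
    """Apply the rule's conditions to one message (assumed dict schema: sender,
    recipients, body, is_new_sender, is_unsolicited, prior_verdict)."""
    body = msg["body"]
    if len(body) >= MAX_BODY_LEN or len(msg["recipients"]) != 1:
        return False
    if root_domain(addr_domain(msg["recipients"][0])) in ORG_DOMAINS:
        return False
    sender_root = root_domain(addr_domain(msg["sender"]))
    # No link in the body may point back to the sender's own domain.
    if any(root_domain(h) == sender_root for h in LINK_RE.findall(body)):
        return False
    if not free_mail_addresses(body):
        return False
    # Only new, unsolicited senders with no earlier verdict either way.
    return bool(msg["is_new_sender"] and msg["is_unsolicited"]
                and msg["prior_verdict"] is None)

# Constructed sample messages for a local check.
SUSPECT = {
    "sender": "ceo@example-corp.biz",
    "recipients": ["ap.clerk@example-finance.com"],
    "body": "Are you at your desk? I need a quick favour. Reply to me on ceo.office1@gmail.com.",
    "is_new_sender": True, "is_unsolicited": True, "prior_verdict": None,
}
BENIGN = dict(SUSPECT, body="Agenda attached; room details at https://example-corp.biz/agenda")
```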
Categories
- Identity Management
- Web
- Cloud
Data Sources
- User Account
- Web Credential
- Application Log
Created: 2023-11-22