
Attachment: Callback Phishing solicitation via text-based file with a large unknown recipient list
Sublime Rules
Summary
This rule detects callback phishing attempts delivered through text-based file attachments. The detection logic looks for emails with a large recipient list (more than 10 recipients) whose addresses are not associated with known organizational domains or previously recognized recipients. It applies a subject-length filter (≤ 10 characters) and checks whether the body contains links: any links present must point to known domains (such as aka.ms), and messages with no links at all are still scrutinized. The presence of attachments is checked, specifically text/plain files or common document types (doc/docx), and the file contents are inspected for keywords that may signify phishing. The rule also verifies the sender's reputation by excluding commonly trusted sender domains unless they fail DMARC authentication. Together these checks aim to identify suspicious emails with characteristics typical of phishing attempts while minimizing false positives.
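The following is an added example, not the Sublime rule itself or any code from Sublime Security, that re-implements the checks described in the summary over a small constructed message model. The `Message` and `Attachment` dataclasses, the organizational and trusted-sender domain lists, and the callback-phishing keyword list are all assumptions made for illustration; only the thresholds (more than 10 recipients, subject of at most 10 characters) and the `aka.ms` known-link domain come from the summary.

```python
"""Illustrative re-implementation of the detection logic summarised above.

Added example code: this is not the Sublime rule and does not use Sublime's
MQL object model.  The message is modelled with a dataclass (assumption),
and the domain and keyword lists are constructed placeholders.
"""
from dataclasses import dataclass, field
import re

RECIPIENT_THRESHOLD = 10          # "more than 10 recipients" (from the summary)
SUBJECT_MAX_LEN = 10              # "subject length (<= 10 characters)" (from the summary)
KNOWN_LINK_DOMAINS = {"aka.ms"}   # aka.ms is the example named in the summary
ORG_DOMAINS = {"example-corp.test"}                # constructed placeholder
TRUSTED_SENDER_DOMAINS = {"trusted-vendor.test"}  # constructed placeholder
ATTACHMENT_TYPES = {                              # text/plain, doc, docx
    "text/plain",
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}
# Constructed keyword list standing in for the rule's own callback-phishing terms.
CALLBACK_KEYWORDS = re.compile(
    r"\b(invoice|subscription|renew(al|ed)?|charged|call\s+us)\b", re.I)


@dataclass
class Attachment:
    content_type: str
    text: str               # extracted file contents


@dataclass
class Message:
    sender_domain: str
    recipients: list
    subject: str
    link_domains: list      # domains of hyperlinks found in the body ([] = no links)
    attachments: list
    dmarc_pass: bool = True
    known_recipients: set = field(default_factory=set)


def large_unknown_recipient_list(msg):
    """True when more than RECIPIENT_THRESHOLD recipients are neither in an
    organizational domain nor previously recognized."""
    unknown = [r for r in msg.recipients
               if r.split("@")[-1].lower() not in ORG_DOMAINS
               and r.lower() not in msg.known_recipients]
    return len(unknown) > RECIPIENT_THRESHOLD


def links_acceptable(msg):
    """Either the body has no links at all, or every link is to a known domain."""
    return all(d.lower() in KNOWN_LINK_DOMAINS for d in msg.link_domains)


def suspicious_attachment(msg):
    """A text/plain or doc/docx attachment whose contents contain callback keywords."""
    return any(a.content_type in ATTACHMENT_TYPES and CALLBACK_KEYWORDS.search(a.text)
               for a in msg.attachments)


def sender_not_trusted(msg):
    """Trusted sender domains are excluded unless the message fails DMARC."""
    return msg.sender_domain.lower() not in TRUSTED_SENDER_DOMAINS or not msg.dmarc_pass


def evaluate(msg):
    """Return each individual check plus the overall verdict (all must hold)."""
    checks = {
        "large_unknown_recipient_list": large_unknown_recipient_list(msg),
        "short_subject": len(msg.subject) <= SUBJECT_MAX_LEN,
        "links_acceptable": links_acceptable(msg),
        "suspicious_attachment": suspicious_attachment(msg),
        "sender_not_trusted": sender_not_trusted(msg),
    }
    checks["flagged"] = all(checks.values())
    return checks


# Constructed sample messages (not real mail).
_LURE = Attachment("text/plain",
                   "Your subscription has been renewed and you were charged $399. "
                   "Call us within 24 hours to cancel.")
SAMPLE_PHISH = Message(
    sender_domain="mailer-unknown.test",
    recipients=[f"user{i}@random-domain{i}.test" for i in range(12)],
    subject="Receipt", link_domains=[], attachments=[_LURE])
SAMPLE_BENIGN = Message(
    sender_domain="trusted-vendor.test",
    recipients=["a@example-corp.test", "b@example-corp.test"],
    subject="Q2 planning", link_domains=["aka.ms"],
    attachments=[Attachment("text/plain", "Agenda attached.")])
# Same lure from a trusted domain: excluded when DMARC passes, flagged when it fails.
SAMPLE_TRUSTED_OK = Message("trusted-vendor.test", SAMPLE_PHISH.recipients,
                            "Receipt", [], [_LURE], dmarc_pass=True)
SAMPLE_TRUSTED_DMARC_FAIL = Message("trusted-vendor.test", SAMPLE_PHISH.recipients,
                                    "Receipt", [], [_LURE], dmarc_pass=False)

if __name__ == "__main__":
    for name, m in [("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN),
                    ("trusted_ok", SAMPLE_TRUSTED_OK),
                    ("trusted_dmarc_fail", SAMPLE_TRUSTED_DMARC_FAIL)]:
        print(name, evaluate(m))
```

The verdict requires every check to hold, which is what keeps a 12-recipient message from a trusted, DMARC-passing vendor out of the alerts while still flagging the same lure when DMARC fails; the per-check dictionary is returned alongside the verdict so that a tuning exercise can see which condition a false positive or false negative turned on.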
Categories
- Endpoint
- Cloud
- Other
Data Sources
- Container
- User Account
- File
- Network Traffic
- Application Log
Created: 2024-04-08