
Summary
The rule detects a specific callback phishing technique that abuses legitimate Apple ID notification emails as a delivery channel. An actor sets the Apple ID display name to a scam lure (for example, a fake charge with a phone number). Apple's account-change email template embeds that display name in the greeting ("Dear [name]"), and the message is then forwarded to multiple targets via distribution groups, effectively bypassing sender reputation because the mail originates from Apple's infrastructure.

The rule focuses on inbound messages originating from appleid@id.apple.com. It extracts the name value from the greeting by locating the email-body HTML segment and applying an NLU classifier to the first line. If the NLU declares a callback_scam intent, the rule triggers. If the NLU misses, the rule falls back on compensating heuristics:
- (a) a line containing a number and a sequence of uppercase letters (across languages);
- (b) the common phrase "If not you call";
- (c) the first line ending in a phone number;
- (d) a mailto link whose local-part starts with "apple" or whose domain is newly registered (e.g., days_old < 30) and is not one of the organization's domains.

The rule also checks that the recipient's domain is not a trusted org domain, to reduce false positives. In short, the rule combines content analysis, NLU classification of the greeting line, and sender/link analysis (Apple's mailer and mailto domain patterns) to detect this bypass attack with high severity.
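As an added example (not the rule's own code, which is not on this page), the sender, greeting and mailto checks described above, run over constructed sample messages. The NLU classifier is represented by an optional callable, and the domain-age lookup and trusted org-domain set are assumed inputs.

```python
import re
from html import unescape

APPLE_MAILER = "appleid@id.apple.com"
PHONE_AT_END_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d\s*$")
MAILTO_RE = re.compile(r'href="mailto:([^"?]+)"', re.I)

# Constructed samples (not real Apple mail): the account-change greeting carrying a
# scam lure as the display name, and a benign greeting with an ordinary name.
LURE_HTML = ("<html><body><p>Dear Charged $499.99 for ICLOUD PLUS, "
             "If not you call 1-888-555-0199</p><p>Your Apple ID was updated. "
             'Questions? <a href="mailto:apple.support@billing-help.example">'
             "Contact us</a></p></body></html>")
BENIGN_HTML = "<html><body><p>Dear Jane Appleseed</p><p>Your Apple ID was updated.</p></body></html>"

def greeting_line(html):
    """First non-empty text line of the HTML body, i.e. Apple's 'Dear [name]' greeting."""
    text = re.sub(r"<[^>]+>", "\n", unescape(html))
    return next((ln.strip() for ln in text.splitlines() if ln.strip()), "")

def callback_phish_reasons(sender, recipient, html, org_domains, domain_age_days, nlu=None):
    """Return the rule conditions that fire (empty list = no detection). domain_age_days is a
    {domain: days since registration} lookup (unknown domains count as old); nlu is an optional
    callable returning an intent label, standing in for the rule's NLU classifier (assumed)."""
    if sender.lower() != APPLE_MAILER:
        return []
    if recipient.rsplit("@", 1)[-1].lower() in org_domains:
        return []  # recipient domain is a trusted org domain: suppressed to limit false positives
    greeting = greeting_line(html)
    reasons = []
    if nlu is not None and nlu(greeting) == "callback_scam":
        reasons.append("nlu:callback_scam")
    # (a) a digit plus a run of uppercase letters; str.isupper() is Unicode-aware
    words = re.findall(r"[^\W\d_]+", greeting)
    if re.search(r"\d", greeting) and any(w.isupper() and len(w) >= 3 for w in words):
        reasons.append("number_and_uppercase_run")
    # (b) the stock phrase these lures use
    if "if not you call" in greeting.lower():
        reasons.append("if_not_you_call")
    # (c) the greeting line ends in a phone number
    if PHONE_AT_END_RE.search(greeting):
        reasons.append("ends_with_phone")
    # (d) mailto links with an "apple..." local-part or a newly registered, non-org domain
    for addr in MAILTO_RE.findall(html):
        local, _, domain = addr.lower().partition("@")
        if local.startswith("apple"):
            reasons.append(f"mailto_local_apple:{addr}")
        elif domain_age_days.get(domain, 10**6) < 30 and domain not in org_domains:
            reasons.append(f"mailto_new_domain:{addr}")
    return reasons
```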
Categories
- Endpoint
- Web
Data Sources
- Process
- Network Traffic
- Application Log
Created: 2026-04-09