Service Abuse: Dropbox Share From New Domain

Sublime Rules

Summary
This detection rule identifies potential abuse of Dropbox share notifications in which the reply-to address belongs to a newly registered domain. It targets emails sent from 'no-reply@dropbox.com' that carry a reply-to address which has not previously been active in the organization. The rule employs an Attack Surface Reduction (ASR) technique and inspects the email headers for passing SPF and DMARC authentication, which confirms that the email genuinely comes from Dropbox's infrastructure. If the reply-to domain is less than 30 days old according to WHOIS data, the rule flags the message as a possible phishing attempt. By checking both the authenticity of the sender and the age of the reply-to domain, the rule aims to mitigate risks associated with Callback Phishing, Credential Phishing, and BEC/Fraud.
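The conditions in the summary, written out as an added Python example (not the rule's own source, which is linked from the original page). The function name, the `seen_reply_tos` set, the `whois_created` lookup table and all sample messages and domains are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr

MAX_DOMAIN_AGE = timedelta(days=30)  # threshold stated in the rule summary

def auth_passed(msg, mechanism):
    # Assumes Authentication-Results was stamped by your own receiving MTA.
    pat = re.compile(rf"\b{mechanism}=pass\b", re.I)
    return any(pat.search(h) for h in msg.get_all("Authentication-Results", []))

def is_dropbox_share_from_new_domain(raw, seen_reply_tos, whois_created, now):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if sender != "no-reply@dropbox.com" or not reply_to:
        return False
    if not (auth_passed(msg, "spf") and auth_passed(msg, "dmarc")):
        return False  # not authenticated as Dropbox; out of scope for this rule
    if reply_to in seen_reply_tos:
        return False  # reply-to already known to the organization
    created = whois_created.get(reply_to.rpartition("@")[2])
    # Missing WHOIS data does not match here; route it to a separate review.
    return created is not None and now - created < MAX_DOMAIN_AGE

# --- constructed sample data (not real messages or domains) ---
NOW = datetime(2024, 11, 13, tzinfo=timezone.utc)
WHOIS = {"fresh-invoices.example": NOW - timedelta(days=5),
         "partner.example": NOW - timedelta(days=400)}
SEEN = {"alice@partner.example"}

def sample(reply_to, spf="pass"):
    return (f"From: Dropbox <no-reply@dropbox.com>\n"
            f"Reply-To: {reply_to}\n"
            f"Authentication-Results: mx.corp.example; spf={spf} "
            f"smtp.mailfrom=dropbox.com; dmarc=pass header.from=dropbox.com\n"
            f"Subject: A file was shared with you\n\nbody\n")
```

Because the message really is sent by Dropbox, SPF and DMARC passing is a precondition here rather than a sign of safety; the signal comes from the reply-to address.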
Categories
  • Cloud
  • Web
  • Endpoint
Data Sources
  • User Account
  • Application Log
Created: 2024-11-13