
Summary
This detection rule identifies potential Business Email Compromise (BEC) attempts from unsolicited senders by analyzing the email body text, sender authentication details, and headers. A natural language understanding (NLU) classifier assesses the intent of the message. The rule flags messages where the sender's email domain does not match the domain of the reply-to address, or where the DMARC and SPF authentication checks fail. To reduce false positives, it excludes messages forwarded from trusted domains (such as Gmail), since forwarding through such services legitimately breaks these checks. Messages the NLU classifier labels 'BEC' with a high confidence score receive particular scrutiny, especially when the sender is not previously known or solicited. Together, these conditions cover the social engineering tactics commonly used in BEC attacks and strengthen protection against fraud.
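The conditions described above, expressed as a small Python check over constructed message fields. This is an added illustration, not the rule's own code: the NLU confidence value, the solicited-sender flag, the 0.9 threshold and the trusted-forwarder allowlist are assumptions, and "DMARC and SPF fail" is read as both checks failing.

```python
import re
from dataclasses import dataclass

# Constructed allowlist of forwarding services whose relays legitimately break
# SPF/DMARC on forwarded mail; the rule text names Gmail as the example.
TRUSTED_FORWARDERS = {"gmail.com", "googlemail.com"}
BEC_CONFIDENCE_THRESHOLD = 0.9  # assumed cut-off for "high confidence"

@dataclass
class Message:
    from_addr: str
    reply_to: str              # empty string when the header is absent
    auth_results: str          # raw Authentication-Results header value
    nlu_bec_confidence: float  # assumed output of the NLU intent classifier
    sender_solicited: bool     # assumed: sender previously seen or replied to

def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, tolerating display names."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""

def parse_auth_results(header: str) -> dict:
    """Extract spf/dmarc verdicts and smtp.mailfrom from Authentication-Results."""
    found = re.findall(r"(spf|dmarc|smtp\.mailfrom)=([^\s;]+)", header, re.I)
    return {key.lower(): value.lower() for key, value in found}

def forwarded_via_trusted(auth: dict, from_addr: str) -> bool:
    """Exclusion: envelope sender is a trusted forwarder but the From domain is not."""
    mailfrom = _domain(auth.get("smtp.mailfrom", ""))
    return mailfrom in TRUSTED_FORWARDERS and _domain(from_addr) != mailfrom

def is_unsolicited_bec(msg: Message) -> bool:
    """True when the message satisfies every condition the rule describes."""
    if msg.sender_solicited or msg.nlu_bec_confidence < BEC_CONFIDENCE_THRESHOLD:
        return False
    auth = parse_auth_results(msg.auth_results)
    if forwarded_via_trusted(auth, msg.from_addr):
        return False  # forwarded through a trusted service: auth failure expected
    reply_to_mismatch = bool(msg.reply_to) and _domain(msg.reply_to) != _domain(msg.from_addr)
    auth_fail = auth.get("dmarc") == "fail" and auth.get("spf") == "fail"
    return reply_to_mismatch or auth_fail

# Constructed sample: lookalike reply-to domain, passing auth, high BEC confidence.
SAMPLE = Message(
    from_addr="CEO <ceo@acme.example>",
    reply_to="ceo@acme-payments.example",
    auth_results="spf=pass smtp.mailfrom=ceo@acme.example; dmarc=pass header.from=acme.example",
    nlu_bec_confidence=0.95,
    sender_solicited=False,
)
```

Calling `is_unsolicited_bec(SAMPLE)` returns True because of the reply-to mismatch; the same message relayed via a Gmail envelope sender would be excluded as a trusted forward.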
Categories
- Cloud
- Web
- Endpoint
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2023-05-27