Callback Phishing: Branded invoice from sender/reply-to domain less than 30 days old

Sublime Rules

Summary
This detection rule identifies callback-phishing attempts that use a fraudulent, brand-impersonating invoice as the lure. It targets messages whose sender domain, or whose reply-to domain where that differs from the sender domain, was registered less than 30 days ago, using WHOIS registration dates to establish domain age. The message body is run through natural language understanding to determine, with high confidence, that its topic is an invoice. The rule also looks for keywords and brand names commonly abused in these scams, both in the message text and in text recovered by OCR from attached or embedded images and screenshots, since delivering the invoice as an image is a common way to evade text-based filtering. Finally, a regex is applied to the text to find a phone number: in callback phishing the victim is urged to call that number rather than click a link, so its presence is the key social-engineering indicator. Together these checks let the rule catch impersonation of trusted companies that no single indicator would reliably expose.
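The following is an added illustration of how the signals described above combine, written here for this page; it is not Sublime's rule or its query language, and it is not production detection code. The WHOIS lookup is replaced by a constructed table of invented registration dates, the NLU invoice classifier by a simple term count, and the brand list, sample messages and OCR text are all made up for the example. It does show the structure that matters: domain age gates the verdict, and the text checks run over body and OCR output alike.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed stand-in for a WHOIS creation-date lookup; a real rule queries WHOIS
# or a cached domain-age provider. All dates and domains here are invented.
WHOIS_CREATED = {
    "paypal.com": date(1999, 7, 15),
    "contoso-billing.com": date(2023, 11, 5),
    "norton-renewals.net": date(2023, 11, 12),
}
TODAY = date(2023, 11, 20)          # pinned so the example is deterministic
MAX_DOMAIN_AGE_DAYS = 30

# Illustrative brand and invoice vocabularies (not the rule's actual lists).
BRANDS = ("paypal", "norton", "geek squad", "mcafee", "amazon")
INVOICE_TERMS = ("invoice", "receipt", "order confirmation", "payment", "renewal", "charged")
# North-American style numbers such as +1 (888) 555-0134, 1-888-555-0100 or 888.555.0134.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")


@dataclass
class Message:
    sender_domain: str
    reply_to_domain: Optional[str]
    body: str
    attachment_ocr_text: str = ""   # text an OCR pass would pull from attached images


def domain_age_days(domain: str) -> Optional[int]:
    created = WHOIS_CREATED.get(domain.lower())
    return (TODAY - created).days if created else None


def young_domain(domain: Optional[str]) -> bool:
    # Unknown age is treated as "not young": the rule needs positive evidence.
    if not domain:
        return False
    age = domain_age_days(domain)
    return age is not None and age < MAX_DOMAIN_AGE_DAYS


def invoice_like(text: str) -> bool:
    # Crude stand-in for the NLU "invoice" topic: two distinct invoice terms.
    t = text.lower()
    return sum(term in t for term in INVOICE_TERMS) >= 2


def matched_brands(text: str) -> list:
    t = text.lower()
    return [b for b in BRANDS if b in t]


def evaluate(msg: Message) -> dict:
    # Signal 1: sender domain, or a *different* reply-to domain, registered < 30 days ago.
    reply_to_differs = bool(msg.reply_to_domain) and \
        msg.reply_to_domain.lower() != msg.sender_domain.lower()
    fresh = young_domain(msg.sender_domain) or \
        (reply_to_differs and young_domain(msg.reply_to_domain))
    # Signals 2-4 run over the body and the OCR text together, so an image-only
    # invoice with the brand and phone number inside the picture is still caught.
    text = f"{msg.body}\n{msg.attachment_ocr_text}"
    brands = matched_brands(text)
    phones = PHONE_RE.findall(text)
    flagged = fresh and invoice_like(text) and bool(brands) and bool(phones)
    return {"flagged": flagged, "fresh_domain": fresh, "brands": brands, "phones": phones}


# Constructed sample messages; none of this is real mail.
SAMPLES = {
    "callback_phish": Message(
        sender_domain="contoso-billing.com",
        reply_to_domain=None,
        body=("Thank you for your payment. Your Norton 360 renewal invoice of $349.99 "
              "has been charged. To cancel call +1 (888) 555-0134 within 24 hours. Ref INV-20311"),
    ),
    "ocr_only": Message(
        sender_domain="gmail.com",                  # no WHOIS entry: age unknown
        reply_to_domain="norton-renewals.net",      # differs from sender and is 8 days old
        body="Please see the attached receipt.",
        attachment_ocr_text="PayPal invoice: Geek Squad subscription renewal $399.00. Dispute: 888.555.0199",
    ),
    "legit": Message(
        sender_domain="paypal.com",                 # long-established domain
        reply_to_domain=None,
        body="Your PayPal invoice INV-1 for $20 payment is ready. Questions? Call 1-888-555-0100.",
    ),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, evaluate(msg))
```

The "legit" sample carries a brand, invoice language and a phone number, yet is not flagged, because neither domain is young: domain age is what separates a genuine PayPal notice from a lookalike sent from a domain registered last week. Note also that the phone regex is intentionally loose and will match any 10-digit run, so in a real rule a long invoice or order number can produce a false phone hit; the domain-age and brand conditions are what keep that from becoming a false positive on its own.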
Categories
  • Endpoint
  • Web
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Network Traffic
  • Application Log
  • Image
Created: 2023-11-20