Honorific greeting BEC attempt with sender and reply-to mismatch

Sublime Rules

Summary
This detection rule targets Business Email Compromise (BEC) attempts in which the Reply-To address does not match the sender's address, so that any reply is diverted to a mailbox the attacker controls rather than to the apparent sender. A Reply-To address at a free email provider is treated as an additional indicator, since such mailboxes are trivial for an attacker to register. The rule combines content analysis of the message body, including recognition of an honorific greeting (e.g., Mr, Mrs, Dr), with natural language understanding that identifies a request or other BEC intent. It also assesses the trustworthiness of the sending domain: a domain absent from the high-trust domain list, or one that fails DMARC authentication, is treated as untrusted. Finally, it consults the sender profile so that established senders do not produce false positives, while a sender that is new to the recipient or an outlier relative to prior mail is scrutinized. Overall, the rule is designed to catch BEC by requiring several subtle indicators together rather than relying on any single one.
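To make the rule's logic concrete, the following is an added Python example (not the Sublime rule itself, which is written in Sublime's own query language) that evaluates each of the conditions described above over a few constructed sample messages. The free-mail provider list, high-trust domain list, honorific regex, the keyword-based stand-in for the natural-language intent classifier, and the `sender_prevalence` field that stands in for the sender-profile lookup are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Illustrative reference lists (constructed for this example; the real rule
# consumes maintained lists of free-mail providers and high-trust domains).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com"}
HIGH_TRUST_DOMAINS = {"microsoft.com", "google.com", "docusign.com"}

# Honorific greeting at the top of the body, e.g. "Hi Dr. Patel," or "Dear Mrs Okafor".
HONORIFIC_GREETING = re.compile(r"\b(?:mr|mrs|ms|mx|dr|prof)\.?\s+[a-z][a-z'\-]+", re.I)

# Keyword stand-in for the rule's natural-language intent classifier (assumption:
# the real rule uses an NLU model; this regex is only a crude approximation).
REQUEST_INTENT = re.compile(
    r"\b(?:are you (?:available|free|at your desk)|i need (?:you|a favou?r)|"
    r"quick (?:task|favou?r)|gift cards?|wire transfer|urgent(?:ly)?)\b", re.I)


@dataclass
class Message:
    sender: str                  # From: address with the display name stripped
    reply_to: Optional[str]      # Reply-To: address, if the header is present
    body: str
    dmarc_pass: bool             # result of DMARC evaluation for the sending domain
    sender_prevalence: str       # "new", "outlier" or "common" (assumed sender-profile output)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def greeting_line(body: str) -> str:
    """First non-empty line of the body, where a greeting would appear."""
    for line in body.splitlines():
        if line.strip():
            return line
    return ""


def evaluate(msg: Message) -> Dict[str, bool]:
    """Apply each condition of the rule and report which fired; 'match' is their conjunction."""
    sender_dom = domain_of(msg.sender)
    reply_dom = domain_of(msg.reply_to) if msg.reply_to else sender_dom
    findings = {
        # Reply-To points somewhere other than the sending domain ...
        "reply_to_mismatch": msg.reply_to is not None and reply_dom != sender_dom,
        # ... and that somewhere is a free-mail provider an attacker can register at will.
        "reply_to_free_provider": reply_dom in FREE_EMAIL_PROVIDERS,
        "honorific_greeting": bool(HONORIFIC_GREETING.search(greeting_line(msg.body))),
        "request_intent": bool(REQUEST_INTENT.search(msg.body)),
        # Sending domain is not high-trust, or is high-trust but failed DMARC (possible spoof).
        "sender_untrusted_or_dmarc_fail": sender_dom not in HIGH_TRUST_DOMAINS or not msg.dmarc_pass,
        # Sender profile: first-time or rarely seen senders get the extra scrutiny.
        "sender_new_or_outlier": msg.sender_prevalence in ("new", "outlier"),
    }
    findings["match"] = all(findings.values())
    return findings


# Constructed sample messages (not real mail).
BEC_SAMPLE = Message(
    sender="j.morgan@example-corp.com",
    reply_to="jmorgan.ceo@gmail.com",
    body="Hi Dr. Patel,\n\nAre you available? I need you to handle a quick task for me today.\n\nSent from my iPhone",
    dmarc_pass=True,
    sender_prevalence="new",
)
BENIGN_SAMPLE = Message(
    sender="no-reply@google.com",
    reply_to=None,
    body="Hi Dr. Patel,\n\nYour calendar invitation has been updated.",
    dmarc_pass=True,
    sender_prevalence="common",
)
# Reply-To mismatch alone, with no honorific greeting or request, must not fire (false-positive guard).
NEWSLETTER_SAMPLE = Message(
    sender="editor@example-news.org",
    reply_to="editor.example@gmail.com",
    body="Hello everyone,\n\nThis week's digest is attached.",
    dmarc_pass=True,
    sender_prevalence="common",
)

if __name__ == "__main__":
    for name, m in [("bec", BEC_SAMPLE), ("benign", BENIGN_SAMPLE), ("newsletter", NEWSLETTER_SAMPLE)]:
        print(name, evaluate(m))
```

Only the constructed BEC sample satisfies every condition; the newsletter sample shows why the mismatch and free-provider indicators are not enough on their own, which is the false-positive control the rule relies on.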
Categories
  • Web
  • Endpoint
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2023-11-22