Employee Impersonation: Payroll Fraud

Sublime Rules

Summary
This detection rule identifies potential payroll fraud by analyzing email messages that imitate legitimate employee communications. It triggers on unsolicited email, in particular messages that attempt to reroute payroll or change payment details. Key indicators include a sender display name that contains a space and matches an organizational display name, the absence of attachments, a small number of links in the body, and payroll-related keywords in either the body or the subject line. Threat intelligence is used to exclude mail from trusted sender domains unless the message fails DMARC checks, and the sender's profile is examined for prior malicious activity. The rule further relies on regex matching of payroll-related terms, a character limit on the length of the email thread, and checks against free email providers. It covers attack types such as Business Email Compromise (BEC) and other fraud schemes that rely on impersonation and social engineering.
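The indicators listed above, combined into a single check over a simplified message model, as an added illustration that is not the Sublime rule itself: the employee names, trusted and free-mail domains, link and thread-length thresholds, and the way the DMARC and free-mail checks are combined are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed reference data (assumptions for this example, not the rule's own lists).
ORG_DISPLAY_NAMES = {"jane doe", "sam patel"}      # display names of real employees
TRUSTED_SENDER_DOMAINS = {"example-corp.com"}     # the organisation's own domain
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
MAX_BODY_LINKS = 2        # assumed thresholds; the real rule's limits are not on the page
MAX_THREAD_CHARS = 3000
PAYROLL_RE = re.compile(
    r"\b(payroll|direct deposit|bank (account|details)|pay ?(check|cheque|stub)|routing number)\b",
    re.IGNORECASE,
)


@dataclass
class Message:
    display_name: str
    sender_domain: str
    subject: str
    body: str
    attachments: int = 0
    links: int = 0
    dmarc_pass: bool = True
    sender_previously_malicious: bool = False


def is_payroll_fraud_candidate(msg: Message) -> bool:
    """Return True only when every indicator from the rule summary holds."""
    # Mail from a trusted domain is exempt unless it fails DMARC (possible spoof)
    # or the sender profile already shows malicious history.
    if (msg.sender_domain in TRUSTED_SENDER_DOMAINS and msg.dmarc_pass
            and not msg.sender_previously_malicious):
        return False
    name = msg.display_name.strip().lower()
    # Display name must look like "First Last" and match a real employee.
    if " " not in name or name not in ORG_DISPLAY_NAMES:
        return False
    # Plain-text social engineering: no attachments, few links, a short thread.
    if msg.attachments > 0 or msg.links > MAX_BODY_LINKS:
        return False
    if len(msg.body) > MAX_THREAD_CHARS:
        return False
    # Payroll language in either the subject or the body.
    if not (PAYROLL_RE.search(msg.subject) or PAYROLL_RE.search(msg.body)):
        return False
    # Remaining senders are flagged when they use a free-mail provider,
    # failed DMARC, or have prior malicious history (assumed combination).
    return (msg.sender_domain in FREE_MAIL_DOMAINS or not msg.dmarc_pass
            or msg.sender_previously_malicious)
```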
Categories
  • Endpoint
  • Cloud
Data Sources
  • User Account
  • Web Credential
  • Application Log
Created: 2023-06-16