Spam: Fake photo share

Sublime Rules

Summary
The detection rule "Spam: Fake photo share" targets phishing messages that use social engineering and evasion techniques to lure recipients into clicking links that lead to fraudulent content. These messages typically rely on familiar phrases such as "found these photos" or "remember these photos?" to draw the recipient in. The rule's effectiveness depends on analysing the message structure, the subject line, and the links. It checks whether the message body is short, whether the current thread is empty, and whether the message contains specific keywords related to photos and images. Newly registered domains are identified through a WHOIS lookup, flagging links whose domains are less than 30 days old or for which no record is found, since such domains are frequently associated with fraudulent activity. The rule also counters evasion by confirming that the message is not embedded in a reply or forwarded structure, which raises the likelihood that it is an unsolicited, deceptive outreach attempt. Overall, the rule aims to pinpoint spam messages that exploit familiar contexts and new domains to carry out social engineering attacks.
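The checks the summary lists can be modelled as a small detector, shown here as an added Python illustration rather than Sublime's own MQL rule. The word-count threshold, the in-memory WHOIS table and the sample messages are constructed assumptions; a real deployment would query WHOIS and use the rule's actual thresholds.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed WHOIS lookup table standing in for a live WHOIS query.
# Domains absent from the table are treated as "record not found".
FAKE_WHOIS = {
    "old-gallery.example": date(2015, 3, 2),
    "fresh-pics.example": date(2024, 5, 3),
}

# Lure phrases named in the rule summary, plus generic photo keywords.
PHOTO_PHRASES = ("found these photos", "remember these photos",
                 "photos", "pictures", "images")
REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)


@dataclass
class Message:
    subject: str
    body: str
    link_domains: list
    in_reply_to: str = ""  # non-empty when the message is a reply
    thread_history: list = field(default_factory=list)  # quoted earlier mail


def domain_is_new_or_unknown(domain, today, max_age_days=30, whois=FAKE_WHOIS):
    """True if the domain is under max_age_days old or has no WHOIS record."""
    created = whois.get(domain.lower())
    if created is None:
        return True  # WHOIS record not found: treated as suspicious
    return (today - created) < timedelta(days=max_age_days)


def is_fake_photo_share(msg, today, max_body_words=40):
    """Apply the rule's conditions; max_body_words is an assumed threshold."""
    text = f"{msg.subject}\n{msg.body}".lower()
    short_body = len(msg.body.split()) <= max_body_words
    not_a_reply = not msg.in_reply_to and not REPLY_PREFIX.match(msg.subject)
    empty_thread = not msg.thread_history
    photo_lure = any(p in text for p in PHOTO_PHRASES)
    new_domain = any(domain_is_new_or_unknown(d, today) for d in msg.link_domains)
    return short_body and not_a_reply and empty_thread and photo_lure and new_domain


# Constructed sample messages; TODAY matches the rule's creation date.
TODAY = date(2024, 5, 10)
LURE = Message("remember these photos?",
               "Hey, found these photos from last summer, take a look!",
               ["fresh-pics.example"])
LEGIT_REPLY = Message("Re: remember these photos?", "Yes, I remember them!",
                      ["old-gallery.example"], in_reply_to="<msg1@example>",
                      thread_history=["earlier message in the thread"])
```

Running `is_fake_photo_share(LURE, TODAY)` flags the lure, while `LEGIT_REPLY` is cleared because it is a reply with thread history and links to an established domain.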
Categories
  • Web
  • Endpoint
  • Other
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2024-05-10