Callback Phishing via SignFree E-Signature Request

Sublime Rules

Summary
This rule detects callback phishing delivered through the SignFree e-signature platform: the attacker sends a real SignFree signature request whose message body impersonates a brand and pressures the recipient to phone a number the attacker controls. Because such mail genuinely originates from the platform, the rule first confirms that the sender domain is signfree.io and that the message passes SPF or DMARC, so only mail actually sent through SignFree, not mail merely claiming to come from it, is in scope. It then requires that the body name at least one commonly impersonated brand (for example PayPal, Norton or GeekSquad), contain at least three of a set of terms common in payment-scare lures, and include a phone number, which a regular expression matches across several common formatting styles. To limit false positives, messages that use similar keywords with benign intent, such as instructions for managing a subscription, are excluded.
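The following Python is an added illustration of the detection logic described above, run over a few constructed messages; it is not the Sublime rule itself, and the brand list, lure-term list, minimum term count, phone pattern and benign-intent phrases are all hypothetical stand-ins for whatever the real rule uses. It returns each condition's outcome alongside the verdict so that a near miss is explainable.

```python
"""Added example: callback-phishing checks over constructed messages (not the Sublime rule)."""
import re
from dataclasses import dataclass

# Hypothetical keyword lists; the real rule's brand and term lists are not reproduced here.
BRANDS = ("paypal", "norton", "geeksquad", "geek squad")
LURE_TERMS = ("invoice", "renewal", "charged", "subscription",
              "refund", "cancel", "support", "call", "auto-renew")
MIN_LURE_TERMS = 3

# Phone numbers in several styles: 888-555-0142, (888) 555-0142, 888.555.0142,
# +1 888 555 0142. The digit lookarounds stop longer digit runs (order numbers,
# invoice IDs) from being read as a phone number.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)

# Hypothetical benign-intent phrases that suppress the detection.
BENIGN_RE = re.compile(
    r"\b(?:manage your subscription|update your (?:subscription|preferences))\b",
    re.IGNORECASE,
)


@dataclass
class Message:
    sender_domain: str  # domain of the sender as seen in the headers
    spf_pass: bool
    dmarc_pass: bool
    body: str


def evaluate(msg: Message) -> dict:
    """Evaluate every condition and return them with the overall verdict."""
    text = msg.body.lower()
    lure_hits = sorted(t for t in LURE_TERMS
                       if re.search(r"\b" + re.escape(t) + r"\b", text))
    phone = PHONE_RE.search(msg.body)
    checks = {
        "sender_is_signfree": msg.sender_domain.lower() == "signfree.io",
        "auth_passes": msg.spf_pass or msg.dmarc_pass,
        "brand_present": any(b in text for b in BRANDS),
        "enough_lure_terms": len(lure_hits) >= MIN_LURE_TERMS,
        "phone_present": phone is not None,
        "not_benign": BENIGN_RE.search(msg.body) is None,
    }
    return {
        "match": all(checks.values()),
        "checks": checks,
        "lure_terms": lure_hits,
        "phone": phone.group(0) if phone else None,
    }


# Constructed sample messages for this example; none are real SignFree mail.
SAMPLES = {
    "callback_phish": Message(
        "signfree.io", True, True,
        "PayPal: your annual subscription renewal of $299.99 has been charged. "
        "If you did not authorize this, call our support desk at (888) 555-0142 "
        "within 24 hours to cancel and request a refund."),
    "no_phone": Message(
        "signfree.io", True, False,
        "Norton renewal invoice attached. Your subscription was charged; reply to cancel."),
    "auth_fail": Message(
        "signfree.io", False, False,
        "GeekSquad support: call 888-555-0142 about the renewal invoice that was charged."),
    "benign_subscription": Message(
        "signfree.io", True, True,
        "Your SignFree plan renewal invoice is attached. To manage your subscription, "
        "sign in to your account; for billing questions call (888) 555-0142. PayPal accepted."),
}


def run_samples() -> dict:
    """Map each sample name to the rule's verdict."""
    return {name: evaluate(m)["match"] for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        r = evaluate(msg)
        print(f"{name:22} match={r['match']} terms={r['lure_terms']} phone={r['phone']}")
```

Only the first sample fires: the second has no phone number, the third fails both SPF and DMARC (so it is spoofed mail rather than platform abuse and belongs to a different detection), and the fourth trips the benign-intent exclusion despite containing a brand, lure terms and a phone number. The separate `checks` dictionary is what makes tuning the term list or the benign phrases practical when reviewing misses.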
Categories
  • Endpoint
  • Web
  • Cloud
  • Application
Data Sources
  • User Account
  • Web Credential
  • Process
  • Network Traffic
Created: 2025-07-26