
Service Abuse: Payoneer Callback Scam

Sublime Rules

Summary
The detection rule targets fraudulent callback scams that abuse Payoneer's invoicing service, in which attackers send deceptive invoices or receipts by email. The goal of such messages is to lure the recipient into calling a supplied phone number, which can lead to financial theft, Remote Access Trojan (RAT) installation, or ransomware deployment. The rule inspects inbound messages that originate from the payoneer.com domain and checks the email body for patterns characteristic of the scam, such as phone numbers written in various formats (e.g., xxx-xxx-xxxx, (xxx) xxx-xxxx). It also looks for phrases commonly associated with phishing attempts, such as requests to contact support or notices about an unusual transaction, to improve detection accuracy. Detection combines sender analysis, header analysis, and content analysis to identify such messages.
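As an added illustration, not the rule's own code (Sublime rules are written in their own query language), the following Python approximates the logic described above over constructed sample messages; the message schema, the phone-number regex and the lure-phrase list are assumptions.

```python
import re

# Assumed patterns: US-style numbers in the formats the summary names
# (xxx-xxx-xxxx, (xxx) xxx-xxxx, dots or spaces as separators, optional +1).
# Separators are optional, so a bare 10-digit run also matches; treat that as
# a known false-positive source (e.g. long reference numbers).
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?(?:\(\d{3}\)|\d{3})[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)
# Assumed lure phrases of the kind the summary describes.
PHRASE_RE = re.compile(
    r"contact\s+(?:our\s+)?(?:customer\s+)?support"
    r"|unusual\s+(?:transaction|activity)"
    r"|call\s+(?:us|the\s+number\s+below)"
    r"|(?:cancel|dispute)\s+(?:this\s+)?(?:charge|order|subscription)",
    re.IGNORECASE,
)

def analyze(message: dict) -> dict:
    """Return a verdict and the evidence behind it.
    Constructed schema: 'direction', 'sender_domain' (from the From header), 'body'."""
    sender = message["sender_domain"].lower()
    from_payoneer = sender == "payoneer.com" or sender.endswith(".payoneer.com")
    phones = [m.group(0) for m in PHONE_RE.finditer(message["body"])]
    phrases = sorted({m.group(0).lower() for m in PHRASE_RE.finditer(message["body"])})
    # All three signals must coincide: legitimate Payoneer mail rarely carries
    # a phone number together with "unusual transaction"-style urgency.
    flagged = message["direction"] == "inbound" and from_payoneer and bool(phones) and bool(phrases)
    return {"flagged": flagged, "phones": phones, "phrases": phrases}

# Constructed sample messages (555-01xx numbers are reserved fictitious numbers).
SAMPLE_MESSAGES = [
    {"direction": "inbound", "sender_domain": "payoneer.com",        # scam invoice
     "body": ("Invoice #4839201 from PC Secure Services. Amount due: $499.99.\n"
              "If you did not authorize this unusual transaction, contact our support\n"
              "at (800) 555-0199 within 24 hours to cancel this charge.")},
    {"direction": "inbound", "sender_domain": "payoneer.com",        # benign notice
     "body": "Your payment of USD 1,250.00 from ACME Ltd has been received. Ref 77123."},
    {"direction": "inbound", "sender_domain": "example.net",         # lure, wrong sender
     "body": "Unusual activity detected. Call us at 800-555-0142 now."},
]

def run_samples() -> list:
    """Verdict per sample message, in order."""
    return [analyze(m)["flagged"] for m in SAMPLE_MESSAGES]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["sender_domain"], analyze(m))
```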
Categories
  • Web
  • Identity Management
  • Other
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2024-11-05