Headers: Invalid recipient domain with mismatched reply-to from new sender

Sublime Rules

Summary
This detection rule identifies potentially malicious email activity by analyzing the header information of incoming messages. It focuses on emails sent from new senders to invalid recipient domains, especially when the reply-to address does not match the sender's address. This combination of header characteristics is commonly associated with business email compromise (BEC), credential phishing, and spam. The rule triggers when the recipient list contains only one invalid recipient and the reply-to address belongs to a domain different from the sender's domain. To reduce false positives, the rule applies sender prevalence checks and excludes benign senders that recur. This keeps the detection focused on newly appearing senders who may be spoofing addresses or manipulating header information for social engineering.
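The following is an added illustration of the rule's logic in Python; it is not the rule's source or Sublime Security's code. It assumes that an "invalid recipient domain" means a domain outside the organization's accepted mail domains, that "new sender" means a sender absent from a prevalence list of previously seen senders, and that "only one invalid recipient" means exactly one recipient whose domain is invalid.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: the organisation's accepted mail domains; a recipient at any
# other domain is treated as an "invalid recipient domain".
VALID_RECIPIENT_DOMAINS = {"example.com"}

# Assumption: stand-in for a sender-prevalence lookup; senders seen before
# are treated as benign recurring senders and excluded.
KNOWN_SENDERS = {"vendor@example.org"}


def domain_of(address: str) -> str:
    """Return the lowercase domain part of a header address ('' if none)."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def matches_rule(raw_message: str,
                 valid_domains=VALID_RECIPIENT_DOMAINS,
                 known_senders=KNOWN_SENDERS) -> bool:
    """True when the message meets every condition the rule summary lists."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender or sender in known_senders:
        return False                      # missing sender, or not a new sender
    recipients = [addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    # Read here as: exactly one recipient, and that recipient's domain is invalid.
    if len(recipients) != 1 or domain_of(recipients[0]) in valid_domains:
        return False
    reply_domain = domain_of(msg.get("Reply-To", ""))
    # Reply-To must be present and point at a domain other than the sender's.
    return bool(reply_domain) and reply_domain != domain_of(sender)


# Constructed sample headers (not real messages).
SUSPECT = """From: Accounts <pay@example.net>
To: ceo@examp1e.com
Reply-To: pay@example.org
Subject: Invoice

body
"""
BENIGN_REPLY_TO = SUSPECT.replace("Reply-To: pay@example.org",
                                  "Reply-To: billing@example.net")
KNOWN_SENDER = SUSPECT.replace("pay@example.net", "vendor@example.org")

if __name__ == "__main__":
    print(matches_rule(SUSPECT), matches_rule(BENIGN_REPLY_TO),
          matches_rule(KNOWN_SENDER))
```

Only the first sample fires: the second shares a domain between From and Reply-To, and the third comes from a previously seen sender.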
Categories
  • Identity Management
  • Web
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2025-11-22