
Service abuse: AWS SNS callback scam impersonation

Sublime Rules

Summary
This rule detects inbound messages that abuse AWS SNS callback notifications to impersonate well-known brands (e.g., McAfee, Norton, PayPal) and solicit callbacks from victims. It targets messages sent from no-reply@sns.amazonaws.com and excludes bounce-trap traffic (e.g., AWS SES bounce paths).

The detection uses two complementary approaches: (1) a natural language understanding (NLU) check on the thread text for an intent named “callback_scam” with a confidence not equal to “low”; or (2) a heuristic content match that looks for brand indicators (mcafee, norton, geek squad, paypal, ebay, symantec, best buy, lifeLOCK) and requires at least three of a set of purchase/payment/transaction-related terms (purchase, payment, transaction, subscription, antivirus, order, support, receipt, invoice, call, cancel, renew, refund, host key). If a phone-number pattern is also present in the body or subject (validated by multiple regex formats), the rule triggers as a probable callback phishing attempt. The combined condition is designed to catch scam messages that rely on brand impersonation, social engineering, and out-of-band contact via phone.

Detected campaigns are categorized as Callback Phishing, with tactics Impersonation: Brand, Out of band pivot, and Social engineering. Detection methods include Content analysis, Natural Language Understanding, and Sender analysis. The rule is assigned medium severity; its purpose is to reduce the risk of financial theft or malware installation through fraudulent SNS notifications.
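The heuristic branch described above, as an added worked example that is not the Sublime rule itself and not code from the original page. It reimplements the sender check, the bounce-path exclusion, the brand and transaction-term matching, and the phone-number requirement in plain Python and runs them over constructed sample messages. The NLU branch is omitted because it depends on a model the page does not describe. The phone-number regexes, the word-boundary matching of terms, and the assumption that SES bounce traffic carries a Return-Path at amazonses.com are this example's own choices, not details taken from the rule.

```python
import re
from dataclasses import dataclass

# Every sample message below is constructed for this example; none comes from
# the original page, the Sublime rule, or a real campaign.

SNS_SENDER = "no-reply@sns.amazonaws.com"
# Assumption for this example: SES bounce traffic uses a Return-Path at amazonses.com.
BOUNCE_RETURN_PATH_DOMAIN = "amazonses.com"

BRAND_TERMS = ("mcafee", "norton", "geek squad", "paypal", "ebay",
               "symantec", "best buy", "lifelock")
TRANSACTION_TERMS = ("purchase", "payment", "transaction", "subscription",
                     "antivirus", "order", "support", "receipt", "invoice",
                     "call", "cancel", "renew", "refund", "host key")
MIN_TRANSACTION_TERMS = 3

# Phone-number formats chosen for this example; the rule's own regexes are not on the page.
PHONE_PATTERNS = (
    re.compile(r"(?<!\d)\(\d{3}\)\s?\d{3}[-.\s]\d{4}(?!\d)"),                   # (800) 555-0199
    re.compile(r"(?<!\d)\d{3}[-.\s]\d{3}[-.\s]\d{4}(?!\d)"),                    # 800-555-0199
    re.compile(r"(?<!\d)\+?1[-.\s]?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)"),  # +1 800 555 0199
)


@dataclass
class Message:
    sender: str
    return_path: str
    subject: str
    body: str


def _term_hits(text: str, terms) -> list:
    """Return the terms that occur as whole words in text, case-insensitively."""
    lowered = text.lower()
    return [t for t in terms if re.search(r"\b" + re.escape(t) + r"\b", lowered)]


def has_phone_number(text: str) -> bool:
    """True if any of the phone-number formats above appears in text."""
    return any(p.search(text) for p in PHONE_PATTERNS)


def classify(msg: Message) -> dict:
    """Evaluate each signal of the heuristic branch and combine them into a verdict."""
    text = msg.subject + "\n" + msg.body
    brands = _term_hits(text, BRAND_TERMS)
    terms = _term_hits(text, TRANSACTION_TERMS)
    signals = {
        "from_sns": msg.sender.strip().lower() == SNS_SENDER,
        "bounce_trap": msg.return_path.lower().endswith("@" + BOUNCE_RETURN_PATH_DOMAIN),
        "brands": brands,
        "terms": terms,
        "phone": has_phone_number(text),
    }
    # Fire only when the sender is SNS, it is not bounce traffic, a brand is named,
    # enough transaction terms are present, and a callback number is offered.
    signals["verdict"] = (
        signals["from_sns"]
        and not signals["bounce_trap"]
        and bool(brands)
        and len(terms) >= MIN_TRANSACTION_TERMS
        and signals["phone"]
    )
    return signals


SCAM_BODY = ("Your payment of $349.99 for Norton LifeLock antivirus was processed "
             "successfully. If you did not authorize this transaction, call our support "
             "team at (800) 555-0199 to cancel and request a refund.")

SAMPLES = [
    # 1. Brand-impersonating callback scam relayed through SNS: should fire.
    Message(SNS_SENDER, "bounces@example.invalid",
            "Your Norton antivirus subscription has been renewed", SCAM_BODY),
    # 2. Legitimate SNS alarm notification: no brand indicator, should not fire.
    Message(SNS_SENDER, "bounces@example.invalid", "AWS Notification Message",
            'Alarm "cpu-high" in us-east-1 changed state to ALARM at 2026-03-27T10:00:00Z. '
            "Reason: Threshold Crossed: 1 datapoint was greater than the threshold (80.0)."),
    # 3. Same scam wording but not from SNS: outside this rule's scope, should not fire.
    Message("billing@example.invalid", "billing@example.invalid",
            "Geek Squad order confirmation",
            "Your Best Buy Geek Squad subscription order #44821 was renewed for $299.00. "
            "Call 800-555-0147 to cancel or refund."),
    # 4. Scam text arriving via an SES bounce path (constructed Return-Path): excluded.
    Message(SNS_SENDER,
            "010001953f2a4b7c-d3e4f5a6-b7c8-4d9e-8f0a-1b2c3d4e5f60-000000@amazonses.com",
            "Your Norton antivirus subscription has been renewed", SCAM_BODY),
]


if __name__ == "__main__":
    for i, sample in enumerate(SAMPLES, 1):
        result = classify(sample)
        print(f"sample {i}: verdict={result['verdict']} brands={result['brands']} "
              f"terms={len(result['terms'])} phone={result['phone']}")
```

Only the first sample produces a positive verdict; the other three show the three ways a message escapes the heuristic branch (no brand indicator, wrong sender, bounce-path exclusion). Returning every signal alongside the verdict is deliberate: when tuning a rule like this, seeing which of the AND-ed conditions failed is what tells you whether a miss is a term-list gap, a phone-format gap, or an intentional exclusion.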
Categories
  • Endpoint
  • Application
Data Sources
  • Application Log
Created: 2026-03-27