Suspicious newly registered reply-to domain with engaging financial or urgent language

Sublime Rules

Summary
This detection rule flags email messages whose Reply-To domain is newly registered and differs from the sender's domain, a pattern consistent with vendor impersonation. The rule combines several signals: it checks whether the email body contains a request and whether the surrounding context uses financial or urgent language, and it applies machine-learning analysis of the message text for specific entities and tags, considering only medium- to high-confidence results. The rule fires only for messages from untrusted senders or from senders previously linked to malicious activity; messages from highly trusted domains are disregarded unless they fail DMARC authentication. The detection relies on content analysis, header examination, natural language processing, and WHOIS data to evaluate these criteria. Overall, it aims to surface communications that could be part of Business Email Compromise (BEC) or fraud attacks.
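The criteria above, as an added illustration that is not the rule's own code: the WHOIS lookup is a constructed table, the NLU classifier is replaced by a keyword regex, and the sender-trust and DMARC signals are passed in as flags (all assumptions), so that the trust gate and the age threshold can be exercised on a constructed sample message.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for a WHOIS lookup: domain -> registration date (assumption).
WHOIS_CREATED = {
    "acme-invoices.example": date(2023, 5, 10),
    "acme.example": date(2009, 3, 1),
}
# Keyword stand-in for the rule's NLU classifier (financial / urgent intent).
ENGAGING = re.compile(r"\b(invoice|wire|payment|bank|overdue|urgent(ly)?|immediately|asap)\b", re.I)

# Constructed sample message used as input.
SAMPLE = """From: Accounts Payable <ap@acme.example>
Reply-To: ap@acme-invoices.example
Subject: Updated bank details
Content-Type: text/plain

Please process the attached invoice urgently using our new bank details.
"""

def _domain(addr):
    """Lower-cased domain part of an RFC 5322 address, '' if absent."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def evaluate(raw, today, sender_trusted=False, dmarc_pass=True, max_age_days=30):
    """Return each criterion's outcome plus the final 'alert' decision."""
    msg = message_from_string(raw)
    from_dom, reply_dom = _domain(msg.get("From", "")), _domain(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    created = WHOIS_CREATED.get(reply_dom)
    age_days = None if created is None else (today - created).days
    checks = {
        # Reply-To points somewhere other than the visible sender's domain.
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        # Reply-To domain registered within the last max_age_days.
        "newly_registered": age_days is not None and age_days <= max_age_days,
        # Body asks for something using financial or urgent wording.
        "engaging_language": ENGAGING.search(body) is not None,
        # Trusted senders are excluded unless their DMARC check failed.
        "trust_gate": (not sender_trusted) or (not dmarc_pass),
    }
    checks["alert"] = all(checks.values())
    return checks
```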
Categories
  • Web
  • Endpoint
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
  • Cloud Service
Created: 2023-05-20