
Summary
This detection rule identifies potential service abuse carried out through newly registered domains by analyzing the reply-to headers of incoming messages. It triggers when the sender's email domain was registered less than 30 days ago and there is no record of prior benign messages from that sender. These characteristics are typical of Business Email Compromise (BEC), callback phishing, and credential phishing campaigns, which frequently stand up fresh domains that have not yet acquired a reputation. The rule combines header analysis, sender analysis, and WHOIS lookups to flag suspicious emails that may be leveraging such new domains for malicious purposes. Given its high severity, triggered alerts may warrant immediate attention to mitigate risk.
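The triggering logic described above, as an added Python illustration rather than the rule's own implementation; the WHOIS registration dates, the benign-sender history and the message headers are all constructed sample data standing in for live lookups.

```python
from datetime import date
from email.utils import parseaddr
from typing import Optional

NEW_DOMAIN_MAX_AGE_DAYS = 30  # threshold stated by the rule

# Constructed WHOIS creation dates standing in for a live WHOIS lookup (hypothetical).
WHOIS_CREATED = {
    "example-invoices-portal.test": date(2025, 4, 3),  # registered 12 days before "today"
    "example.test": date(2010, 1, 1),                  # long-established domain
}

# Constructed sender history: addresses that previously sent benign messages.
KNOWN_BENIGN_SENDERS = {
    "billing@example.test",
    "support@example-invoices-portal.test",
}


def effective_sender(headers: dict) -> str:
    """Address a reply would go to: Reply-To if present, otherwise From."""
    raw = headers.get("Reply-To") or headers.get("From", "")
    return parseaddr(raw)[1].lower()


def domain_age_days(domain: str, today: date) -> Optional[int]:
    """Days since registration, or None when no WHOIS record is available."""
    created = WHOIS_CREATED.get(domain)
    return (today - created).days if created else None


def rule_triggers(headers: dict, today: date) -> bool:
    """True when the reply-to domain is under 30 days old and the sender has no benign history."""
    sender = effective_sender(headers)
    if "@" not in sender:
        return False
    domain = sender.rsplit("@", 1)[1]
    age = domain_age_days(domain, today)
    # Assumption: an unknown registration date does not count as "newly registered".
    if age is None or age >= NEW_DOMAIN_MAX_AGE_DAYS:
        return False
    return sender not in KNOWN_BENIGN_SENDERS
```

A sender with prior benign traffic from the same new domain suppresses the alert, which is the second condition the rule imposes.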
Categories
- Web
- Identity Management
Data Sources
- User Account
- Network Traffic
- Web Credential
Created: 2025-04-15