
Brand impersonation: GitHub with callback scam indicators

Sublime Rules

Summary
This rule flags inbound messages sent from GitHub's noreply address that carry callback scam indicators, brand impersonation cues, or purchase/payment content paired with a contact phone number. Because the messages are genuine GitHub notifications, sender authentication alone will not catch them; the rule therefore inspects the content. It combines several detectors: a) ML-based intent classification of the thread text that identifies callback_scam with non-low confidence; b) regex-based brand impersonation cues for well-known security and consumer brands (e.g., McAfee, Norton, Geek Squad, PayPal, eBay, Symantec, Best Buy, LifeLock); c) a 3-of-N condition over purchase-related keywords (purchase, payment, transaction, subscription, antivirus, order, support, receipt, invoice, call, cancel, renew, refund, host key); d) a phone-number pattern applied to both the body text and the subject; and e) a scoping check that the sender is GitHub's noreply address and the message has no attachments. When triggered, the rule classifies the attack type as Callback Phishing and maps it to the tactics Brand Impersonation, Out-of-Band Pivot, and Social Engineering, using content analysis, NLP/NLU, and sender analysis as its detection methods.
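The following is an added example, not the rule's own MQL and not code from Sublime Security: a plain-Python reimplementation of the heuristic parts of the summary above (brand regex, 3-of-N purchase keywords, phone-number pattern, noreply sender scope, no attachments), run over constructed sample messages. The ML intent classifier cannot be reproduced offline, so it is represented by two assumed fields on the message (`intent`, `intent_confidence`). The boolean combination (purchase keywords count only when a phone number is also present) is this example's reading of the summary, not the published rule logic, and the message shape, `evaluate()` function and sample texts are all hypothetical.

```python
import re
from dataclasses import dataclass, field, replace


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    # Stand-in for the ML intent classifier output the rule uses
    # (assumed shape, not Sublime's API).
    intent: str = "none"
    intent_confidence: str = "low"


@dataclass
class Verdict:
    fires: bool
    reasons: list
    keyword_hits: list
    phone_numbers: list


# Brand cues listed for this rule (case-insensitive, whole word).
BRAND_RE = re.compile(
    r"\b(?:mcafee|norton|geek\s*squad|paypal|ebay|symantec|best\s*buy|lifelock)\b",
    re.IGNORECASE,
)

# Purchase/payment keywords listed for this rule; at least 3 distinct hits needed.
PURCHASE_KEYWORDS = [
    "purchase", "payment", "transaction", "subscription", "antivirus", "order",
    "support", "receipt", "invoice", "call", "cancel", "renew", "refund", "host key",
]
# Word-start match so "renewal", "payments", "called" still count (assumption).
KEYWORD_RES = {
    kw: re.compile(r"\b" + r"\s+".join(re.escape(p) for p in kw.split()), re.IGNORECASE)
    for kw in PURCHASE_KEYWORDS
}

# North-American-style phone number. The \w lookarounds stop it matching digit
# runs inside commit SHAs, which GitHub notification mail is full of.
PHONE_RE = re.compile(
    r"(?<!\w)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\w)"
)

GITHUB_NOREPLY = "noreply@github.com"


def evaluate(msg: Message) -> Verdict:
    """Apply the summarised detectors to one message; returns why it fired."""
    text = f"{msg.subject}\n{msg.body}"
    keyword_hits = [kw for kw, rx in KEYWORD_RES.items() if rx.search(text)]
    phone_numbers = PHONE_RE.findall(text)
    reasons = []

    # Scope: only GitHub's noreply sender, and only messages without attachments.
    if msg.sender.lower() != GITHUB_NOREPLY or msg.attachments:
        return Verdict(False, reasons, keyword_hits, phone_numbers)

    if msg.intent == "callback_scam" and msg.intent_confidence != "low":
        reasons.append("ml:callback_scam")
    if BRAND_RE.search(text):
        reasons.append("brand_impersonation_cue")
    # Purchase/payment content counts only together with a phone number; that
    # keeps ordinary PR/commit mail (which often mentions orders, payments,
    # "call me") from firing on keyword count alone.
    if len(keyword_hits) >= 3 and phone_numbers:
        reasons.append("purchase_content_with_phone")

    return Verdict(bool(reasons), reasons, keyword_hits, phone_numbers)


# Constructed sample messages (not real GitHub mail).
SCAM = Message(
    sender="noreply@github.com",
    subject="[octo-demo/support] Order confirmation",
    body=(
        "Thank you for your purchase of Norton Antivirus. Your subscription payment "
        "of $399.99 has been processed. To cancel or request a refund call "
        "+1 (888) 555-0142 within 24 hours."
    ),
)
LEGIT = Message(
    sender="noreply@github.com",
    subject="[octo-demo/shop] Fix rounding in payment totals (PR #42)",
    body=(
        "Merged #42 into main.\n\n"
        "abcdef1234567890abcdef1234567890abcdef12 fixes the order of operations "
        "in the checkout service. Call me if CI is still red."
    ),
)
ML_ONLY = Message(
    sender="noreply@github.com", subject="Re: your account",
    body="Please get back to us today.",
    intent="callback_scam", intent_confidence="medium",
)
OFF_SCOPE = replace(SCAM, sender="billing@example.net")

if __name__ == "__main__":
    for name, m in [("SCAM", SCAM), ("LEGIT", LEGIT), ("ML_ONLY", ML_ONLY), ("OFF_SCOPE", OFF_SCOPE)]:
        v = evaluate(m)
        print(f"{name}: fires={v.fires} reasons={v.reasons} keywords={len(v.keyword_hits)} phones={v.phone_numbers}")
```

The LEGIT sample is the case worth studying: it reaches the 3-of-N keyword threshold (payment, order, call) purely from normal pull-request chatter, and the commit SHA contains a ten-digit run, so a phone regex without the `\w` lookarounds and a keyword count used on its own would both produce a false positive on everyday GitHub notifications.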
Categories
  • Application
Data Sources
  • Application Log
  • Process
Created: 2026-03-12