
Business Email Compromise: Request For Mobile Number Via Reply Thread Hijacking
Sublime Rules
Summary
This rule detects Business Email Compromise (BEC) attacks in which the attacker hijacks an existing reply thread to solicit the target's mobile number. The detection logic evaluates several conditions: it looks for inbound emails where the number of previous reply threads is fewer than three, no attachments are present, and the body of the previous threads contains phrases related to mobile contact requests. A regex condition identifies solicitation patterns for mobile numbers, using keywords such as 'mobile', 'contact', 'whatsapp', or 'personal cell'. The rule also inspects the intent classification produced by a Natural Language Understanding (NLU) model, flagging BEC or advance-fee fraud intent at high confidence; a low-confidence classification can also trigger an alert when those keywords appear in a short email body. Additional checks cover the sender's profile: whether the sender has a history of malicious messages, and whether the sender's domain is not classified as high trust and also fails DMARC checks. Finally, the rule determines whether the email is a likely reply hijack by assessing the references found in the email headers. Overall, the rule aims to improve detection of sophisticated BEC techniques that could bypass conventional rulesets.
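The following Python sketch is an added example, not the Sublime rule or its MQL, that applies the conditions described above to constructed sample messages. The message dict field names, the keyword regex, the NLU labels and the reply-hijack heuristic (a References chain whose Message-IDs were never sent by the recipient organisation) are all assumptions made for illustration.

```python
import re

# Constructed keyword pattern for mobile-number solicitation, built from the
# terms the rule summary names; it is not Sublime's own regex.
MOBILE_SOLICIT = re.compile(
    r"\b(?:mobile|cell(?:\s*phone)?|whatsapp|personal\s+(?:cell|number)|"
    r"contact\s+number)\b", re.IGNORECASE)

KNOWN_OUTBOUND_IDS = {"<abc123@corp.example>", "<def456@corp.example>"}  # constructed

def is_likely_reply_hijack(references, known_outbound_ids):
    # Assumed heuristic: a References chain is present but none of the
    # referenced Message-IDs were ever sent by our own mail system.
    return bool(references) and not any(r in known_outbound_ids for r in references)

def matches_bec_mobile_request(msg, known_outbound_ids=KNOWN_OUTBOUND_IDS):
    """Apply the summary's conditions to a plain dict (field names assumed)."""
    if not msg["inbound"] or msg["attachments"] or len(msg["previous_threads"]) >= 3:
        return False
    if not any(MOBILE_SOLICIT.search(t) for t in msg["previous_threads"]):
        return False
    # NLU: BEC / advance-fee intent at high confidence, or low confidence on a
    # short body that repeats the solicitation keywords.
    fraud_intent = msg["nlu_intent"] in ("bec", "advance_fee")
    if not fraud_intent or not (
        msg["nlu_confidence"] == "high"
        or (msg["nlu_confidence"] == "low" and len(msg["body"]) < 200
            and MOBILE_SOLICIT.search(msg["body"]))
    ):
        return False
    # Sender checks; the summary does not say how they combine, any-of assumed.
    if not (msg["sender_malicious_history"]
            or (not msg["sender_high_trust"] and not msg["dmarc_pass"])):
        return False
    return is_likely_reply_hijack(msg["references"], known_outbound_ids)

# Constructed sample: a hijacked thread quoting a fabricated earlier exchange.
HIJACKED = {
    "inbound": True, "attachments": 0,
    "previous_threads": ["Can you send me your mobile number so we can talk?"],
    "body": "Following up, please share your WhatsApp.",
    "nlu_intent": "bec", "nlu_confidence": "high",
    "sender_malicious_history": False, "sender_high_trust": False,
    "dmarc_pass": False, "references": ["<zzz999@attacker.example>"],
}
# Constructed sample: a genuine reply to a thread our organisation started.
GENUINE = dict(HIJACKED, references=["<abc123@corp.example>"], dmarc_pass=True)
```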
Categories
- Web
- Endpoint
- Identity Management
Data Sources
- User Account
- Web Credential
- Application Log
Created: 2025-08-05