
Summary
This detection rule identifies potential callback phishing scams by analyzing the structure and content of incoming messages. Callback phishing aims to deceive the recipient into contacting an attacker via a telephone number, with the objective of financial theft or malware installation. The rule examines several indicators: the absence of attachments, patterns in the sender's email address, and targeted keywords or phrases within the email body. It employs regex patterns to recognize common phrases associated with phony invoices or receipts and requires specific triggers, such as the presence of a phone number and transaction-related language, to fire together, while applying filters to limit false positives. Additionally, the rule checks the sender domain against lists of high-trust and low-trust domains, further refining its detection capability.
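The following is an added illustration of the indicator logic described above, written here as standalone Python rather than taken from the rule itself; the regexes, the required-trigger set, and the trust-list domains are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed placeholder trust lists; a production rule keeps larger, curated lists.
HIGH_TRUST_DOMAINS = {"trusted-vendor.example"}
LOW_TRUST_DOMAINS = {"freemail.example"}
# Phone numbers in the layouts callback lures usually print (e.g. 1-888-555-0142).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Vocabulary of a phony invoice or receipt.
INVOICE_RE = re.compile(r"\b(invoice|receipt|order (?:id|number)|subscription|renew(?:al|ed))\b", re.I)
# Transaction language followed (within the same line) by a dollar amount.
TRANSACTION_RE = re.compile(r"\b(charged|debited|billed|payment of|amount)\b[^\n]{0,40}?\$\s?\d+(?:\.\d{2})?", re.I)
# Call-to-action telling the reader to phone "support"/"billing".
CALLBACK_RE = re.compile(r"\b(call|contact|dial)\b[^.\n]{0,60}?\b(us|support|helpline|billing)\b", re.I)
# Sender local-parts with long digit runs, typical of bulk-registered free-mail accounts.
SENDER_RE = re.compile(r"^[a-z0-9._+-]*\d{4,}[a-z0-9._+-]*@", re.I)

@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachment_count: int

def evaluate(msg: Message):
    """Return (flagged, indicators); flag only when every required trigger fires."""
    text = f"{msg.subject}\n{msg.body}"
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    checks = {
        "no_attachments": msg.attachment_count == 0,
        "phone_number": bool(PHONE_RE.search(text)),
        "invoice_language": bool(INVOICE_RE.search(text)),
        "transaction_amount": bool(TRANSACTION_RE.search(text)),
        "callback_cta": bool(CALLBACK_RE.search(text)),
        "sender_pattern": bool(SENDER_RE.match(msg.sender)),
        "low_trust_domain": domain in LOW_TRUST_DOMAINS,
    }
    indicators = [name for name, hit in checks.items() if hit]
    if domain in HIGH_TRUST_DOMAINS:  # false-positive filter: real vendors send real invoices
        return False, indicators
    required = {"no_attachments", "phone_number", "invoice_language", "transaction_amount"}
    return required.issubset(indicators), indicators

# Constructed sample messages (not real mail).
PHISH = Message("billing9384721@freemail.example", "Your subscription #4471 was renewed",
                "Your annual plan was auto-renewed and your card was charged $499.99. "
                "If you did not authorize this, call our support desk at 1-888-555-0142.", 0)
LEGIT = Message("invoices@trusted-vendor.example", "Invoice 10023",
                "Invoice attached. Amount charged $120.00. Questions? Call 800-555-0199.", 1)
```

The high-trust check short-circuits before the trigger test, so a genuine vendor invoice that happens to carry an amount and a phone number is not flagged even though most indicators fire.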
Categories
- Endpoint
- Web
- Application
Data Sources
- User Account
- Application Log
Created: 2023-02-01