
Reconnaissance: Short generic greeting message

Sublime Rules

Summary
This detection rule flags possible reconnaissance conducted over email: short inbound messages whose content amounts to little more than a generic greeting such as 'Hi', 'Hello' or 'Hey', typically sent from an external free email provider. Such probes are often the first step before a Business Email Compromise (BEC) or phishing campaign, used to validate which target addresses are live and answered before the real lure is sent. The rule requires both the subject and the body to be short and the message to carry no attachments and no links. To limit false positives it also validates the sender profile and relies on the message's authentication results (DMARC and SPF), so that genuine reconnaissance attempts are retained while benign short messages are suppressed. Because it fires before any payload is delivered, the rule contributes early warning to an organization's attack surface reduction strategy: a reply to one of these probes is exactly what a follow-on BEC or phishing campaign builds on.
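As an added illustration of the logic the summary describes (this is not the rule's own MQL source, which the page does not show), the Python below applies the same conditions to a handful of constructed sample messages. The greeting list, the free-mail domain list, the length thresholds and the `known_senders` set standing in for Sublime's sender-profile check are all assumptions chosen for the example; the messages themselves are built inline with the standard library so the script runs offline.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed values for this example; the real rule's lists and thresholds are not on the page.
GREETINGS = ("hi", "hello", "hey", "hi there", "hello there", "good morning", "good afternoon")
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com", "proton.me"}
MAX_SUBJECT_LEN = 40   # assumed: subject must be short
MAX_BODY_LEN = 60      # assumed: body text must be short
URL_RE = re.compile(r"(https?://|www\.)", re.IGNORECASE)
PUNCT_RE = re.compile(r"[^\w\s]")


def _plain_body(msg):
    """Return the text/plain body of a parsed message, or '' when there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def _auth_results(msg):
    """Collect mechanism=verdict pairs from Authentication-Results headers, e.g. {'dmarc': 'pass'}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(dmarc|spf|dkim)=(\w+)", hdr, re.IGNORECASE):
            results[mech.lower()] = verdict.lower()
    return results


def classify(raw, known_senders=frozenset()):
    """Apply the short-generic-greeting heuristic to one raw RFC 822 message.

    Returns (flagged, failed_checks). Every condition must hold for the message to be
    flagged, mirroring the page's description: the body opens with a generic greeting,
    subject and body are short, there are no links and no attachments, the sender uses an
    external free-mail domain, DMARC and SPF both pass (so the free-mail origin is
    genuine, not spoofed), and the sender is not already known to the recipient.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    body = _plain_body(msg).strip()
    normalized = PUNCT_RE.sub("", body).lower().strip()
    _, addr = parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    auth = _auth_results(msg)

    checks = {
        "short_greeting": normalized in GREETINGS
        or any(normalized.startswith(g + " ") for g in GREETINGS),
        "short_subject": len(subject) <= MAX_SUBJECT_LEN,
        "short_body": len(body) <= MAX_BODY_LEN,
        "no_links": URL_RE.search(body) is None,
        "no_attachments": not any(True for _ in msg.iter_attachments()),
        "free_mail_sender": domain in FREE_MAIL_DOMAINS,
        "authenticated": auth.get("dmarc") == "pass" and auth.get("spf") == "pass",
        "unknown_sender": addr.lower() not in known_senders,
    }
    failed = [name for name, ok in checks.items() if not ok]
    return (not failed), failed


def build_message(from_addr, subject, body, auth="mx.example.com; dmarc=pass spf=pass", attach=None):
    """Build a raw message for the examples below (constructed sample data, not real mail)."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "cfo@example.com"
    m["Subject"] = subject
    m["Authentication-Results"] = auth
    m.set_content(body)
    if attach is not None:
        m.add_attachment(attach, maintype="application", subtype="octet-stream", filename="invoice.pdf")
    return m.as_string()


# Constructed samples: one probe that should fire, and one near-miss per suppression condition.
SAMPLES = {
    "recon_probe": build_message("Jane Doe <jane.doe.ceo@gmail.com>", "Hi", "Hi"),
    "benign_newsletter": build_message(
        "news@gmail.com", "Weekly update",
        "Hello team, here is this week's summary with the full report at https://news.example.com/weekly"),
    "with_link": build_message("jane@gmail.com", "Hi", "Hi, see https://example.com/doc"),
    "with_attachment": build_message("jane@gmail.com", "Hi", "Hi", attach=b"%PDF-1.4 constructed bytes"),
    "corporate_sender": build_message("partner@vendor.example", "Hi", "Hi"),
    "spoofed": build_message("jane@gmail.com", "Hi", "Hi", auth="mx.example.com; dmarc=fail spf=fail"),
    "known_contact": build_message("friend@gmail.com", "Hi", "Hi"),
}


def run_samples(known_senders=frozenset({"friend@gmail.com"})):
    """Classify every sample; returns {name: (flagged, failed_checks)}."""
    return {name: classify(raw, known_senders) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (flagged, failed) in run_samples().items():
        print(f"{name:20s} flagged={flagged!s:5s} failed={failed}")
```

The `authenticated` check is the one practitioners most often drop, and it matters: without it a message spoofing a gmail.com sender, which the recipient's DMARC evaluation would reject, is treated the same as a genuine free-mail probe, and the rule can no longer tell "new external contact" from "forged header". The `known_senders` set is a deliberately crude stand-in for a sender-prevalence profile; in production that signal comes from historical mail flow, not a static list.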
Categories
  • Network
  • Web
  • Identity Management
  • Application
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2025-09-06