
Summary
This detection rule identifies QuickBooks notifications whose reply-to address sits on a newly registered domain, a pattern consistent with attackers abusing Intuit's genuine notification service to deliver callback phishing, credential phishing and business email compromise (BEC) lures. The rule matches messages sent from the legitimate Intuit infrastructure (quickbooks@notification.intuit.com) that pass both SPF and DMARC, so it targets abuse of the real sending service rather than spoofed senders; the signal is in the reply-to header, not in the From address. To reduce false positives, the rule excludes payment confirmation emails and requires that a reply-to address be present. The reply-to address must never have contacted the organization before (determined from prior message history: earlier solicitations and messages classified as benign), and its domain must have been registered less than 30 days ago. The rule combines content analysis, sender validation and header examination to cover these attack vectors.
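As an added worked example, not the rule's own syntax or any code from this page, the Python below re-implements the conditions in the summary over constructed sample messages: legitimate sender, SPF and DMARC pass, not a payment confirmation, Reply-To present, reply-to address never seen before, reply-to domain younger than 30 days. The WHOIS-style table (`DOMAIN_CREATED`), the sender-history set, the sample headers and the `evaluate` function are all assumptions built for the example.

```python
"""Toy re-implementation of the QuickBooks reply-to rule (constructed example)."""
import re
from datetime import date
from email import message_from_string
from email.utils import getaddresses

LEGIT_SENDER = "quickbooks@notification.intuit.com"
NEW_DOMAIN_DAYS = 30
PAYMENT_CONFIRMATION = re.compile(r"payment\s+(confirmation|received)", re.I)

# Assumption: a WHOIS lookup is stood in for by a static table of
# registration dates (constructed). Unknown domains return None.
DOMAIN_CREATED = {
    "intuit.com": date(1996, 1, 1),
    "example-accounting.com": date(2015, 3, 12),
    "qb-invoice-support.com": date(2024, 12, 1),
}


def domain_age_days(domain, today):
    """Days since registration, or None when the domain is not in the table."""
    created = DOMAIN_CREATED.get(domain.lower())
    return None if created is None else (today - created).days


def auth_results_pass(auth_header):
    """True only when an Authentication-Results header carries spf=pass and dmarc=pass."""
    pairs = re.findall(r"\b(spf|dmarc)=(\w+)", auth_header or "", re.I)
    results = {k.lower(): v.lower() for k, v in pairs}
    return results.get("spf") == "pass" and results.get("dmarc") == "pass"


def evaluate(raw_message, previously_seen_reply_to, today):
    """Return (matched, reason). The reason names the first failing condition
    so an analyst can see why a message did or did not fire."""
    msg = message_from_string(raw_message)
    senders = [addr.lower() for _, addr in getaddresses(msg.get_all("From", []))]
    if senders != [LEGIT_SENDER]:
        return False, "sender is not the legitimate Intuit notification address"
    if not auth_results_pass(msg.get("Authentication-Results")):
        return False, "SPF or DMARC did not pass"
    if PAYMENT_CONFIRMATION.search(msg.get("Subject", "")):
        return False, "payment confirmation excluded"
    reply_to = [addr.lower() for _, addr in getaddresses(msg.get_all("Reply-To", []))]
    if not reply_to:
        return False, "no Reply-To header"
    for addr in reply_to:
        if addr in previously_seen_reply_to:
            continue  # prior contact: not a first-contact reply-to
        domain = addr.rsplit("@", 1)[-1]
        age = domain_age_days(domain, today)
        # An unknown registration date cannot confirm "newly registered".
        if age is not None and age < NEW_DOMAIN_DAYS:
            return True, f"first-contact reply-to {addr} on {age}-day-old domain"
    return False, "reply-to addresses already known or on established domains"


# Constructed sample messages; the clock is fixed to the rule's creation date.
TODAY = date(2024, 12, 16)

SUSPICIOUS = """\
From: QuickBooks <quickbooks@notification.intuit.com>
Reply-To: billing@qb-invoice-support.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=notification.intuit.com; dkim=pass; dmarc=pass header.from=intuit.com
Subject: Invoice 1042 from Acme Services

Please call the number below to settle this invoice.
"""
KNOWN_VENDOR = SUSPICIOUS.replace("billing@qb-invoice-support.com", "ar@example-accounting.com")
PAYMENT = SUSPICIOUS.replace("Subject: Invoice 1042 from Acme Services",
                             "Subject: Payment confirmation for invoice 1042")
SPOOFED = SUSPICIOUS.replace("dmarc=pass", "dmarc=fail")

if __name__ == "__main__":
    for name, sample in [("suspicious", SUSPICIOUS), ("known vendor", KNOWN_VENDOR),
                         ("payment", PAYMENT), ("spoofed", SPOOFED)]:
        print(name, evaluate(sample, {"ar@example-accounting.com"}, TODAY))
```

Only the first sample fires: the reply-to is a first-contact address on a 15-day-old domain while the sender itself is genuine and authenticated. The other three are dropped by the sender-history check, the payment-confirmation exclusion and the DMARC requirement respectively.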
Categories
- Endpoint
- Cloud
- Application
Data Sources
- User Account
- Service
- Application Log
Created: 2024-12-16