
Summary
This detection rule identifies email messages that exhibit traits consistent with Business Email Compromise (BEC) schemes. Specifically, it targets messages in which the sender's address does not belong to a free email provider while the Reply-To or Return-Path header does. The rule uses Natural Language Understanding (NLU) to identify BEC-related intent with medium or high confidence. It triggers when the Reply-To or Return-Path domain appears in a predefined list of known free email providers and the sender's domain does not. Special handling applies to senders from domains such as paypal.com, where a DMARC authentication failure warrants a higher level of scrutiny. The rule also excludes benign forwarding scenarios and confirms the absence of common listserv indicators. Together, this combination of header analysis, content inspection, and intent recognition detects potential BEC attempts.
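The header logic described above, as an added Python illustration that is not the rule's own source. The free-provider list, the listserv header names, the Fwd:/FW: subject heuristic for benign forwarding, and the reading of the paypal.com exception (flag that sender only when Authentication-Results reports dmarc=fail) are assumptions made for this example; the NLU verdict is passed in as a plain confidence string because the NLU component is outside the scope of this example. The sample messages are constructed.

```python
"""Reply-To / Return-Path free-provider mismatch check for BEC triage (added example)."""
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: the rule's predefined free-provider list is not on the page; this stands in for it.
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com", "icloud.com"}

# Assumption: headers treated as "common listserv indicators".
LISTSERV_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post", "Mailing-List")

# Sender domains that only count when DMARC failed (the page names paypal.com).
DMARC_FAIL_REQUIRED = {"paypal.com"}


def header_domains(msg, name):
    """Lower-cased domain of every address found in the named header (empty set if absent)."""
    values = msg.get_all(name, [])
    return {addr.rsplit("@", 1)[1].lower() for _, addr in getaddresses(values) if "@" in addr}


def dmarc_failed(msg):
    """True if any Authentication-Results header reports dmarc=fail."""
    return any(re.search(r"\bdmarc=fail\b", v, re.I) for v in msg.get_all("Authentication-Results", []))


def looks_forwarded(msg):
    """Assumption: benign forwarding is approximated by a Fwd:/FW: subject prefix."""
    subject = (msg.get("Subject") or "").strip()
    return bool(re.match(r"^(fwd?|fw)\s*:", subject, re.I))


def evaluate(raw_message, bec_intent_confidence):
    """Return (triggered, reasons) for one RFC 5322 message.

    bec_intent_confidence is 'low', 'medium' or 'high' and stands in for the NLU verdict.
    """
    msg = message_from_string(raw_message)
    sender_domain = next(iter(header_domains(msg, "From")), "")
    reply_domains = header_domains(msg, "Reply-To") | header_domains(msg, "Return-Path")
    reasons = []

    # Sender must be a non-free domain; reply path must land at a free provider.
    if not sender_domain or sender_domain in FREE_EMAIL_PROVIDERS:
        return False, ["sender missing or uses a free provider"]
    free_reply = reply_domains & FREE_EMAIL_PROVIDERS
    if not free_reply:
        return False, ["reply-to/return-path is not a free provider"]
    reasons.append(f"reply path to free provider {sorted(free_reply)}")

    # Content inspection: NLU must report BEC intent with medium/high confidence.
    if bec_intent_confidence not in ("medium", "high"):
        return False, ["no medium/high BEC intent"]
    reasons.append(f"bec intent confidence {bec_intent_confidence}")

    # Exception: scrutinised domains are only flagged when DMARC authentication failed.
    if sender_domain in DMARC_FAIL_REQUIRED:
        if not dmarc_failed(msg):
            return False, [f"{sender_domain} passed DMARC; exception not met"]
        reasons.append("dmarc=fail on scrutinised sender domain")

    # Negations: benign forwarding and mailing-list traffic are excluded.
    if looks_forwarded(msg):
        return False, ["benign forwarding"]
    if any(msg.get(h) for h in LISTSERV_HEADERS):
        return False, ["listserv indicators present"]
    return True, reasons


# Constructed sample messages (not real traffic).
SUSPICIOUS = """From: "Finance Director" <director@example-corp.test>
Reply-To: director.urgent@gmail.com
Subject: Quick task before the board meeting

Can you process a payment today? I am in meetings, reply here only.
"""

LISTSERV_MSG = """From: news@example-corp.test
Return-Path: <bounces@gmail.com>
List-Id: announcements.example-corp.test
Subject: Monthly update

Newsletter body.
"""

PAYPAL_DMARC_PASS = """From: service@paypal.com
Reply-To: support-desk@yahoo.com
Authentication-Results: mx.example.test; dmarc=pass header.from=paypal.com
Subject: Invoice

Body.
"""

PAYPAL_DMARC_FAIL = PAYPAL_DMARC_PASS.replace("dmarc=pass", "dmarc=fail")
```

Run `evaluate(SUSPICIOUS, "high")` to see a positive verdict with its reasons; the same message with a "low" intent verdict, a message carrying List-Id, or a paypal.com sender whose DMARC passed all return False with the negating condition named, which is the behaviour an analyst wants surfaced when tuning the rule.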
Categories
- Cloud
- Web
- Identity Management
- Endpoint
- Application
Data Sources
- User Account
- Web Credential
- Network Traffic
- Application Log
Created: 2023-05-24