
Summary
Detects organized investor-solicitation messages aimed at a recipient organization by tying the solicitation to the recipient's domain and organization name, and by checking for social-engineering cues commonly used in BEC campaigns. The rule analyzes inbound email content (subject cues, body language, and header anomalies) to identify targeted outreach. Key logic:

1. Recipient-domain alignment in the subject: if any recipient's domain matches the recipient organization's domain suffix and passes a minimal domain-length check, the rule proceeds.
2. Organization-name extraction from the body (using a named group org), with a check that the extracted name appears in the recipient's domain, indicating that the organization is being targeted.
3. Spoofing indicator: the reply-to domain root differs from the sender's domain.
4. Greeting validation: the body contains a salutation such as "Dear <recipient local-part>" or a recognized first name derived from the local-part.
5. Language cues typical of investment solicitations: at least two phrases from a curated list of investment/finance terms (e.g., "alternative investments," "raising capital," "fundraising," "investment opportunities"). As an alternative detection path, the rule accepts a machine-learning signal: if the mail content's topics include Financial Communications, Out of Band Pivot, and B2B Cold Outreach, the two-phrase language condition is considered satisfied.

Attacker goals are characteristic of BEC and fraud via social engineering, and detection is performed by content analysis. The rule is labeled with attack_types BEC/Fraud, tactics/techniques Social engineering, and a content-analysis detection method. The rule's metadata also records its file path and unique identifier for traceability.
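To make the five conditions concrete, here is an added Python re-implementation of the logic described above, run over constructed sample messages; it is not the rule's own code, and the org-extraction pattern, the Message fields, and the choice to AND all five checks are assumptions.

```python
import re
from dataclasses import dataclass, field

# Phrases named in the rule summary; at least two must appear in the body.
INVESTMENT_PHRASES = ("alternative investments", "raising capital",
                      "fundraising", "investment opportunities")
# ML topic set that substitutes for the phrase count (alternative path).
ML_TOPICS = {"Financial Communications", "Out of Band Pivot", "B2B Cold Outreach"}
# Assumed pattern for pulling an organization name out of the body (named group org).
ORG_RE = re.compile(r"(?:interest in|invest in|partner(?:ing)? with)\s+(?P<org>[A-Z][\w&-]+)")

@dataclass
class Message:            # minimal stand-in for a parsed inbound email (assumed shape)
    sender: str
    reply_to: str
    recipient: str
    subject: str
    body: str
    topics: set = field(default_factory=set)   # NLU topic labels, if any

def domain_root(addr):    # "x@mail.example.com" -> "example"
    parts = addr.lower().rsplit("@", 1)[-1].split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_targeted_investor_solicitation(msg):
    local, domain = msg.recipient.lower().split("@")
    body = msg.body.lower()
    root = domain_root(msg.recipient)
    # (1) recipient organization named in the subject, with a minimal length guard
    if len(root) < 4 or root not in msg.subject.lower():
        return False
    # (2) org name extracted from the body must appear in the recipient domain
    m = ORG_RE.search(msg.body)
    if not m or m.group("org").lower() not in domain:
        return False
    # (3) spoofing indicator: reply-to root differs from the sender's domain root
    if domain_root(msg.reply_to) == domain_root(msg.sender):
        return False
    # (4) greeting addressed to the recipient's local-part or its first name
    first = re.split(r"[._-]", local)[0]
    if not re.search(rf"dear\s+(?:{re.escape(local)}|{re.escape(first)})\b", body):
        return False
    # (5) two solicitation phrases, or the full ML topic set as the alternative path
    hits = sum(p in body for p in INVESTMENT_PHRASES)
    return hits >= 2 or ML_TOPICS.issubset(msg.topics)

# Constructed sample messages (not real mail): one phrase hit, one ML-path hit, one benign.
HIT = Message("investor@partners-example.com", "deals@other-example.net",
              "jane.doe@acmecorp.com", "Investor interest in Acmecorp",
              "Dear Jane,\n\nWe have strong investor interest in Acmecorp and are "
              "raising capital for alternative investments. Happy to share "
              "investment opportunities.")
ML_HIT = Message(HIT.sender, HIT.reply_to, HIT.recipient, HIT.subject,
                 "Dear Jane,\n\nWe have strong investor interest in Acmecorp and "
                 "would love to connect.", ML_TOPICS)
BENIGN = Message("hr@acmecorp.com", "hr@acmecorp.com", HIT.recipient,
                 "Acmecorp benefits enrollment",
                 "Dear Jane, interest in Acmecorp benefits is high this year.")
```

BENIGN fails at check (3) because sender and reply-to share a domain root, which is the spoofing signal the rule relies on to separate internal mail from outreach.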
Categories
- Web
- Application
Data Sources
- Application Log
- Process
Created: 2026-05-09