
Summary
This rule detects inbound messages from the MongoDB Atlas alert address (mongodb-atlas-alerts@mongodb.com) that contain callback scam content. It runs the thread text of the inbound message through an embedded ML/NLU classifier (ml.nlu_classifier) to extract intents. If the classifier returns an intent named 'callback_scam' with a confidence other than 'low' (i.e., medium or high), the rule triggers. The detection targets callback phishing attempts that impersonate the MongoDB Atlas brand and use social engineering to induce a follow-on action from the recipient.

Attack types: Callback Phishing
Tactics/Techniques: Impersonation: Brand, Social engineering
Detection methods: Natural Language Understanding, Sender analysis

The rule helps surface potentially malicious follow-ups in communications that appear to come from the MongoDB Atlas alert channel and reduces the risk of credential theft or fraudulent follow-on requests. It is intended to complement sender verification with content-based signals, improving early warning of brand-impersonation attempts in alert traffic.
Categories
- Other
Data Sources
- Application Log
- Process
Created: 2026-04-29