Fake scan-to-email message

Sublime Rules

Summary
This rule detects potentially malicious emails that mimic legitimate scan-to-email notifications. It targets messages that appear to originate from a scanning device or service yet carry no attachment, a common characteristic of phishing attempts. The rule inspects several elements: the subject line, links within the email body, and the sender's domain. Notably, it identifies emails that reference scanning elements (e.g., 'scan date') and checks whether links lead to recognized or trusted domains; links that do not are flagged as a potential phishing vector. The analysis also incorporates sender behavior, looking for any history of malicious items or unsolicited messages from the sender, in order to reduce false positives. The method combines content analysis, optical character recognition, and domain verification to surface deceptive email communications.
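The following is an added illustration of the heuristics the summary describes, written for this page and not the rule's own source: a message is flagged when it references scanning, has no attachment, links somewhere other than an allowlisted domain or the sender's own domain, and the sender has no clean history. The allowlist, the `SENDER_HISTORY` table, the two-label domain reduction (no public-suffix handling) and the sample messages are all constructed assumptions; the rule's OCR step over image content is not reproduced.

```python
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

# Phrases typical of scan-to-email notifications (assumed list).
SCAN_TERMS = ("scan date", "scanned document", "scan-to-email", "scanned from")

# Assumed allowlist of file-sharing domains a real scanner might link to.
TRUSTED_LINK_DOMAINS = {"sharepoint.com", "dropbox.com"}

# Constructed sender-history store: prior message count and malicious verdicts.
SENDER_HISTORY: Dict[str, Dict[str, int]] = {
    "copier@acme-corp.example": {"prior_messages": 42, "prior_malicious": 0},
}


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    links: List[str]
    attachments: List[str] = field(default_factory=list)


def registered_domain(host: str) -> str:
    """Naive registrable-domain reduction (last two labels); assumption, not PSL-aware."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def mentions_scanning(msg: Message) -> bool:
    text = f"{msg.subject} {msg.body}".lower()
    return any(term in text for term in SCAN_TERMS)


def has_untrusted_link(msg: Message) -> bool:
    """True if any link points outside the allowlist and the sender's own domain."""
    sender_domain = registered_domain(msg.sender.split("@")[-1])
    for link in msg.links:
        host = urlparse(link).hostname or ""
        domain = registered_domain(host)
        if domain not in TRUSTED_LINK_DOMAINS and domain != sender_domain:
            return True
    return False


def sender_is_known_good(msg: Message) -> bool:
    """Established sender with no malicious history: used to suppress false positives."""
    hist = SENDER_HISTORY.get(msg.sender.lower())
    return hist is not None and hist["prior_messages"] >= 10 and hist["prior_malicious"] == 0


def is_fake_scan_to_email(msg: Message) -> bool:
    return (
        mentions_scanning(msg)
        and not msg.attachments
        and has_untrusted_link(msg)
        and not sender_is_known_good(msg)
    )


def evaluate_samples() -> Dict[str, bool]:
    """Runs the check over constructed sample messages; returns verdict per sample."""
    samples = {
        # Lure: scan wording, no attachment, link to an unrelated domain, unknown sender.
        "lure": Message(
            sender="scanner@scanner-alerts.example",
            subject="Scanned document from office copier",
            body="Scan date: 2024-01-30. View your document: http://docs-view.attacker.example/open",
            links=["http://docs-view.attacker.example/open"],
        ),
        # Genuine notification: the scan arrives as an attachment.
        "with_attachment": Message(
            sender="copier@acme-corp.example",
            subject="Scan from MFP-02",
            body="Scan date: 2024-01-30",
            links=[],
            attachments=["scan_0042.pdf"],
        ),
        # Genuine notification: link stays on the sender's own domain.
        "own_domain_link": Message(
            sender="noreply@acme-corp.example",
            subject="Scanned document ready",
            body="Scan date: 2024-01-30. https://files.acme-corp.example/s/abc",
            links=["https://files.acme-corp.example/s/abc"],
        ),
        # Suspicious link, but the sender has a long clean history: suppressed.
        "known_good_sender": Message(
            sender="copier@acme-corp.example",
            subject="Scanned document",
            body="Scan date: 2024-01-30. http://preview.otherhost.example/x",
            links=["http://preview.otherhost.example/x"],
        ),
    }
    return {name: is_fake_scan_to_email(m) for name, m in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name}: {'FLAGGED' if verdict else 'clean'}")
```

The sender-history gate is what keeps a real copier that happens to link to an unlisted viewer from being flagged every day; in production that table would be fed by prior verdicts rather than a literal.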
Categories
  • Web
  • Endpoint
  • Identity Management
  • Cloud
Data Sources
  • User Account
  • Web Credential
  • Application Log
Created: 2024-01-30