
Summary
This rule detects inbound messages that claim to originate from IBM IAM's account notification channel and show indicators of a callback scam, as identified by a natural language classifier. It triggers when the sender email equals ibmacct@iam.ibm.com and the message body (body.current_thread.text) contains an NLU intent named 'callback_scam' with a confidence other than 'low'. By combining a sender check (which establishes only the claimed origin) with content analysis via a machine learning-based NLU classifier, the rule flags potential callback phishing that uses brand impersonation and social engineering to prompt follow-up actions or disclosure of sensitive information.

Detection methods include sender analysis, content analysis, and natural language understanding, assessing both provenance and semantic intent. The rule has medium severity and targets abuse of IAM notification channels belonging to identity management services.

Legitimate IAM communications are a potential source of false positives. Possible improvements include additional header checks, link analysis, and cross-correlation with user or session activity to reduce benign matches.
Categories
- Identity Management
Data Sources
- Network Traffic
- Application Log
Created: 2026-06-17