Fraudulent order confirmation/shipping notification from Chinese sender domain

Sublime Rules

Summary
This rule detects order confirmations and shipping notifications sent from suspicious China-based sender domains. The recipient may genuinely have placed an order, but the associated e-commerce stores are typically fraudulent, so the product is unlikely to arrive and the funds are likely lost. The rule requires that the message is addressed to a single recipient and is not part of an existing thread, then inspects the sender address for patterns typical of these campaigns (for example, "support" as the local part). It also looks up the sender domain's WHOIS record to check whether the domain uses Alibaba Cloud's nameservers (hichina.com). Finally, it uses Natural Language Understanding to extract the message's topics and matches on those related to shipping and order confirmation. A recommended companion control is a custom warning banner advising recipients to contact their bank if they believe the transaction was fraudulent.
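The following is an added example, not the rule's own MQL source: a Python re-implementation of the checks the summary describes, run over constructed sample messages. The nameserver table (`FAKE_NAMESERVERS`), the extra local parts beyond "support", the keyword-based topic classifier standing in for the NLU model, and the sample domains and addresses are all assumptions made so the example runs offline.

```python
# Added example: a Python re-implementation of the detection logic the
# summary describes. This is NOT the Sublime rule's own MQL source; the
# nameserver table and the keyword-based topic classifier are constructed
# stand-ins for the live WHOIS lookup and the NLU model the rule uses.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed nameserver data standing in for a WHOIS/NS lookup (assumption).
FAKE_NAMESERVERS: Dict[str, List[str]] = {
    "shop-deals-example.com": ["dns1.hichina.com", "dns2.hichina.com"],
    "legit-store-example.com": ["ns1.cloudflare.com", "ns2.cloudflare.com"],
}

# "support" is the local part the summary names; the others are assumed
# additions for illustration.
SUSPICIOUS_LOCAL_PARTS = {"support", "service", "customerservice", "noreply", "no-reply"}

# Keyword patterns standing in for NLU topic extraction (assumption).
SHIPPING_TERMS = re.compile(r"\b(shipped|shipping|tracking number|delivery|dispatched)\b", re.I)
ORDER_TERMS = re.compile(r"(your order|order confirmation|order number|thank you for your purchase)", re.I)


@dataclass
class Message:
    sender_email: str
    to: List[str]
    body: str
    in_reply_to: Optional[str] = None
    references: List[str] = field(default_factory=list)


def uses_alibaba_nameservers(domain: str, lookup: Dict[str, List[str]] = FAKE_NAMESERVERS) -> bool:
    """True if any nameserver for the domain is under hichina.com (Alibaba Cloud DNS)."""
    return any(ns.lower().endswith("hichina.com") for ns in lookup.get(domain.lower(), []))


def body_topics(body: str) -> Set[str]:
    """Crude topic extraction; the real rule uses an NLU classifier."""
    topics = set()
    if SHIPPING_TERMS.search(body):
        topics.add("shipping")
    if ORDER_TERMS.search(body):
        topics.add("order_confirmation")
    return topics


def evaluate(msg: Message, lookup: Dict[str, List[str]] = FAKE_NAMESERVERS) -> Tuple[bool, Dict[str, bool]]:
    """Return (matched, per-check results). Every check must pass for a match."""
    local_part, _, domain = msg.sender_email.rpartition("@")
    checks = {
        "single_recipient": len(msg.to) == 1,
        "no_prior_thread": msg.in_reply_to is None and not msg.references,
        "suspicious_local_part": local_part.lower() in SUSPICIOUS_LOCAL_PARTS,
        "alibaba_nameservers": uses_alibaba_nameservers(domain, lookup),
        "commerce_topic": bool(body_topics(msg.body) & {"shipping", "order_confirmation"}),
    }
    return all(checks.values()), checks


# Constructed sample messages (not real traffic).
SAMPLES: Dict[str, Message] = {
    "fraudulent": Message(
        sender_email="support@shop-deals-example.com",
        to=["victim@example.org"],
        body="Thank you for your purchase! Your order has shipped. Tracking number: YT2024000001",
    ),
    "legit_store": Message(
        sender_email="support@legit-store-example.com",
        to=["customer@example.org"],
        body="Your order has shipped and will be delivered within 3 days.",
    ),
    "threaded_reply": Message(
        sender_email="support@shop-deals-example.com",
        to=["victim@example.org"],
        body="Your order has shipped.",
        in_reply_to="<abc123@example.org>",
    ),
}


def run_samples() -> Dict[str, bool]:
    """Evaluate every sample and return name -> matched."""
    return {name: evaluate(msg)[0] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, matched in run_samples().items():
        print(f"{name}: {'ALERT' if matched else 'no match'}")
```

Only the first sample fires; the second fails the nameserver check and the third fails the thread check. Note that hichina.com nameservers alone are a weak signal, since legitimate Chinese merchants also use Alibaba Cloud DNS, which is why the rule requires every condition to hold rather than any one of them.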
Categories
  • Web
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
Created: 2025-12-04