Fake Message Thread - Untrusted Sender with a Mismatched Freemail Reply-To Address

Sublime Rules

Summary
This detection rule identifies fraudulent messages that imitate an existing email thread while arriving from an untrusted sender whose Reply-To address points somewhere other than the sender. It combines several header-based indicators. The sender's credibility is assessed from historical prevalence: the address must be new or rarely seen, with no prior solicited conversation with the recipient. Alternatively, the sender is flagged if it has previously been identified as malicious or spam and carries no false-positive annotation. The Reply-To address is checked against recognized free email providers and must differ from the sender's address; this mismatch is characteristic of BEC lures that route the victim's reply to an attacker-controlled mailbox rather than the spoofed or look-alike sender. Well-known marketing and mailing-list senders are excluded to reduce false positives. Lastly, the rule inspects message thread indicators: the message presents itself as part of an ongoing thread, yet the References and In-Reply-To headers that a genuine reply would carry are absent, which is what distinguishes a fabricated thread from a real one. Together these conditions identify Business Email Compromise (BEC) and fraud attempts that rely on social engineering, using header and content analysis.
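The following is an added illustration of the header logic described above, written in Python for readability. It is not the Sublime rule itself (Sublime rules are written in MQL and draw on sender-profile and reputation data this script does not have). The freemail provider set, the `solicited_senders` set standing in for the sender-prevalence check, and all three sample messages are constructed for the example; the malicious/spam reputation lookup is omitted because there is no data to back it here.

```python
"""Toy header-analysis check for a fake-thread BEC lure.

Added example, not the Sublime rule. Every indicator must fire for a
message to be flagged, mirroring the rule's conjunction of conditions.
"""
import email
from email import policy
from email.utils import parseaddr

# Stand-in list of freemail providers (assumption for this example).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com", "icloud.com"}
# Subject prefixes that make a message look like part of an existing thread.
THREAD_PREFIXES = ("re:", "fw:", "fwd:")
# Presence of any of these marks marketing / mailing-list traffic, which the rule excludes.
LIST_HEADERS = ("List-Unsubscribe", "List-Id", "List-Post")


def _addr(msg, name):
    """Bare lower-cased address from a header, or '' when the header is absent."""
    return parseaddr(str(msg.get(name, "")))[1].lower()


def fake_thread_indicators(raw, solicited_senders):
    """Return the list of indicators that fired for one RFC 5322 message.

    solicited_senders stands in for the sender-prevalence / history check:
    addresses the recipient has previously corresponded with are trusted.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    found = []

    # Marketing and mailing-list mail is excluded up front to limit false positives.
    if any(msg.get(h) for h in LIST_HEADERS):
        return found

    subject = str(msg.get("Subject", "")).strip().lower()
    if subject.startswith(THREAD_PREFIXES):
        found.append("subject imitates a reply or forward")

    # A genuine reply carries In-Reply-To and/or References; a fabricated thread has neither.
    if not msg.get("In-Reply-To") and not msg.get("References"):
        found.append("no In-Reply-To or References header")

    sender = _addr(msg, "From")
    if sender and sender not in solicited_senders:
        found.append("sender has no prior solicited conversation")

    reply_to = _addr(msg, "Reply-To")
    if reply_to and reply_to.rpartition("@")[2] in FREEMAIL_DOMAINS and reply_to != sender:
        found.append("Reply-To is freemail and differs from the sender")

    return found


def is_fake_thread(raw, solicited_senders):
    """True only when all four indicators fire, as in the rule."""
    return len(fake_thread_indicators(raw, solicited_senders)) == 4


# Constructed sample data: prior correspondents and three messages.
SOLICITED = {"bob@vendor.example"}

FAKE_THREAD = """\
From: "Jane Doe" <jane.doe@contoso-partners.example>
To: ap@victim.example
Reply-To: jane.doe.ceo@gmail.com
Subject: RE: Updated wire instructions
Message-ID: <20230208a@contoso-partners.example>

Per our earlier thread, please use the new bank details below for this week's payment.
"""

GENUINE_REPLY = """\
From: Bob <bob@vendor.example>
To: ap@victim.example
Subject: RE: Invoice 1042
In-Reply-To: <20230207z@victim.example>
References: <20230207z@victim.example>

Thanks, received.
"""

NEWSLETTER = """\
From: Digest <digest@news.example>
To: ap@victim.example
Reply-To: digest-replies@gmail.com
Subject: FW: This week's picks
List-Unsubscribe: <mailto:unsub@news.example>

Here is what you missed this week.
"""

if __name__ == "__main__":
    for label, raw in (("fake", FAKE_THREAD), ("genuine", GENUINE_REPLY), ("newsletter", NEWSLETTER)):
        print(label, is_fake_thread(raw, SOLICITED), fake_thread_indicators(raw, SOLICITED))
```

Run as a script it prints the verdict and the fired indicators for each sample: the fabricated thread is flagged, the genuine reply (known sender, In-Reply-To present, no Reply-To) is not, and the newsletter is skipped entirely by the mailing-list exclusion even though its Reply-To is freemail.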
Categories
  • Web
  • Identity Management
  • Other
Data Sources
  • User Account
  • Web Credential
  • Application Log
Created: 2023-02-08