Callback scam: Impersonation via TimeTrade infrastructure

Sublime Rules

Summary
This detection rule identifies callback scam messages that exploit the TimeTrade infrastructure to impersonate reputable brands such as McAfee, Norton, and others. The rule looks for emails that originate from the legitimate TimeTrade domain and contain specific patterns indicative of phishing tactics. These patterns include keywords associated with financial transactions, customer support, or subscriptions, such as 'purchase', 'payment', 'invoice', and variations of well-known brand names. The rule leverages regex patterns to detect phone numbers within the message content, which often lead to fraudulent support calls. By performing content, sender, and header analysis, the rule aims to catch messages before they reach potential victims, thereby mitigating the risk of financial fraud and tech support scams.
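The combination of signals the summary describes, sketched in Python as an added example; it is not the Sublime rule's own source. The sender domain `timetrade.com`, the regexes and the sample messages are assumptions constructed for illustration.

```python
import re

# Assumption: the summary names no domain; timetrade.com stands in for the TimeTrade sender.
TIMETRADE_DOMAIN = "timetrade.com"
# Keywords quoted in the summary.
KEYWORDS = ("purchase", "payment", "invoice")
# Constructed brand patterns that tolerate simple look-alike spellings.
BRANDS = [re.compile(r"mc\s?[a@]fee", re.I), re.compile(r"n[o0]rt[o0]n", re.I)]
# Constructed North American phone pattern: optional +1, separators of space, dot or dash.
PHONE = re.compile(
    r"(?<!\d)(?:\+?1[\s.\-]?)?\(?\d{3}\)?[\s.\-]{0,2}\d{3}[\s.\-]{0,2}\d{4}(?!\d)")

# Constructed sample messages (555-01xx numbers are reserved for fiction).
SAMPLES = [
    {"from": "Norton Billing <noreply@timetrade.com>",
     "subject": "Invoice #A-1029 for your renewal",
     "body": "Your payment of $349.99 to N0rton was processed. Call +1 (808) 555-0142."},
    {"from": "Acme Dental <noreply@timetrade.com>",
     "subject": "Appointment confirmed",
     "body": "Your appointment is on Tuesday at 10:00. Reschedule online."},
    {"from": "billing@example.net",
     "subject": "McAfee purchase receipt",
     "body": "Questions about this payment? Call 808-555-0199."},
]

def sender_domain(from_header):
    """Extract the domain of the From address, lowercased."""
    m = re.search(r"@([A-Za-z0-9.\-]+)>?\s*$", from_header)
    return m.group(1).lower() if m else ""

def evaluate(msg):
    """Flag a message only when sender, keyword, brand and phone signals all match."""
    text = f"{msg['subject']}\n{msg['body']}"
    domain = sender_domain(msg["from"])
    signals = {
        # Assumes the From domain has already passed sender authentication upstream.
        "timetrade_sender": domain == TIMETRADE_DOMAIN
                            or domain.endswith("." + TIMETRADE_DOMAIN),
        "keyword": any(re.search(rf"\b{k}\b", text, re.I) for k in KEYWORDS),
        "brand": any(p.search(text) for p in BRANDS),
        "phone": bool(PHONE.search(text)),
    }
    return {"flagged": all(signals.values()), "signals": signals}

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["subject"], "->", evaluate(sample))
```

The second sample shows why the sender check alone is not enough (ordinary TimeTrade appointment mail), and the third shows that the same lure from another domain is left to other rules.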
Categories
  • Web
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Application Log
Created: 2025-08-21