
Service abuse: Amazon invitation with suspected callback phishing

Sublime Rules

Summary
This rule detects inbound emails from no-reply@amazon.com with the subject 'Your invitation has been sent' and inspects the HTML body for phone numbers embedded in header elements. An HTML XPath check locates the header nodes (//h2[contains(@class, 'rio-header')]), and two phone-number regex patterns are applied to their normalized display text (strings.replace_confusables(.display_text)) so that obfuscated digits are still caught. On a match, the rule flags the message as Callback Phishing, a social-engineering tactic that lures recipients into calling fraudulent customer-service lines.

Detection methods are Content analysis, HTML analysis, and Sender analysis; the broader techniques are Out of band pivot and Social engineering. The rule is intended to mitigate invitation-based phishing campaigns that rely on phone-based callbacks. Potential false positives include legitimate invitation emails that contain numbers or use these header elements; verification through official channels is recommended. Remediation guidance includes alerting, quarantining or blocking such messages, and educating users to verify numbers via trusted Amazon contact channels.
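The detection flow described in the summary, sketched in Python as an added example (not the rule's own source). The phone regex, the exact-match subject comparison, and the use of NFKC normalization as a stand-in for strings.replace_confusables are assumptions; the sample HTML is constructed.

```python
import re
import unicodedata
from html.parser import HTMLParser

# Assumed pattern for North American style numbers; the rule's two real
# patterns are not shown on this page. ASCII digits only, on purpose.
PHONE_RE = re.compile(
    r"(?<![0-9])(?:\+?1[\s.-]?)?\(?[0-9]{3}\)?[\s.-]?[0-9]{3}[\s.-]?[0-9]{4}(?![0-9])")

class RioHeaderText(HTMLParser):
    """Collects the text of <h2> elements whose class contains 'rio-header'."""
    def __init__(self):
        super().__init__()
        self.in_header = False
        self.headers = []

    def handle_starttag(self, tag, attrs):
        if tag == "h2" and "rio-header" in (dict(attrs).get("class") or ""):
            self.in_header = True
            self.headers.append("")

    def handle_endtag(self, tag):
        if tag == "h2":
            self.in_header = False

    def handle_data(self, data):
        if self.in_header:
            self.headers[-1] += data

def normalize(text):
    # Stand-in for replace_confusables: NFKC folds fullwidth/styled digits to ASCII.
    return unicodedata.normalize("NFKC", text)

def is_callback_phish(sender, subject, html_body):
    # Assumption: sender and subject are compared exactly (case-insensitive sender).
    if sender.lower() != "no-reply@amazon.com" or subject.strip() != "Your invitation has been sent":
        return False
    parser = RioHeaderText()
    parser.feed(html_body)
    return any(PHONE_RE.search(normalize(h)) for h in parser.headers)

# Constructed samples: fullwidth digits in the header vs. a number outside it.
SAMPLE_OBFUSCATED = '<h2 class="rio-header rio-title">Call support: +1 (８８８) ５５５-０１２３</h2>'
SAMPLE_BENIGN = '<h2 class="rio-header">You invited Alex to your list</h2><p>Ref 888-555-0123</p>'
```

The benign sample shows the scoping: a number outside the rio-header element does not trigger, and the obfuscated sample only matches after normalization.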
Categories
  • Application
Data Sources
  • Application Log
Created: 2026-05-24