BEC/Fraud: Fake investment outreach from suspicious TLD

Sublime Rules

Summary
This inbound email rule flags BEC/fraud attempts that use templated cold outreach asserting investment opportunities. It detects messages whose subject begins with 'investment into' and whose sender domain TLD appears in a provided list of suspicious TLDs ($suspicious_tlds). The campaigns impersonate family offices or private equity firms and commonly use disposable domains with DGA-like characteristics to evade reputation checks. Detection relies on header analysis (From/Subject), sender-domain evaluation (TLD checked against the suspicious list), and content cues related to investment solicitations. The rule requires multiple signals to fire together to reduce false positives and is rated medium severity to reflect the potential financial impact. Mitigation actions may include flagging or quarantining the message, reviewing the associated disposable domains, and updating the suspicious TLD list. The rule's domain indicators derive from inbound email traffic and the associated domain-name signals, so they can be correlated with other indicators of compromise to support rapid blocking or takedown.
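The two header signals the rule combines, reproduced here as a stand-alone Python check over constructed sample messages. This is an added illustration, not the Sublime rule itself; the TLD set below is a placeholder for the rule's real $suspicious_tlds list, which is not reproduced on this page.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Placeholder standing in for the rule's $suspicious_tlds variable (assumed values,
# not the maintained list). The real list is managed by the rule's authors.
SUSPICIOUS_TLDS = {"xyz", "top", "icu", "cfd"}

SUBJECT_PREFIX = "investment into"


def sender_tld(raw_message: str) -> str:
    """Lowercase TLD of the From: address, or '' if the header cannot be parsed.

    policy.default decodes RFC 2047 header encoding so display names do not
    interfere with the address extraction.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    return domain.rsplit(".", 1)[-1] if "." in domain else ""


def subject_matches(raw_message: str) -> bool:
    """True when the Subject begins with 'investment into' (case-insensitive)."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    return subject.startswith(SUBJECT_PREFIX)


def evaluate(raw_message: str, suspicious_tlds=SUSPICIOUS_TLDS) -> dict:
    """Return each signal separately plus the verdict, so triage can see which fired.

    As in the rule, BOTH signals must fire for the message to be flagged.
    """
    tld = sender_tld(raw_message)
    subj = subject_matches(raw_message)
    tld_hit = tld in suspicious_tlds
    return {"subject_match": subj, "sender_tld": tld,
            "suspicious_tld": tld_hit, "flagged": subj and tld_hit}


# Constructed sample messages (not real traffic); addresses and domains are invented.
HIT = ('From: "M. Harlow" <m.harlow@harlowfamilyoffice-k3x9.xyz>\n'
       'Subject: Investment into your company\n\nHello,\n')
MISS_TLD = 'From: partner@example.com\nSubject: Investment into your company\n\nHello,\n'
MISS_SUBJECT = 'From: partner@example.xyz\nSubject: Quarterly report\n\nHi,\n'
```

Separating the signals in the result lets an analyst see a near miss (for example, the templated subject from a reputable TLD) without the rule itself firing.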
Categories
  • Network
Data Sources
  • Network Traffic
  • Domain Name
Created: 2026-06-16