Callback Phishing via Xodo Sign comment

Sublime Rules

Summary
This detection rule identifies callback phishing attempts delivered through emails that appear to originate from legitimate Xodo Sign infrastructure. To trigger, the rule requires at least one recognized brand name, three specific phishing-related terms, and a phone number in the email body. Detection proceeds in several steps: the sender's domain is validated against known legitimate domains and the authentication headers (SPF/DKIM) are checked; the body is scanned for key phrases and regex patterns that indicate phishing, and the message length is capped to improve accuracy; and any accompanying images are evaluated with Optical Character Recognition (OCR) for the same phishing indicators. Together, content analysis, header scrutiny, sender evaluation, and computer vision minimize false positives while effectively identifying potential phishing attempts.
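The detection logic the summary describes, as an added Python example that is not the Sublime rule itself: the brand terms, phishing terms, sender domain, thresholds and phone pattern are assumptions modelled on the summary, the sample message is constructed, and OCR output is treated as a second text source scored with the same indicators.

```python
import re

# Assumed indicator lists and thresholds; the real rule's values are not on this page.
BRAND_TERMS = ("xodo sign", "xodo")
PHISH_TERMS = ("invoice", "charged", "subscription", "renew", "refund",
               "cancel", "purchase", "billing", "support", "call")
LEGIT_SENDER_DOMAINS = {"xodosign.example"}   # placeholder, not the real sending domain
MIN_PHISH_TERMS, MAX_BODY_LEN = 3, 1500
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

def sender_checks(headers):
    """The abuse runs through the legitimate service, so the rule expects the
    sender domain to be Xodo Sign infrastructure AND SPF/DKIM to pass."""
    sender = headers.get("from", "").lower()
    domain = sender.rsplit("@", 1)[-1].strip(">")
    auth = headers.get("authentication-results", "").lower()
    return (domain in LEGIT_SENDER_DOMAINS
            and "spf=pass" in auth and "dkim=pass" in auth)

def text_indicators(text):
    """Collect brand names, phishing terms and phone numbers from one text
    (the email body, or OCR output from an attached image)."""
    low = text.lower()
    return {
        "brands": [b for b in BRAND_TERMS if b in low],
        "terms": [t for t in PHISH_TERMS if re.search(rf"\b{t}\w*", low)],
        "phones": [m.group().strip() for m in PHONE_RE.finditer(text)],
    }

def is_callback_phish(headers, body, ocr_text=""):
    """Flag a short message from legitimate Xodo Sign infrastructure that carries
    a brand name, at least MIN_PHISH_TERMS phishing terms and a phone number,
    counting hits from either the body or the OCR'd image text."""
    if not sender_checks(headers) or len(body) > MAX_BODY_LEN:
        return False
    found = text_indicators(body + "\n" + ocr_text)
    return (bool(found["brands"]) and len(found["terms"]) >= MIN_PHISH_TERMS
            and bool(found["phones"]))

# Constructed sample: a document comment field abused to carry a callback lure.
SAMPLE_HEADERS = {"from": "Xodo Sign <noreply@xodosign.example>",
                  "authentication-results": "mx.example; spf=pass; dkim=pass header.d=xodosign.example"}
SAMPLE_LURE = ("A document was shared with you via Xodo Sign.\nComment: Your annual "
               "subscription invoice of $499.99 has been charged. To cancel or request a "
               "refund call support at (800) 555-0142 within 24 hours.")
SAMPLE_BENIGN = "A document was shared with you via Xodo Sign.\nComment: Please sign by Friday."

if __name__ == "__main__":
    print(is_callback_phish(SAMPLE_HEADERS, SAMPLE_LURE))    # True
    print(is_callback_phish(SAMPLE_HEADERS, SAMPLE_BENIGN))  # False
```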
Categories
  • Web
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Logon Session
  • Process
  • Network Traffic
Created: 2025-04-29