
Callback Phishing via extensionless rfc822 attachment

Sublime Rules

Summary
This detection rule flags potential callback phishing delivered through an extensionless rfc822 email attachment that contains an image. It inspects inbound messages for attachments with an unknown file type and a content type indicating rfc822 format, runs Optical Character Recognition (OCR) on the images inside them, and searches the extracted text for common callback phishing terms (purchases, subscriptions, invoices and other financial transactions); at least four such hits are required for the rule to fire. It also checks the text for brand names commonly impersonated in callback phishing, using Natural Language Understanding (NLU) for contextual analysis. Finally, the sender profile is evaluated: trusted domains are excluded unless the message fails DMARC authentication, which keeps false positives low without exempting a trusted domain that may have been spoofed. Taken together, these checks target social engineering that abuses users' trust in recognisable brands to drive the victim to a phone call.
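The following is an added example, not the Sublime rule itself or any code from Sublime Security: a Python sketch of the detection logic described above, run over a constructed inbound message. The keyword list, brand list and trusted-domain set are assumptions (the page does not reproduce the rule's own lists), the brand regex stands in for the rule's NLU step, and because OCR cannot run offline here the image text is supplied by a stub that returns constructed text for the sample image.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Term and brand lists are ASSUMPTIONS for this example (the page does not
# reproduce the rule's lists); the brand regex stands in for the rule's NLU step.
KEYWORD_RE = re.compile(
    r"\b(purchase|subscription|invoice|renew\w*|charged|payment|transaction|refund)\b",
    re.IGNORECASE)
BRAND_RE = re.compile(r"\b(norton|mcafee|geek squad|paypal)\b", re.IGNORECASE)
TRUSTED_DOMAINS = {"example.com"}  # assumed trusted-sender list
MIN_KEYWORD_HITS = 4


def parse_message(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def extensionless_rfc822_attachments(msg: EmailMessage):
    """Yield message/rfc822 parts whose filename (if any) has no extension."""
    for part in msg.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        if "." not in (part.get_filename() or ""):
            yield part


def image_parts(rfc822_part: EmailMessage) -> list:
    """Image parts nested anywhere inside the attached message."""
    return [p for p in rfc822_part.walk() if p.get_content_maintype() == "image"]


def sender_domain(msg: EmailMessage) -> str:
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()


def dmarc_result(msg: EmailMessage) -> str:
    """dmarc=<result> from Authentication-Results; a missing header is NOT a pass."""
    m = re.search(r"\bdmarc=(\w+)", str(msg.get("Authentication-Results", "")), re.I)
    return m.group(1).lower() if m else "none"


def evaluate(msg: EmailMessage, ocr) -> dict:
    """Apply each condition of the rule and return the sub-results plus verdict."""
    found, ocr_text = False, ""
    for part in extensionless_rfc822_attachments(msg):
        images = image_parts(part)
        if images:
            found = True
            ocr_text += " ".join(ocr(img) for img in images)
    hits = len(KEYWORD_RE.findall(ocr_text))
    brand = BRAND_RE.search(ocr_text)
    domain, dmarc = sender_domain(msg), dmarc_result(msg)
    # A trusted domain is excluded only when DMARC actually passes; a failing or
    # missing result means the domain may be spoofed, so the exclusion is withheld.
    trusted_sender = domain in TRUSTED_DOMAINS and dmarc == "pass"
    return {"attachment_found": found, "keyword_hits": hits,
            "brand": brand.group(1).lower() if brand else None,
            "sender_domain": domain, "dmarc": dmarc,
            "matched": (found and hits >= MIN_KEYWORD_HITS
                        and brand is not None and not trusted_sender)}


# Constructed sample (not a real capture): an inbound message carrying an
# extensionless message/rfc822 attachment that in turn carries an image.
SAMPLE_RAW = """\
From: "Billing Desk" <billing@mail-notify.example.net>
Subject: Your order confirmation
Authentication-Results: mx.example.com; dmarc=fail header.from=mail-notify.example.net
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: message/rfc822
Content-Disposition: attachment

From: receipts@mail-notify.example.net
Subject: Receipt
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: image/png; name="receipt.png"
Content-Disposition: attachment; filename="receipt.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--inner--
--outer--
"""

# Stand-in for the OCR engine: constructed text for the sample image (the phone
# number is a reserved fictitious one).
FAKE_OCR_TEXT = {"receipt.png": (
    "Thank you for your purchase. Your Norton 360 subscription has been renewed. "
    "Invoice NO-4471. Amount charged: $349.99. If you did not authorize this "
    "transaction, call +1 (800) 555-0199 within 24 hours for a refund.")}


def fake_ocr(img: EmailMessage) -> str:
    return FAKE_OCR_TEXT.get(img.get_filename() or "", "")
```

Running evaluate(parse_message(SAMPLE_RAW), fake_ocr) returns a verdict of matched because the attachment is found, the OCR text yields seven keyword hits and a brand, and the sender is not a trusted domain. Changing the sender to a trusted domain with dmarc=pass suppresses the match, while a trusted domain with dmarc=fail (or no Authentication-Results header at all) is still flagged, which is the behaviour the DMARC clause in the summary describes.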
Categories
  • Endpoint
  • Cloud
  • Web
  • Identity Management
Data Sources
  • File
  • User Account
  • Network Traffic
  • Application Log
Created: 2024-02-21