
Summary
This detection rule identifies possible reconnaissance activity associated with business email compromise (BEC): inbound emails posing as hotel booking inquiries. It matches messages whose Reply-To address belongs to a free email provider and whose domain differs from the sender's domain. The body must contain hotel-booking keywords such as 'hotel', 'booking' and 'accommodation', the message must carry no links or attachments, and it must not be part of an existing thread (a reply or forward). Such messages are characteristic of an attacker probing for live, responsive mailboxes: a harmless-looking inquiry that draws a reply validates the recipient address and opens a conversation without arousing suspicion, which can then be used for phishing or a later BEC attempt.
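The following is an added example, not the rule's own logic, that re-implements the conditions summarised above in Python and runs them over constructed sample messages. The free-mail domain list, the thread heuristic (Re:/Fwd: subject prefixes or In-Reply-To/References headers) and any keywords beyond 'hotel', 'booking' and 'accommodation' are assumptions made for the example; a production rule would use its own maintained lists.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed free-mail provider list (example only; use a maintained list in production).
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com", "proton.me"}

# 'hotel', 'booking' and 'accommodation' come from the rule summary; the rest are assumed.
HOTEL_KEYWORDS = ("hotel", "booking", "accommodation", "reservation", "check-in", "check-out")

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
THREAD_SUBJECT_RE = re.compile(r"(?i)^\s*(re|fw|fwd)\s*:")


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if the header is missing."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def text_parts(msg):
    """Yield (subtype, text) for every inline text part, skipping attachments."""
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            yield part.get_content_subtype(), part.get_content()


def evaluate(raw):
    """Return (matched, conditions): matched is True only when every condition holds."""
    msg = message_from_string(raw, policy=policy.default)
    sender_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])

    parts = list(text_parts(msg))
    # Visible text: tags stripped from HTML so keyword matching sees the same words a user would.
    visible = "\n".join(re.sub(r"<[^>]+>", " ", t) if sub == "html" else t for sub, t in parts).lower()
    # Raw HTML is checked separately so that <a href="..."> links count even without a visible URL.
    html_raw = "\n".join(t for sub, t in parts if sub == "html").lower()

    in_thread = bool(THREAD_SUBJECT_RE.match(msg["Subject"] or "") or msg["In-Reply-To"] or msg["References"])

    conditions = {
        "reply_to_is_free_mail": reply_domain in FREE_MAIL_DOMAINS,
        "reply_to_differs_from_sender": bool(reply_domain) and reply_domain != sender_domain,
        "hotel_keywords_in_body": any(k in visible for k in HOTEL_KEYWORDS),
        "no_links": URL_RE.search(visible) is None and "href=" not in html_raw,
        "no_attachments": not any(p.is_attachment() for p in msg.walk()),
        "not_in_thread": not in_thread,
    }
    return all(conditions.values()), conditions


# Constructed sample messages (not real traffic).
RECON = """\
From: "Alice Traveller" <alice@example-corp.com>
To: reservations@example-hotel.test
Reply-To: alice.traveller@gmail.com
Subject: Accommodation inquiry for March
Content-Type: text/plain; charset=utf-8

Hello, I would like to make a booking at your hotel for 4 nights in March.
Please confirm availability and rates. Regards, Alice
"""

LEGIT = RECON.replace("Reply-To: alice.traveller@gmail.com", "Reply-To: alice@example-corp.com")
WITH_LINK = RECON.replace("Regards, Alice", "Details: https://example.invalid/booking Regards, Alice")
THREAD = RECON.replace("Subject: Accommodation inquiry", "Subject: Re: Accommodation inquiry")

if __name__ == "__main__":
    for name, sample in (("RECON", RECON), ("LEGIT", LEGIT), ("WITH_LINK", WITH_LINK), ("THREAD", THREAD)):
        matched, conds = evaluate(sample)
        failed = [k for k, v in conds.items() if not v]
        print(f"{name}: match={matched}" + (f" (failed: {', '.join(failed)})" if failed else ""))
```

Only the first sample matches: the other three each violate exactly one condition (Reply-To on the sender's own domain, a link in the body, and a reply-prefixed subject respectively), which is a useful way to confirm that each clause of a rule actually contributes before tuning it on real mail.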
Categories
- Web
- Endpoint
- Identity Management
Data Sources
- User Account
- Application Log
Created: 2026-01-28