
Summary
This rule is designed to detect potential fake email threads that might lead to Business Email Compromise (BEC) or credential phishing attempts. The detection strategy combines multiple indicators from the email subject line, body content, and headers to pinpoint suspicious messages. The rule includes checks for specific patterns commonly associated with fake threads, such as the prefixes 'RE:', 'FWD:', and 'FW:'. It also inspects the structure of the email body to identify potentially fraudulent content such as unsolicited or misplaced financial requests, links to suspicious domains, and excessive whitespace that could indicate spam or phishing attempts. Additionally, it excludes certain common benign indicators such as bounce-backs and Google Calendar invites to reduce false positives. By analyzing sender behavior and applying checks based on Natural Language Understanding (NLU) classifications, the rule aims to filter out malicious content effectively while ensuring legitimate communications are not disrupted.
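The following is an added illustration, not the rule's own logic: a simplified Python model of the indicators the summary lists (reply/forward prefix on a message with no thread headers, financial-request language, links pointing away from the sender's domain, runs of blank lines) together with the bounce-back and Google Calendar negations, run over constructed sample messages. The keyword list stands in for the NLU classification, and the sender addresses, header values, and thresholds are all assumptions.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed heuristics standing in for the rule's indicators. The rule's exact logic
# and its NLU classifier are not on the page, so every pattern below is an assumption.
FAKE_THREAD_PREFIX = re.compile(r"^\s*(re|fwd?)\s*:", re.I)
FINANCIAL_REQUEST = re.compile(r"\b(wire transfer|invoice|payment|bank details|gift cards?)\b", re.I)
LINK_DOMAIN = re.compile(r"https?://([\w.-]+)", re.I)
WHITESPACE_RUN = re.compile(r"(?:[ \t]*\n){12,}")  # a dozen or more blank lines in a row

def sender_domain(msg: Message) -> str:
    return msg.get("From", "").rsplit("@", 1)[-1].strip("<> ").lower()

def is_benign_automation(msg: Message) -> bool:
    # Negations from the summary: bounce-backs and Google Calendar invites (assumed markers).
    frm = msg.get("From", "").lower()
    auto = msg.get("Auto-Submitted", "no").lower() != "no"
    return "mailer-daemon@" in frm or auto or "calendar-notification@google.com" in frm

def fake_thread_indicators(raw: str) -> list[str]:
    """Return the names of the indicators that fire on one raw RFC 822 message."""
    msg = message_from_string(raw)
    if is_benign_automation(msg):
        return []
    hits = []
    # Core signal: a reply/forward prefix while In-Reply-To and References are both
    # absent, i.e. the message claims to continue a thread that never existed.
    if FAKE_THREAD_PREFIX.match(msg.get("Subject", "")) and not (msg.get("In-Reply-To") or msg.get("References")):
        hits.append("reply_prefix_without_thread_headers")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if FINANCIAL_REQUEST.search(body):
        hits.append("financial_request_language")
    own = sender_domain(msg)  # flag links that point away from the sender's own domain
    if any(d.lower() != own and not d.lower().endswith("." + own) for d in LINK_DOMAIN.findall(body)):
        hits.append("link_to_foreign_domain")
    if WHITESPACE_RUN.search(body):
        hits.append("excessive_whitespace")
    return hits

# Constructed sample messages, not real mail.
FAKE_THREAD = (
    "From: cfo@examp1e-corp.test\nSubject: RE: RE: urgent invoice\n\n"
    "As discussed, please process the wire transfer today.\n"
    "Updated bank details: https://pay.docs-share.test/invoice\n" + "\n" * 15 + "Thanks\n"
)
BOUNCE = "From: MAILER-DAEMON@example.com\nSubject: RE: urgent invoice\nAuto-Submitted: auto-replied\n\nUndeliverable\n"
REAL_REPLY = ("From: alice@example.com\nSubject: RE: lunch\nIn-Reply-To: <abc@example.com>\n\n"
              "Sounds good, see https://intranet.example.com/menu\n")
```

Calling `fake_thread_indicators` on the three samples shows every indicator firing on the fake thread, the bounce-back being suppressed by the negation before any check runs, and a genuine reply (thread header present, link on the sender's own domain) producing no hits.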
Categories
- Web
- Endpoint
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2024-02-07