
Summary
This rule flags inbound messages relayed through Google Groups whose body an NLP model classifies, with high confidence, as a callback scam. It matches when the message is inbound, the sender domain is groups.google.com, and an NLU classifier run over the current-thread portion of the body (body.current_thread.text) returns the callback_scam intent with high confidence. The rule therefore targets abuse of Google Groups to distribute fraudulent callback requests: the sender-domain condition restricts it to mail relayed by the Groups service, and the ML content check keeps it from firing on ordinary Groups traffic. Note that the sender-domain condition identifies the relay, not the person who posted; Google Groups is a free service that anyone can use, which is what makes it attractive for this abuse.
Detection methods: Natural Language Understanding, Sender analysis
Severity: Medium
Attack type: Callback Phishing
Tactics and techniques: Free email/group service, Social engineering
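The following is an added Python example, not the rule engine's own code, that evaluates the three conditions above over constructed sample messages. The message fields, the quoted-reply stripping used as a stand-in for body.current_thread.text, and the keyword-based `toy_classifier` that stands in for the real NLU model are all assumptions made for illustration; the real classifier is a trained model, not a regex.

```python
"""Reference evaluator for the Google Groups callback-scam rule.

Added example, not the rule engine's own code. The message shape, the
quoted-reply stripping, the keyword stand-in for the NLU model and all
sample messages below are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable

SENDER_DOMAIN = "groups.google.com"
INTENT = "callback_scam"

# Assumed markers that begin a quoted earlier message in a reply.
_QUOTE_START = re.compile(r"^(On .+ wrote:|-+ ?Original Message ?-+|>)", re.I)

# Constructed cues for the keyword stand-in: a phone number, a request to call, a billing pretext.
_PHONE = re.compile(r"\b\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
_CALL = re.compile(r"\b(call|dial|phone)\b", re.I)
_PRETEXT = re.compile(r"\b(renewed|invoice|charged|subscription|refund|cancel)\b", re.I)


@dataclass
class Intent:
    name: str
    confidence: str  # "low" | "medium" | "high"


@dataclass
class Message:
    direction: str      # "inbound" | "outbound"
    sender_domain: str  # domain part of the sender address (assumed already parsed)
    body: str           # full plain-text body, quoted replies included


def current_thread_text(body: str) -> str:
    """Stand-in for body.current_thread.text: keep only the newest message.
    Stops at the first quoted-reply marker, so a scam merely quoted in a
    reply (e.g. a member warning the group) is not classified again."""
    kept = []
    for line in body.splitlines():
        if _QUOTE_START.match(line.strip()):
            break
        kept.append(line)
    return "\n".join(kept).strip()


def toy_classifier(text: str) -> list[Intent]:
    """Constructed keyword stand-in for the NLU model; NOT the real classifier.
    High confidence needs all three cues, medium needs two, else no intent."""
    hits = sum(bool(p.search(text)) for p in (_PHONE, _CALL, _PRETEXT))
    if hits == 3:
        return [Intent(INTENT, "high")]
    if hits == 2:
        return [Intent(INTENT, "medium")]
    return []


def sender_domain_matches(sender_domain: str) -> bool:
    """Exact, case-insensitive match; a suffix lookalike must not pass."""
    return sender_domain.strip().lower() == SENDER_DOMAIN


def has_high_confidence_intent(intents: list[Intent]) -> bool:
    return any(i.name == INTENT and i.confidence == "high" for i in intents)


def rule_matches(msg: Message, classify: Callable[[str], list[Intent]]) -> bool:
    """inbound AND sender domain == groups.google.com AND high-confidence callback_scam."""
    return (
        msg.direction == "inbound"
        and sender_domain_matches(msg.sender_domain)
        and has_high_confidence_intent(classify(current_thread_text(msg.body)))
    )


def evaluate_samples() -> dict[str, bool]:
    """Run the rule over constructed sample messages; returns name -> matched."""
    scam = (
        "Your Norton subscription was renewed for $399.99.\n"
        "To cancel and get a refund call 1-888-555-0142 now."
    )
    # A group member warns the list and quotes the scam below a reply marker.
    warning = (
        "Heads up, this is fake, I reported it.\n\n"
        "On Mon, 2 Jun 2025 at 09:10, Alice Example wrote:\n"
        + "\n".join("> " + line for line in scam.splitlines())
    )
    samples = {
        "scam_via_groups": Message("inbound", "groups.google.com", scam),
        "scam_from_other_domain": Message("inbound", "example.org", scam),
        "lookalike_domain": Message("inbound", "groups.google.com.evil.example", scam),
        "quoted_scam_in_reply": Message("inbound", "groups.google.com", warning),
        "outbound_copy": Message("outbound", "groups.google.com", scam),
        "no_phone_number": Message("inbound", "groups.google.com", "Please call us about your invoice."),
    }
    return {name: rule_matches(m, toy_classifier) for name, m in samples.items()}
```

Only `scam_via_groups` matches: the same scam from another domain or a suffix lookalike of groups.google.com fails the sender check, a reply that quotes the scam fails because only the current-thread text is classified, and a body with a billing pretext but no phone number only reaches medium confidence. When porting this to a real engine, keep the domain comparison exact rather than a substring or suffix match, and keep the confidence threshold at high; lowering either is the usual source of false positives on legitimate Groups traffic.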
Categories
- Web
- Cloud
Data Sources
- Group
Created: 2026-06-05