Callback Phishing via Signable E-Signature Request

Sublime Rules

Summary
This detection rule identifies potential Callback Phishing attempts that masquerade as legitimate messages from Signable's e-signature service. It applies to inbound messages and evaluates their attributes and content against defined criteria. The sender's domain must be 'signable.app', and SPF or DMARC authentication must pass. The rule then examines the message body for key Callback Phishing indicators: certain brand names (e.g., PayPal, Norton, eBay) and a set of associated terms such as 'payment', 'transaction', and 'support', which must be present at least three times. It also checks for the presence of a phone number. The length of the message body is limited to minimize false positives, and the message must have no attachments, which fits the Callback Phishing context. Overall, the rule covers impersonation attacks that exploit legitimate brand identifiers to extract sensitive information from users.
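The checks described above, sketched in Python as an added example; this is not the rule's own source. The message dictionary layout, the 1500-character body cap, the phone pattern, and the reading of "at least three times" as total term occurrences are assumptions, and the brand and term lists contain only the examples the summary names.

```python
import re

# Only the examples named in the summary; the actual rule's lists are not on this page.
BRANDS = ("paypal", "norton", "ebay")
TERMS = ("payment", "transaction", "support")
MAX_BODY_LEN = 1500  # assumed cap; the summary gives no number
# Assumed North-American style pattern, e.g. +1 (800) 555-0100 or 800-555-0100
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")

def sender_domain(address: str) -> str:
    """Exact domain after the last '@', so look-alike suffixes do not match."""
    return address.rsplit("@", 1)[-1].strip().lower()

def evaluate(msg: dict) -> dict:
    """Return each criterion separately so an analyst can see which one failed."""
    body = msg.get("body", "")
    lower = body.lower()
    auth = msg.get("auth", {})
    term_hits = sum(len(re.findall(rf"\b{t}s?\b", lower)) for t in TERMS)
    return {
        "inbound": msg.get("direction") == "inbound",
        "from_signable": sender_domain(msg.get("from", "")) == "signable.app",
        "authenticated": auth.get("spf") == "pass" or auth.get("dmarc") == "pass",
        "brand": any(re.search(rf"\b{b}\b", lower) for b in BRANDS),
        "terms": term_hits >= 3,
        "phone": PHONE_RE.search(body) is not None,
        "short_body": len(body) < MAX_BODY_LEN,
        "no_attachments": not msg.get("attachments"),
    }

def is_callback_phish(msg: dict) -> bool:
    return all(evaluate(msg).values())

# Constructed sample messages (not real traffic).
SUSPECT = {
    "direction": "inbound", "from": "noreply@signable.app",
    "auth": {"spf": "pass", "dmarc": "pass"}, "attachments": [],
    "body": "PayPal invoice: a payment of $499.99 was approved. If you did not "
            "authorise this transaction, call support at +1 (800) 555-0100.",
}
BENIGN = dict(SUSPECT, body="Jane Smith has sent you 'Tenancy agreement' to sign. "
                            "Click the link to review and sign the document.")
UNAUTHENTICATED = dict(SUSPECT, auth={"spf": "fail", "dmarc": "fail"})

if __name__ == "__main__":
    for name, m in (("suspect", SUSPECT), ("benign", BENIGN), ("unauth", UNAUTHENTICATED)):
        failed = [k for k, ok in evaluate(m).items() if not ok]
        print(name, is_callback_phish(m), "failed:", failed)
```

Returning the per-criterion results makes tuning easier: a missed sample shows which condition (term count, phone pattern, body length) needs adjusting.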
Categories
  • Web
  • Cloud
  • Application
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2025-07-31