Job scam with specific salary pattern

Sublime Rules

Summary
This detection rule targets potential job scams in email, keying on salary patterns that indicate illegitimacy. It combines natural language understanding (NLU) with regex pattern matching to identify phrases like '$XXX weekly', where 'XXX' is a three-digit number. The rule evaluates both the current email thread and any previous correspondence, and fires when scam-related intent appears together with such a salary mention. To avoid false positives from legitimate services, the rule excludes emails from known domains (e.g., indeed.com, glassdoor.com) that also pass DMARC checks. The threat addressed falls under Business Email Compromise (BEC) and fraud, so the rule belongs in an organization's email defenses against social engineering by scammers.
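The logic the summary describes can be sketched in Python as an added example; it is not the rule's own source. The regex, the `job_scam` field standing in for the NLU verdict, the message layout and the subdomain handling are all assumptions, and the sample messages are constructed.

```python
import re

# "$XXX weekly" with exactly three digits; an assumed rendering of the pattern
# in the summary, since the rule's own regex is not shown on the page.
SALARY_RE = re.compile(r"\$\d{3}(?!\d)\s+weekly\b", re.IGNORECASE)
# The two domains the summary names as examples of the exclusion list.
EXCLUDED_DOMAINS = ("indeed.com", "glassdoor.com")

def is_excluded(sender, dmarc_pass):
    """Exclude only when the domain is known AND DMARC passed."""
    domain = sender.rsplit("@", 1)[-1].lower()
    # Assumption: subdomains of a listed domain count as that domain.
    known = any(domain == d or domain.endswith("." + d) for d in EXCLUDED_DOMAINS)
    return known and dmarc_pass

def is_job_scam(msg):
    """msg["parts"]: current thread first, then previous correspondence.
    Each part carries its text and a job_scam flag that stands in for the
    NLU intent verdict (hypothetical field, set by an upstream classifier)."""
    if is_excluded(msg["from"], msg["dmarc_pass"]):
        return False
    return any(p["job_scam"] and SALARY_RE.search(p["text"]) for p in msg["parts"])

def part(text, job_scam=True):
    return {"text": text, "job_scam": job_scam}

# Constructed sample messages (not real mail).
SAMPLES = {
    "offer": {"from": "hr@example.net", "dmarc_pass": True,
              "parts": [part("Part-time assistant needed, pay is $450 weekly.")]},
    "indeed_ok": {"from": "alerts@indeed.com", "dmarc_pass": True,
                  "parts": [part("New listing: cashier, $600 weekly.")]},
    "indeed_spoof": {"from": "alerts@indeed.com", "dmarc_pass": False,
                     "parts": [part("Personal shopper role, $500 Weekly.")]},
    "four_digit": {"from": "hr@example.net", "dmarc_pass": True,
                   "parts": [part("Senior contractor, $1500 weekly.")]},
    "earlier_msg": {"from": "hr@example.net", "dmarc_pass": True,
                    "parts": [part("Did you get my note?", False),
                              part("Work from home for $350 weekly.")]},
    "no_intent": {"from": "pal@example.net", "dmarc_pass": True,
                  "parts": [part("My allowance was $100 weekly as a kid.", False)]},
}

def run_samples():
    return {name: is_job_scam(m) for name, m in SAMPLES.items()}
```

The `indeed_spoof` case shows why the exclusion is tied to DMARC: a message that only claims a listed domain in its From header is still evaluated.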
Categories
  • Web
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Command
Created: 2026-01-22