
Headers: iOS/iPadOS mailer with invalid build number

Sublime Rules

Summary
This detection rule identifies emails that purport to originate from iOS or iPadOS devices but whose mailer header carries an invalid or malformed build number. It inspects the email headers, specifically the 'mailer' header field, for the strings 'iPad Mail' or 'iPhone Mail'. When the header contains one of these strings but does not match the regex 'iPad|iPhone Mail \([0-9]{2}' (the shape of a genuine build number), the message is flagged as a potential threat, commonly associated with Business Email Compromise (BEC), fraud, or credential phishing. The rule targets an evasion tactic in which attackers set the mailer identifier to mimic a legitimate Apple client while supplying a build number that is not valid, relying on the spoofed client string alone to pass inspection. By detecting on header analysis, the rule flags suspicious messages before they can deceive recipients or deliver malicious payloads.
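As an added example that is not part of this rule page or Sublime's own rule code, the following Python applies the same header logic to raw messages. It assumes the mailer string lives in the X-Mailer header, and it groups the alternation of the quoted regex so that a bare 'iPad' cannot satisfy the build check on its own.

```python
import re
from email import message_from_string
from typing import Dict, Optional

# Mailer strings identifying Apple's iOS/iPadOS Mail clients (matched case-insensitively).
APPLE_MOBILE_MAILERS = ("ipad mail", "iphone mail")

# A genuine iOS/iPadOS build number opens with two digits, e.g. "iPhone Mail (20E247)".
# The rule summary quotes the pattern 'iPad|iPhone Mail \([0-9]{2}'; the alternation is
# grouped here because, ungrouped, the "iPad" branch alone would match any header
# that merely contains "iPad", regardless of what follows it.
VALID_BUILD_RE = re.compile(r"(iPad|iPhone) Mail \([0-9]{2}", re.IGNORECASE)


def mailer_header(raw_message: str) -> Optional[str]:
    """Return the X-Mailer value, or None if absent (header name is an assumption)."""
    return message_from_string(raw_message).get("X-Mailer")


def has_invalid_apple_build(mailer: Optional[str]) -> bool:
    """True when the mailer claims iPhone/iPad Mail but lacks a valid build number."""
    if not mailer:
        return False
    claims_apple_mobile = any(tag in mailer.lower() for tag in APPLE_MOBILE_MAILERS)
    return claims_apple_mobile and not VALID_BUILD_RE.search(mailer)


def flag_message(raw_message: str) -> bool:
    """Apply the rule to one raw RFC 5322 message string."""
    return has_invalid_apple_build(mailer_header(raw_message))


# Constructed sample messages (not captured mail); only the headers matter here.
SAMPLES = {
    "legit_iphone": "From: a@example.com\nX-Mailer: iPhone Mail (20E247)\nSubject: hi\n\nbody\n",
    "legit_ipad": "From: a@example.com\nX-Mailer: iPad Mail (16B92)\nSubject: hi\n\nbody\n",
    "missing_build": "From: a@example.com\nX-Mailer: iPhone Mail\nSubject: urgent wire\n\nbody\n",
    "bogus_build": "From: a@example.com\nX-Mailer: iPad Mail (build)\nSubject: invoice\n\nbody\n",
    "other_client": "From: a@example.com\nX-Mailer: Outlook 16.0\nSubject: hi\n\nbody\n",
    "no_mailer": "From: a@example.com\nSubject: hi\n\nbody\n",
}


def run_samples() -> Dict[str, bool]:
    """Evaluate every sample; True means the rule would flag the message."""
    return {name: flag_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, flagged in run_samples().items():
        print(f"{name:14} -> {'FLAG' if flagged else 'ok'}")
```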
Categories
  • Web
  • Mobile
  • Identity Management
Data Sources
  • User Account
Created: 2023-07-19