
Summary
This detection rule identifies messages sent from a free email provider whose Reply-To header points to an address at a different free email provider. Attackers use this tactic in social engineering schemes such as Business Email Compromise (BEC) and credential phishing: the victim's reply is silently routed to a mailbox the attacker controls rather than to the address that appears in the From header. The rule evaluates several conditions: the sender's domain must appear in a predefined list of free email providers, a Reply-To header must be present, and the Reply-To domain must differ from the sender's domain. Exceptions are carved out for specific services (for example secureserver.net and riseup.net) where a mismatched Reply-To occurs legitimately. Because a mismatched Reply-To alone is not proof of fraud, the rule is a signal for triage rather than a verdict; it reduces, but does not eliminate, the risk of a recipient answering a fraudulent message.
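The logic described above, as an added example run over constructed sample messages; this is illustrative code, not the rule's own implementation. The free-provider list and the shape of the exception check are assumptions: the page does not reproduce the real list or the exact exception conditions, so the example treats the two named services as an allowlist of Reply-To/sender domains that suppress the alert. It follows the opening sentence in requiring the Reply-To domain to be a free provider as well.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed, illustrative list of free webmail providers. The real rule's
# list is not reproduced on the page this example accompanies.
FREE_EMAIL_PROVIDERS = {
    "gmail.com", "outlook.com", "hotmail.com", "yahoo.com",
    "aol.com", "icloud.com", "protonmail.com", "proton.me", "mail.com",
}

# Assumed shape of the rule's exceptions: services named on the page where a
# differing Reply-To is legitimate. Modelled here as an allowlist of domains
# that suppress the alert when they appear as sender or Reply-To.
EXCEPTION_DOMAINS = {"secureserver.net", "riseup.net"}


def header_domain(msg, name):
    """Return the lower-cased domain of the address in header `name`, or None
    when the header is missing or does not contain an address."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def is_suspicious_reply_to(raw_message):
    """Return True when the message matches the detection conditions:
    free-provider sender, Reply-To present, Reply-To domain a different free
    provider, and neither domain in the exception list."""
    msg = message_from_string(raw_message)
    sender_domain = header_domain(msg, "From")
    reply_domain = header_domain(msg, "Reply-To")
    if sender_domain is None or reply_domain is None:
        return False  # no usable Reply-To (or From): nothing to compare
    if sender_domain not in FREE_EMAIL_PROVIDERS:
        return False  # rule only considers free-provider senders
    if reply_domain == sender_domain:
        return False  # same provider: not the pattern being hunted
    if sender_domain in EXCEPTION_DOMAINS or reply_domain in EXCEPTION_DOMAINS:
        return False  # legitimate mismatch per the assumed exception list
    return reply_domain in FREE_EMAIL_PROVIDERS


# Constructed sample messages (headers only matter; bodies are filler).
SAMPLES = {
    "bec_lure": (
        'From: "Pat Ceo" <pat.ceo.office@gmail.com>\n'
        'Reply-To: "Pat Ceo" <pat.ceo.urgent@outlook.com>\n'
        "Subject: Quick favour\n\nAre you at your desk?\n"
    ),
    "display_name_trick": (
        'From: "Accounts Payable" <ap.team.2024@yahoo.com>\n'
        'Reply-To: "Accounts Payable" <ap.team.2024@icloud.com>\n'
        "Subject: Updated banking details\n\nSee attached.\n"
    ),
    "same_provider": (
        "From: alice@gmail.com\nReply-To: alice.work@gmail.com\n"
        "Subject: hello\n\nhi\n"
    ),
    "corporate_sender": (
        "From: helpdesk@example.com\nReply-To: helpdesk.tickets@gmail.com\n"
        "Subject: Ticket 42\n\nresolved\n"
    ),
    "no_reply_to": (
        "From: bob@hotmail.com\nSubject: lunch\n\nnoon?\n"
    ),
    "exception_service": (
        "From: bob@hotmail.com\nReply-To: bob@secureserver.net\n"
        "Subject: hosting renewal\n\nrenewed\n"
    ),
    "malformed_reply_to": (
        "From: bob@hotmail.com\nReply-To: not-an-address\n"
        "Subject: junk\n\n?\n"
    ),
}


def scan_samples():
    """Run the check over every constructed sample and return name -> verdict."""
    return {name: is_suspicious_reply_to(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:20s} {'ALERT' if hit else 'ok'}")
```

The two alerts in the sample set are the classic BEC shape: a plausible display name on a free-provider sender with a Reply-To at another free provider. In production the provider list is the main tuning knob; an incomplete list silently turns real lures into misses, and an overly broad exception list does the same.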
Categories
- Identity Management
- Web
- Application
Data Sources
- User Account
- Web Credential
Created: 2025-05-24