
Summary
This inbound email/BEC detection rule flags messages that contain links to newly registered domains (domains with days_old < 60) together with invoice/payment–themed language designed to prompt user action. It requires 0 < length(body.current_thread.links) < 15 and validates each link by resolving the domain's registration age via whois and checking that the link display text includes an action verb such as view, click, download, check, or validate. The subject line must contain invoice/purchase-related terms (e.g., invoice, payment, wire, agreement), and the body text is scanned for payment/invoice terminology (e.g., wire, ACH, urgent, confirm, document). The rule applies ML/NLU classification to detect credential-theft or BEC intent (intents named cred_theft or bec with non-low confidence) or relevant tags (invoice, payment). It explicitly filters out messages classified as benign and excludes highly trusted sender domains when DMARC authentication passes. This combination of header, sender, and URL analysis with NLP signals targets social-engineering–driven BEC carrying malicious links while reducing false positives from trusted senders.
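The conditions described above, re-implemented in Python over constructed sample messages as an added example (this is not the rule's own query language, which the page does not reproduce). The whois lookup, DMARC result and NLU classifier output are stand-ins; the domain names, registration dates, trusted-sender list and the representation of the benign filter as a high-confidence "benign" intent are assumptions made for the example.

```python
"""Model of the new-domain-link + invoice-language BEC rule over constructed messages.

Assumptions (not from the rule itself): whois ages come from a fixed table,
DMARC is a boolean on the message, and the NLU classifier output is supplied
as (intent, confidence) pairs plus tags.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

ACTION_VERBS = ("view", "click", "download", "check", "validate")
SUBJECT_TERMS = ("invoice", "payment", "wire", "agreement")
BODY_TERMS = ("wire", "ach", "urgent", "confirm", "document")
MALICIOUS_INTENTS = ("cred_theft", "bec")
PAYMENT_TAGS = ("invoice", "payment")
MAX_DOMAIN_AGE_DAYS = 60
MAX_LINKS = 15

# Constructed stand-ins: a whois table and a trusted-sender list.
WHOIS_CREATED = {
    "bank-example.com": date(2005, 3, 14),
    "statements-bank-example.net": date(2026, 4, 20),
    "invoice-portal-secure.top": date(2026, 4, 10),
}
TRUSTED_SENDER_DOMAINS = {"bank-example.com"}
TODAY = date(2026, 5, 1)  # fixed so domain ages are deterministic


@dataclass
class Link:
    href_url: str
    display_text: str


@dataclass
class NluResult:
    intents: list[tuple[str, str]]  # (intent name, confidence)
    tags: list[str]


@dataclass
class Message:
    sender_domain: str
    subject: str
    body_text: str
    links: list[Link]
    dmarc_pass: bool
    nlu: NluResult


def domain_days_old(domain: str) -> int | None:
    """Stand-in for a whois lookup; None when the domain is unknown."""
    created = WHOIS_CREATED.get(domain)
    return None if created is None else (TODAY - created).days


def contains_any(text: str, terms: tuple[str, ...]) -> bool:
    """Case-insensitive whole-word match so 'ach' does not hit 'machine'."""
    pattern = r"\b(?:" + "|".join(re.escape(t) for t in terms) + r")\b"
    return re.search(pattern, text, re.IGNORECASE) is not None


def suspicious_link(link: Link) -> bool:
    """Newly registered domain AND action-verb display text."""
    domain = urlparse(link.href_url).hostname or ""
    age = domain_days_old(domain)
    return age is not None and age < MAX_DOMAIN_AGE_DAYS and contains_any(link.display_text, ACTION_VERBS)


def nlu_flags(nlu: NluResult) -> bool:
    intent_hit = any(name in MALICIOUS_INTENTS and conf != "low" for name, conf in nlu.intents)
    tag_hit = any(tag in PAYMENT_TAGS for tag in nlu.tags)
    return intent_hit or tag_hit


def classified_benign(nlu: NluResult) -> bool:
    # Assumed representation of the rule's benign filter.
    return any(name == "benign" and conf == "high" for name, conf in nlu.intents)


def matches(msg: Message) -> bool:
    """True when every condition of the rule holds and no exclusion applies."""
    if not 0 < len(msg.links) < MAX_LINKS:
        return False
    if not any(suspicious_link(link) for link in msg.links):
        return False
    if not contains_any(msg.subject, SUBJECT_TERMS) or not contains_any(msg.body_text, BODY_TERMS):
        return False
    if not nlu_flags(msg.nlu) or classified_benign(msg.nlu):
        return False
    if msg.dmarc_pass and msg.sender_domain in TRUSTED_SENDER_DOMAINS:
        return False  # trusted sender with DMARC pass is excluded
    return True


# Constructed sample messages.
SAMPLES = {
    "bec_new_domain": Message(
        "partner-example.org", "Invoice #4421: payment due",
        "Please confirm the wire details, this is urgent.",
        [Link("https://invoice-portal-secure.top/inv/4421", "View invoice")],
        False, NluResult([("bec", "high")], ["invoice"])),
    "trusted_dmarc_pass": Message(
        "bank-example.com", "Your invoice is ready",
        "Your monthly document is available. Please confirm receipt.",
        [Link("https://statements-bank-example.net/view", "View statement")],
        True, NluResult([("benign", "medium")], ["invoice"])),
    "no_action_verb": Message(
        "partner-example.org", "Invoice #4421: payment due",
        "Please confirm the wire details, this is urgent.",
        [Link("https://invoice-portal-secure.top/x", "https://invoice-portal-secure.top/x")],
        False, NluResult([("bec", "high")], [])),
}


def evaluate_samples() -> dict[str, bool]:
    return {name: matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

The trusted-sender sample shows why the DMARC condition matters: the same link and wording from a spoofed sender without DMARC pass would not be excluded, so the allowlist only suppresses alerts when the sender identity is authenticated.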
Categories
- Endpoint
- Web
- Application
Data Sources
- Application Log
- Network Traffic
- Process
- Domain Name
Created: 2026-05-01