
Summary
This detection rule identifies callback phishing attacks that misuse Intuit's QuickBooks services. It looks for fraudulent invoices sent by email from legitimate Intuit infrastructure and requires that the message pass SPF or DMARC authentication. Key indicators of a potential phishing attempt include the absence of attachments, specific brand-related terms in the email body, and patterns consistent with callback phishing, such as phone numbers formatted in various ways. If PDF attachments are present, the rule checks them for specific text patterns that typically indicate phishing. When these indicators occur together (an authorized email domain, suspicious content in the email body, and the presence of certain keywords), the rule flags the message for further investigation.
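The sketch below is an added example, not the rule's own logic: it applies the checks described in the summary to already-parsed messages. The domain list, brand terms, PDF phrases, phone regex, field names and sample messages are all assumptions constructed for illustration.

```python
import re

# Assumed values: the page names no domains, brand terms or patterns.
INTUIT_DOMAINS = {"intuit.com"}
BRAND_TERMS = ("norton", "mcafee", "geek squad", "paypal")
PDF_PATTERNS = ("did not authorize", "to cancel", "call us")
# Phone numbers in several formats: +1 (888) 555-0123, 888.555.0188, 888 555 0199
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

def sender_is_authenticated_intuit(msg):
    """Sender domain is Intuit's (or a subdomain) and SPF or DMARC passed."""
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    in_scope = any(domain == d or domain.endswith("." + d) for d in INTUIT_DOMAINS)
    return in_scope and "pass" in (msg["spf"], msg["dmarc"])

def body_looks_like_callback(body):
    """A brand term together with a phone number in the message body."""
    lowered = body.lower()
    return any(t in lowered for t in BRAND_TERMS) and bool(PHONE_RE.search(body))

def flag_for_investigation(msg):
    if not sender_is_authenticated_intuit(msg):
        return False
    if not msg["attachments"]:
        return body_looks_like_callback(msg["body"])
    # Attachments present: inspect text extracted from PDFs only.
    return any(p in a["text"].lower()
               for a in msg["attachments"] if a["name"].lower().endswith(".pdf")
               for p in PDF_PATTERNS)

# Constructed sample messages (already parsed; PDF text already extracted).
SAMPLES = {
    "callback": {"from": "quickbooks@notification.intuit.com", "spf": "pass",
                 "dmarc": "pass", "attachments": [],
                 "body": "Norton renewal $399.99. To dispute call +1 (888) 555-0123."},
    "invoice": {"from": "quickbooks@notification.intuit.com", "spf": "pass",
                "dmarc": "pass", "attachments": [],
                "body": "Invoice 2210 from Acme Plumbing is due. Pay online."},
    "lookalike": {"from": "billing@intuit.com.example.net", "spf": "pass",
                  "dmarc": "fail", "attachments": [],
                  "body": "McAfee order placed. Call 888 555 0199 to cancel."},
    "pdf": {"from": "quickbooks@notification.intuit.com", "spf": "fail",
            "dmarc": "pass", "body": "Your invoice is attached.",
            "attachments": [{"name": "Invoice.PDF",
                             "text": "If you did not authorize this, call us."}]},
}
RESULTS = {name: flag_for_investigation(m) for name, m in SAMPLES.items()}
```

The `lookalike` sample shows why the sender check compares the full domain suffix: a passing SPF result on `intuit.com.example.net` does not put the message in scope.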
Categories
- Web
- Endpoint
- Identity Management
Data Sources
- User Account
- Network Traffic
- Application Log
- File
Created: 2024-08-20