BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply

Sublime Rules

Summary
Detects suspicious reply-chain manipulation in inbound email that uses urgent language to pressure action and self-reply tactics to appear legitimate. The rule requires: an inbound message that is a reply to a thread, no attachments, a very short current-thread body (<25 characters), exactly one previous thread in the conversation, and at least one recipient outside the sender's domain. It flags when the sender's display name contains urgent/authoritative keywords or the local part of the sender's email includes terms like task, ceo, or executive. It also checks for evidence that the sender is replying to themselves by finding the sender's email in prior thread content (preamble). The combination of cross-domain recipients, brief current context, and self-reply indicators is consistent with BEC/fraud attempts that try to induce urgency and trust in a narrow, manipulated thread view.

This rule is designed to surface social-engineering and evasion tactics typical of reply-chain fraud, where attackers rely on urgency and limited content to bypass routine verification. It should be used alongside broader email authentication signals (SPF/DKIM/DMARC) and user education, and fine-tuned to minimize false positives in legitimate urgent communications or cross-organization collaborations.

Operational notes: validate matched events with downstream checks (e.g., sender identity verification, out-of-band confirmation). Consider maintaining allowlists for trusted executives and known partners, and monitor for pattern drift (e.g., longer thread bodies or more than one prior thread) that may indicate evolving attacker techniques.
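The conditions listed above, implemented as a stand-alone Python check over constructed sample messages. This is an added illustration, not the Sublime rule's own source: the message fields, the display-name keyword list (the page only says "urgent/authoritative"), the `.test` addresses and the decision to require the keyword check and the self-reply check together (the page does not say whether they are combined with AND or OR) are all assumptions made here. The `drift_indicators` helper reflects the operational note about monitoring for longer bodies or additional prior threads.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed keyword lists. The page names only "task", "ceo" and "executive" for the
# local part and describes the display-name list as "urgent/authoritative".
DISPLAY_NAME_KEYWORDS = ("urgent", "immediate", "asap", "ceo", "executive", "president", "director")
LOCAL_PART_KEYWORDS = ("task", "ceo", "executive")
MAX_CURRENT_BODY_CHARS = 25          # the page's "<25 characters" threshold
DRIFT_CHECKS = ("short_current_body", "single_prior_thread")


@dataclass
class Message:
    """Minimal inbound-message model; field names are this example's, not Sublime's."""
    inbound: bool
    is_reply: bool
    sender_display_name: str
    sender_email: str
    recipients: List[str]
    current_body: str                 # new text above the quoted history
    previous_threads: List[str]       # quoted prior messages (the "preamble")
    attachments: List[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def local_part_of(address: str) -> str:
    return address.rsplit("@", 1)[0].lower()


def evaluate(msg: Message) -> Dict[str, object]:
    """Return each rule condition individually plus the combined verdict."""
    sender_domain = domain_of(msg.sender_email)
    name = msg.sender_display_name.lower()
    local = local_part_of(msg.sender_email)
    preamble = "\n".join(msg.previous_threads).lower()

    checks = {
        "inbound_reply": msg.inbound and msg.is_reply,
        "no_attachments": not msg.attachments,
        "short_current_body": len(msg.current_body.strip()) < MAX_CURRENT_BODY_CHARS,
        "single_prior_thread": len(msg.previous_threads) == 1,
        "cross_domain_recipient": any(domain_of(r) != sender_domain for r in msg.recipients),
        "urgent_or_authority_sender": (
            any(k in name for k in DISPLAY_NAME_KEYWORDS)
            or any(k in local for k in LOCAL_PART_KEYWORDS)
        ),
        # Self-reply evidence: the sender's own address appears in the quoted history.
        "self_reply_in_preamble": msg.sender_email.lower() in preamble,
    }
    return {"match": all(checks.values()), "checks": checks}


def drift_indicators(result: Dict[str, object]) -> List[str]:
    """Names of drift-related conditions that failed while every other condition held.

    A non-empty list is the "pattern drift" case from the operational notes: the
    message looks like the fraud pattern except for body length or thread count.
    """
    checks = result["checks"]
    if not all(v for k, v in checks.items() if k not in DRIFT_CHECKS):
        return []
    return [k for k in DRIFT_CHECKS if not checks[k]]


# Constructed samples (placeholder .test domains, not real organisations).
SUSPICIOUS_SAMPLE = Message(
    inbound=True, is_reply=True,
    sender_display_name="CEO - Urgent",
    sender_email="ceo.tasks@example-lookalike.test",
    recipients=["accounts@example.test"],
    current_body="Need this done today.",
    previous_threads=["From: ceo.tasks@example-lookalike.test\nPlease process the wire I mentioned."],
)

BENIGN_SAMPLE = Message(
    inbound=True, is_reply=True,
    sender_display_name="Dana Reyes",
    sender_email="dana.reyes@partner.test",
    recipients=["alice@example.test"],
    current_body="Thanks, the revised quote is below for review; let me know if anything is off.",
    previous_threads=["From: alice@example.test\nCan you send the quote?"],
)

DRIFT_SAMPLE = Message(
    inbound=True, is_reply=True,
    sender_display_name="CEO - Urgent",
    sender_email="ceo.tasks@example-lookalike.test",
    recipients=["accounts@example.test"],
    current_body="Need this done today, confirm as soon as you see this.",
    previous_threads=[
        "From: ceo.tasks@example-lookalike.test\nPlease process the wire I mentioned.",
        "From: ceo.tasks@example-lookalike.test\nFollowing up on the wire.",
    ],
)

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE), ("drift", DRIFT_SAMPLE)):
        result = evaluate(sample)
        print(label, "match" if result["match"] else "no match", drift_indicators(result))
```

Per-condition output rather than a bare boolean is deliberate: when tuning for the false-positive cases the page mentions (legitimate urgent mail, cross-organization work), seeing which condition fired makes allowlisting and threshold changes easier to justify.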
Categories
  • Identity Management
  • Application
Data Sources
  • Application Log
  • Process
  • Network Traffic
Created: 2026-03-12