diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
new file mode 100644
index 00000000000..e45ba323222
--- /dev/null
+++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
@@ -0,0 +1,61 @@
+name: "Callback Phishing NLU body or attachment from first-time sender"
+description: |
+  Detects callback scams by analyzing text within images of receipts or invoices from first time senders.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(attachments) < 5
+  and (
+    any(attachments,
+        (.file_type in $file_types_images or .file_type == "pdf")
+        and any(file.explode(.),
+
+                // exclude images taken with mobile cameras and screenshots from android
+                not any(.scan.exiftool.fields,
+                        .key == "Model"
+                        or .key == "Software" and strings.starts_with(.value, "Android")
+                )
+                and any(ml.nlu_classifier(.scan.ocr.raw).intents,
+                        .name == "callback_scam" and .confidence == "high"
+                )
+        )
+    )
+    or any(ml.nlu_classifier(body.current_thread.text).intents,
+           .name in ("callback_scam")
+           and .confidence == "high"
+           and length(body.current_thread.text) < 1500
+    )
+  )
+  and not (
+    any(headers.domains, .domain == "smtp-out.gcp.bigcommerce.net")
+    and strings.icontains(body.html.raw, "bigcommerce.com")
+  )
+
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and
+  (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+            strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+attack_types:
+  - "Callback Phishing"
+tactics_and_techniques:
+  - "Out of band pivot"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "File analysis"
+  - "Optical Character Recognition"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+id: "b93c6f94-c9a3-587a-8eb5-6856754f8222"
+testing_pr: 931
+testing_sha: 2931bf7121ac1c3637094921a3432f8b4bb948a1