diff --git a/detection-rules/venmo_payment_abuse.yml b/detection-rules/venmo_payment_abuse.yml
new file mode 100644
index 00000000000..28776859f01
--- /dev/null
+++ b/detection-rules/venmo_payment_abuse.yml 
@@ -0,0 +1,20 @@
+name: "Venmo Payment Request Abuse"
+description: "A fraudulent payment request found in the body of the message sent by exploiting Venmo's platform. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment."
+type: "rule"
+severity: "medium"
+source: "type.inbound\nand length(attachments) == 0\nand sender.email.domain.root_domain in (\"venmo.com\")\nand strings.ilike(body.html.display_text, \"*requests $*\")\nand (\n (\n // icontains a phone number\n (\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\+?([lo0-9]{1}.)?\\(?[lo0-9]{3}?\\)?.[lo0-9]{3}.?[lo0-9]{4}.*\\n'\n )\n or regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\+[lo0-9]{1,3}[lo0-9]{10}.*\\n'\n )\n or // +12028001238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*[lo0-9]{3}\\.[lo0-9]{3}\\.[lo0-9]{4}.*\\n'\n )\n or // 202-800-1238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}.*\\n'\n )\n or // (202) 800-1238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\([lo0-9]{3}\\)\\s[lo0-9]{3}-[lo0-9]{4}.*\\n'\n )\n or // (202)-800-1238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\([lo0-9]{3}\\)-[lo0-9]{3}-[lo0-9]{4}.*\\n'\n )\n or ( // 8123456789\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*8[lo0-9]{9}.*\\n'\n )\n and regex.icontains(strings.replace_confusables(body.current_thread.text\n ),\n '\\+[1l]'\n )\n )\n )\n and (\n (\n 4 of (\n strings.ilike(body.html.inner_text, '*you did not*'),\n strings.ilike(body.html.inner_text, '*is not for*'),\n strings.ilike(body.html.inner_text, '*done by you*'),\n regex.icontains(body.html.inner_text, 
\"didn\\'t ma[kd]e this\"),\n strings.ilike(body.html.inner_text, '*Fruad Alert*'),\n strings.ilike(body.html.inner_text, '*Fraud Alert*'),\n strings.ilike(body.html.inner_text, '*fraudulent*'),\n strings.ilike(body.html.inner_text, '*using your PayPal*'),\n strings.ilike(body.html.inner_text, '*subscription*'),\n strings.ilike(body.html.inner_text, '*antivirus*'),\n strings.ilike(body.html.inner_text, '*order*'),\n strings.ilike(body.html.inner_text, '*support*'),\n strings.ilike(body.html.inner_text, '*sincerely apologize*'),\n strings.ilike(body.html.inner_text, '*receipt*'),\n strings.ilike(body.html.inner_text, '*invoice*'),\n strings.ilike(body.html.inner_text, '*Purchase*'),\n strings.ilike(body.html.inner_text, '*transaction*'),\n strings.ilike(body.html.inner_text, '*Market*Value*'),\n strings.ilike(body.html.inner_text, '*BTC*'),\n strings.ilike(body.html.inner_text, '*call*'),\n strings.ilike(body.html.inner_text, '*get in touch with our*'),\n strings.ilike(body.html.inner_text, '*quickly inform*'),\n strings.ilike(body.html.inner_text, '*quickly reach *'),\n strings.ilike(body.html.inner_text, '*detected unusual transactions*'),\n strings.ilike(body.html.inner_text, '*without your authorization*'),\n strings.ilike(body.html.inner_text, '*cancel*'),\n strings.ilike(body.html.inner_text, '*renew*'),\n strings.ilike(body.html.inner_text, '*refund*'),\n strings.ilike(body.html.inner_text, '*+1*'),\n regex.icontains(body.html.inner_text, 'help.{0,3}desk'),\n )\n )\n or regex.icontains(body.current_thread.text,\n 'note from.{0,50}(?:call|reach|contact|paypal)'\n )\n or any(ml.nlu_classifier(body.current_thread.text).intents,\n .name == \"callback_scam\"\n )\n or (\n // Unicode confusables words obfuscated in note\n regex.icontains(body.html.inner_text,\n '\\+\U0001D7ED|\U0001D5FD\U0001D5EE\U0001D606\U0001D5FA\U0001D5F2\U0001D5FB\U0001D601|\U0001D5DB\U0001D5F2\U0001D5F9\U0001D5FD 
\U0001D5D7\U0001D5F2\U0001D600\U0001D5F8|\U0001D5FF\U0001D5F2\U0001D5F3\U0001D602\U0001D5FB\U0001D5F1|\U0001D5EE\U0001D5FB\U0001D601\U0001D5F6\U0001D603\U0001D5F6\U0001D5FF\U0001D602\U0001D600|\U0001D5F0\U0001D5EE\U0001D5F9\U0001D5F9|\U0001D5F0\U0001D5EE\U0001D5FB\U0001D5F0\U0001D5F2\U0001D5F9'\n )\n )\n or strings.ilike(body.html.inner_text, '*kindly*')\n )\n )\n)\n"
+attack_types:
+ - "Callback Phishing"
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Social engineering"
+ - "Impersonation: Brand"
+ - "Evasion"
+detection_methods:
+ - "Natural Language Understanding"
+ - "Content analysis"
+ - "Sender analysis"
+ - "HTML analysis"
+id: "4450639a-04ec-5348-9697-feb7664ca2dd"
+testing_pr: 2238
+testing_sha: afe4cd76f8667e7b3650ac66d4cc3cb539c0ee80
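Review bot: The phone-number gate in `source:` appears never to match a bare, unseparated 10-digit number such as `2028001238` unless it starts with 8 (the `'.*8[lo0-9]{9}.*\\n'` branch, which additionally requires a separate `'\\+[1l]'`): the first pattern has a mandatory `.` between the area code and the exchange, so its shortest match is 11 characters, and every other branch requires a leading `+`, dots, dashes or parentheses. If unseparated 10-digit numbers are meant to be covered, an explicit branch such as `or regex.icontains(strings.replace_confusables(body.current_thread.text), '(^|[^lo0-9])[lo0-9]{10}([^lo0-9]|$)')` closes the gap, with the caveat that it would also match any 10-digit reference or transaction number, so it may be safer to require it together with the keyword block rather than alone in the gate. Separately, `'*using your PayPal*'` and the `paypal` alternation in the `note from` regex read as carried over from a PayPal variant of this rule; if they are intentional because the scam notes name other wallets, a short `// other wallet names seen in Venmo callback notes` comment next to them would keep the next maintainer from pruning them.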