Multi-actor BEC handoff chain — email references a named or titled third party (recruiter, HR, legal counsel, executive, account manager) handing off to the victim, combined with a finance or credential request (wire transfer, ACH, bank details, DocuSign, gift card, SSO login), suggesting a "social-proof introduction → payment/credential attack" chain
multi-actor-bec-handoff-chain
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Detects the "multi-actor handoff" Business Email Compromise chain, in which the attacker references a named or titled third party (recruiter, HR representative, hiring manager, legal counsel, CFO, account manager) who has allegedly introduced the victim to, or handed the victim off to, the attacker's persona. The social-proof introduction ("Your recruiter Sarah has passed your details to our finance team", "I've asked John, our CFO, to reach out", "on behalf of the executive team — please submit your banking details") lowers the victim's guard before the financial or credential request.

The signal co-requires both of the following:
(1) multi-party handoff language (third-party intro, on-behalf-of, cc'ing a department, handing this over), AND
(2) a finance or credential request (wire transfer, ACH, bank account/routing number, DocuSign, gift card, SSO login link, direct deposit form).

Implemented as a single-email text-pattern signal; a DB-join enhancement using correspondent_first_seen timestamps is deferred to a future round. Does not fire for bulk mailers (List-Unsubscribe present), real reply threads (In-Reply-To present), or protected sender domains.

Source: RT-R8MA-C1B; FBI IC3 BEC advisory 2023-2025; CISA BEC awareness guidance.
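The co-requirement and the three exclusions described above can be sketched as follows. This is an added example, not Gorganizer's own code: the regular expressions, the PROTECTED_DOMAINS allowlist, the function names and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed pattern families built from the phrases the description lists.
HANDOFF = re.compile(
    r"\b(?:on behalf of|passed your details|handing (?:this|you) over|"
    r"asked \w+, our [\w ]{1,30}, to reach out|"
    r"(?:recruiter|hiring manager|legal counsel|cfo|account manager)\b"
    r"[^.\n]{0,60}\b(?:introduced|referred|passed|cc'?d))", re.I)
REQUEST = re.compile(
    r"\b(?:wire transfer|ach|bank(?:ing)? (?:details|account)|routing number|"
    r"docusign|gift cards?|sso login|direct deposit)\b", re.I)
PROTECTED_DOMAINS = {"payroll.example"}  # hypothetical allowlist

def handoff_chain_signal(raw: str) -> bool:
    """True only when both pattern families co-occur and no guard applies."""
    msg = message_from_string(raw)
    # Guards: bulk mailers and real reply threads never fire.
    if msg["List-Unsubscribe"] or msg["In-Reply-To"]:
        return False
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in PROTECTED_DOMAINS:
        return False
    parts = [p.get_payload(decode=True).decode(errors="replace")
             for p in msg.walk() if p.get_content_type() == "text/plain"]
    text = msg.get("Subject", "") + "\n" + "\n".join(parts)
    return bool(HANDOFF.search(text) and REQUEST.search(text))

# Constructed sample messages (not real mail).
_BODY = ("Your recruiter Sarah has passed your details to our finance team. "
         "Please return the direct deposit form with your routing number.\n")
SAMPLES = {
    "chain": "From: a@vendor.test\nSubject: Onboarding\n\n" + _BODY,
    "handoff_only": "From: a@vendor.test\nSubject: Intro\n\n"
                    "On behalf of the executive team, welcome aboard.\n",
    "request_only": "From: a@vendor.test\nSubject: Invoice\n\n"
                    "Please send the wire transfer today.\n",
    "reply": "From: a@vendor.test\nIn-Reply-To: <1@vendor.test>\n\n" + _BODY,
    "bulk": "From: a@vendor.test\nList-Unsubscribe: <mailto:u@vendor.test>\n\n" + _BODY,
    "protected": "From: hr@payroll.example\nSubject: Form\n\n" + _BODY,
}

def run_samples() -> dict:
    return {name: handoff_chain_signal(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{name:13} fired={fired}")
```

Only the "chain" sample fires; the same body is suppressed once a reply header, a bulk-mail header or a protected sender domain is present, and either pattern family alone is not enough.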
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.