
Summary
This detection rule identifies potential impersonation attacks that appear to originate from Facebook's email domains. It targets inbound messages whose subject line contains the phrase 'action required', a common phishing tactic for creating urgency and pressuring recipients into acting immediately. The rule filters for messages whose sender domain is either 'facebook.com' or 'facebookmail.com' and checks the subject and body for phrases often used in such attacks, such as invitations to join services or references to Meta affiliations. It also applies contextual checks, including the age of any links in the email and the presence of known phrases associated with corporate addresses, and uses machine learning to analyse links for credential-theft intent. By combining these signals, the rule aims to detect such phishing attempts more effectively, at medium severity.
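The checks described above, as an added Python example that is not the rule's own code or its author's implementation. The sender-domain and 'action required' checks follow the summary directly; the body phrase list, the domain-age table, the 30-day age threshold and the heuristic `credential_theft_score` (a stand-in for the real machine-learning link analysis) are assumptions constructed for this example, and requiring at least one suspicious link before the rule fires is this example's choice of how to combine the signals. The sample messages are constructed.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Domains the rule treats as Facebook senders (from the rule summary).
TRUSTED_DOMAINS = {"facebook.com", "facebookmail.com"}

# Assumed phrases approximating the rule's "invitation" and "Meta affiliation" checks.
BODY_PHRASES = ("invited you to join", "join now", "a meta company", "from meta")

# Constructed registration dates standing in for a real domain-age lookup (WHOIS / passive DNS).
DOMAIN_REGISTERED = {
    "facebook.com": date(1997, 3, 29),
    "meta-account-review.example": date(2025, 11, 10),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    received: date


@dataclass
class Verdict:
    matched: bool
    severity: str = "none"
    reasons: list = field(default_factory=list)


def sender_domain(sender: str) -> str:
    """Lower-cased domain of the From address."""
    _, addr = parseaddr(sender)
    return addr.rpartition("@")[2].lower()


def link_age_days(url: str, today: date) -> Optional[int]:
    """Age in days of the link's hostname, or None when the domain is unknown."""
    host = (urlparse(url).hostname or "").lower()
    registered = DOMAIN_REGISTERED.get(host)
    return (today - registered).days if registered else None


def credential_theft_score(url: str) -> float:
    """Heuristic stand-in (assumption) for the rule's ML link analysis: a Facebook/Meta
    brand name in a non-Facebook hostname plus a login-style path scores high."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    score = 0.0
    if any(brand in host for brand in ("facebook", "meta")) and host not in TRUSTED_DOMAINS:
        score += 0.6
    if re.search(r"(login|signin|verify|password)", parsed.path, re.IGNORECASE):
        score += 0.3
    return min(score, 1.0)


def evaluate(msg: Message, max_link_age_days: int = 30, ml_threshold: float = 0.7) -> Verdict:
    """Apply the checks in order; the rule fires only when all of them hold."""
    verdict = Verdict(matched=False)
    if sender_domain(msg.sender) not in TRUSTED_DOMAINS:
        return verdict
    if "action required" not in msg.subject.lower():
        return verdict
    text = msg.body.lower()
    if not any(phrase in text for phrase in BODY_PHRASES):
        return verdict
    verdict.reasons.append("facebook sender + 'action required' + invitation/meta phrasing")

    suspicious_links = []
    for url in URL_RE.findall(msg.body):
        age = link_age_days(url, msg.received)
        if age is not None and age <= max_link_age_days:
            suspicious_links.append(f"young domain ({age}d): {url}")
        if credential_theft_score(url) >= ml_threshold:
            suspicious_links.append(f"credential-theft intent: {url}")
    if not suspicious_links:
        return verdict  # legitimate-looking notification: no link signal, no alert
    verdict.reasons.extend(suspicious_links)
    verdict.matched = True
    verdict.severity = "medium"
    return verdict


# Constructed sample messages.
SAMPLE_PHISH = Message(
    sender="Facebook <notification@facebookmail.com>",
    subject="Action Required: confirm your account",
    body="Your colleague invited you to join a new group. Confirm here: "
         "http://meta-account-review.example/login",
    received=date(2025, 11, 18),
)
SAMPLE_BENIGN = Message(
    sender="Facebook <notification@facebookmail.com>",
    subject="Action required: review your settings",
    body="You were invited you to join a group. Help: https://facebook.com/help",
    received=date(2025, 11, 18),
)

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(evaluate(sample))
```

Each check short-circuits, so a message from any other sender domain never reaches the body or link analysis; the young-domain and link-intent reasons are kept in the verdict so an analyst can see which signal fired.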
Categories
- Web
- Application
- Identity Management
Data Sources
- User Account
- Web Credential
Created: 2025-11-18