
Brand impersonation: Amazon

Sublime Rules

Summary
This rule detects brand impersonation of Amazon, specifically fake shipping notifications, by combining header and sender analysis. It looks for Amazon lookalikes in the sender's display name and email address, such as slight misspellings or Amazon-related names (e.g. 'amazon.com', 'amazon pay'). Messages from known legitimate Amazon sending domains are exempted, but only when they pass DMARC authentication, so a spoofed From address on a legitimate Amazon domain that fails authentication is still flagged, and a DMARC pass on an attacker-controlled lookalike domain earns no exemption. These conditions are combined to minimize false positives while still catching phishing that trades on the Amazon brand, one of the most commonly impersonated.
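The logic described above, written out as an added Python example (this is not the rule's own MQL and not code from Sublime Security). The allowlist of legitimate Amazon domains, the lookalike patterns and the sample headers are all constructed assumptions for illustration; the real rule carries its own lists. The example goes slightly beyond the summary by checking the brand string in the sender domain's labels as well as in the display name, and by treating subdomains of an allowlisted domain as legitimate.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed allowlist of legitimate Amazon sending domains. This is an
# assumption for the example; the real rule carries its own list.
LEGIT_AMAZON_DOMAINS = {"amazon.com", "amazon.co.uk", "amazon.de", "amazonpay.com"}

# Display-name lookalikes: "amazon" with common swaps (0 for o, rn for m),
# optionally followed by a sub-brand or shipping-related word. Separators are
# stripped before matching, so "A m a z o n", "Amazon.com" and "AMAZ0N-Pay" all hit.
NAME_BRAND = re.compile(
    r"^(?:the)?(?:am|arn)az[o0]n"
    r"(?:com|pay|prime|shipping|delivery|orders?|support|customerservice)?$"
)

# Domain lookalikes: the brand must be a whole hyphen-delimited word inside a
# label ("amazon-orders-update.com", "track.amaz0n-delivery.net"). Strict
# boundaries trade some recall ("myamazon.com" is missed) for fewer false
# positives on names like "amazonia-tours.example".
DOMAIN_BRAND = re.compile(r"(?:^|-)(?:am|arn)az[o0]n(?:-|$)")


@dataclass
class Message:
    display_name: str   # From: display name as rendered to the user
    sender_domain: str  # domain part of the From: address
    dmarc_pass: bool    # result of the receiver's DMARC evaluation


def normalize(s: str) -> str:
    """Lower-case and drop every non-alphanumeric character."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def is_legit_amazon_domain(domain: str) -> bool:
    """True for an allowlisted domain or any subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == a or d.endswith("." + a) for a in LEGIT_AMAZON_DOMAINS)


def name_impersonates_amazon(display_name: str) -> bool:
    return NAME_BRAND.match(normalize(display_name)) is not None


def domain_impersonates_amazon(domain: str) -> bool:
    labels = domain.lower().rstrip(".").split(".")
    # skip the TLD; brand strings never appear there
    return any(DOMAIN_BRAND.search(label) for label in labels[:-1])


def is_amazon_impersonation(msg: Message) -> bool:
    brand_signal = (name_impersonates_amazon(msg.display_name)
                    or domain_impersonates_amazon(msg.sender_domain))
    if not brand_signal:
        return False
    # Legitimate Amazon domains are exempt only when DMARC passes: a spoofed
    # From on amazon.com that fails authentication is still flagged, and a
    # DMARC pass on an attacker-controlled lookalike domain earns no exemption.
    if is_legit_amazon_domain(msg.sender_domain) and msg.dmarc_pass:
        return False
    return True


# Constructed sample headers (not real traffic).
SAMPLE_MESSAGES = [
    Message("Amazon.com", "amazon.com", True),                     # legit, authenticated
    Message("Amazon.com", "amazon.com", False),                    # spoofed From, DMARC fail
    Message("Amazon Shipping", "secure-mail.net", True),           # lookalike name, unrelated domain
    Message("AMAZ0N Pay", "notify.example", False),                # digit swap
    Message("Customer Service", "amazon-orders-update.com", True), # brand in domain label
    Message("Jane Doe", "shipment-tracking.amazon.com", True),     # legit subdomain
    Message("Amazonia Tours", "amazonia-tours.example", True),     # benign near-miss
]


def flagged_indices(messages: List[Message]) -> List[int]:
    """Indices of messages the rule would flag."""
    return [i for i, m in enumerate(messages) if is_amazon_impersonation(m)]


if __name__ == "__main__":
    for i in flagged_indices(SAMPLE_MESSAGES):
        m = SAMPLE_MESSAGES[i]
        print(f"FLAG: {m.display_name!r} <@{m.sender_domain}> dmarc_pass={m.dmarc_pass}")
```

Note the order of the checks: the DMARC result is only consulted to decide whether an allowlisted domain earns an exemption. Treating a DMARC pass on its own as a sign of legitimacy would let any attacker who sets up SPF/DKIM on a lookalike domain walk straight past the rule.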
Categories
  • Identity Management
  • Web
  • Cloud
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
  • Process
Created: 2021-02-19