
Summary
This rule detects inbound messages that impersonate automobile associations (AAA, CAA, RAC, etc.) and offer vehicle emergency kits or roadside assistance from untrusted senders. It uses a natural language understanding (NLU) classifier to extract organization names from the message body and flags messages where the detected org matches a set of recognized automotive associations (AAA, RAC, RAA, CAA, BCAA, AMA). It also requires the presence of vehicle/emergency-related terms near a reference to a kit, using a regex that searches for keywords like car, vehicle, motor, driver, emergency, roadside, breakdown, assist, save, discount, complimentary, or free before the word kit within a short text window. The rule excludes messages from high-trust sender domains that pass DMARC, and filters out newsletters and quarantine notifications to reduce false positives.

This rule targets email-based threats involving brand impersonation and fraudulent offers to obtain credentials or sensitive information via convincing communications, particularly related to automobile associations’ emergency kits or services.

Attack type: Credential Phishing
Tactics: Impersonation: Brand; Social engineering
Detection methods: Content analysis, Natural Language Understanding, Header analysis, Sender analysis
Categories
- Endpoint
- Web
Data Sources
- Process
- Domain Name
- Network Traffic
Created: 2026-04-25