
Summary
This detection rule identifies potential brand impersonation of Blockchain.com, typically seen in credential phishing attempts. The rule assesses inbound emails and evaluates the sender's display name for mentions of 'blockchain', allowing slight deviations (a Levenshtein distance of 1) so that lookalike spellings are captured. It also examines the sender's email domain for references to 'blockchain.com'. Additionally, the rule checks hyperlink URLs in the body of the email for similarity to 'blockchain', and requires that SPF (Sender Policy Framework) authentication fails, since a passing SPF check would indicate a legitimate source. The rule further excludes clearly legitimate domains associated with Blockchain. It aims to counteract social engineering tactics by malicious actors attempting to dupe recipients into divulging credentials.
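The following is an added worked example of the detection logic the summary describes, written for this page and not the rule's own query language or code. It assumes a simplified message model (display name, sender domain, SPF result, body links) and a placeholder allowlist containing only blockchain.com, since the page does not name the legitimate domains it excludes. The sample messages are constructed.

```python
import re
from dataclasses import dataclass, field

# Placeholder allowlist of legitimate sender domains; the rule's real
# exclusion list is not given on the page, so this is an assumption.
LEGIT_DOMAINS = {"blockchain.com"}
TARGET = "blockchain"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike(text: str, target: str = TARGET, max_dist: int = 1) -> bool:
    """True if any alphanumeric token in text is within max_dist edits of target."""
    return any(levenshtein(tok, target) <= max_dist
               for tok in re.findall(r"[a-z0-9]+", text.lower()))


def hostname(url: str) -> str:
    """Extract the host part of an http(s) URL; empty string if not parseable."""
    m = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


@dataclass
class Email:
    display_name: str
    sender_domain: str
    spf_pass: bool
    links: list = field(default_factory=list)


def is_blockchain_impersonation(msg: Email) -> bool:
    """Mirror the rule: flag when SPF fails, the sender is not a known-good
    domain, and the display name, sender domain or a body link resembles
    the brand."""
    if msg.sender_domain.lower() in LEGIT_DOMAINS:
        return False                      # explicit legitimate-domain exclusion
    if msg.spf_pass:
        return False                      # rule requires SPF to fail
    name_hit = lookalike(msg.display_name)
    domain_hit = "blockchain.com" in msg.sender_domain.lower()
    link_hit = any(lookalike(hostname(u)) for u in msg.links)
    return name_hit or domain_hit or link_hit


# Constructed sample messages (not real traffic).
SAMPLES = [
    Email("Blockchain Support", "mail.example.net", False,
          ["https://blockchaln-login.example/verify"]),      # lookalike link, SPF fail
    Email("Blockchain.com", "blockchain.com", True),          # legitimate sender
    Email("Acme Payroll", "acme.example", False,
          ["https://acme.example/hr"]),                       # unrelated brand
    Email("Blockchaim Team", "notify.example", False),        # 1-edit display name
    Email("Blockchain Alerts", "alerts.example", True),       # SPF passes, not flagged
]


def evaluate_all(samples=SAMPLES) -> list:
    """Return the verdict for each sample in order."""
    return [is_blockchain_impersonation(m) for m in samples]


if __name__ == "__main__":
    for m, verdict in zip(SAMPLES, evaluate_all()):
        print(f"{verdict!s:5} {m.display_name!r} <{m.sender_domain}>")
```

Tokenizing on alphanumeric runs means a display name such as "Blockchain.com" or a link host such as "blockchaln-login.example" is compared piece by piece, which is what lets a single-character substitution still match while leaving unrelated hosts untouched. The SPF gate and allowlist are evaluated first so that genuine mail from the brand never reaches the fuzzy checks.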
Categories
- Identity Management
- Web
- Cloud
Data Sources
- User Account
- Application Log
- Web Credential
Created: 2021-02-19