
Summary
This detection rule focuses on identifying impersonation attempts of Dotloop, a platform used for real estate transactions. The rule evaluates inbound email messages where the sender's display name or email domain contains the term 'dotloop', but explicitly excludes messages from verified legitimate domains such as 'dotloop.com' and 'showingtime.com'. It combines several conditions: the sender profile's prevalence must be 'new' or 'outlier' and the message must be unsolicited, or the sender must have previously sent malicious or spam messages. Additionally, to avoid false positives, it requires that the sender's profile has no previous false-positive judgments. The rule also includes a mechanism to disregard highly trusted sender domains unless they fail DMARC authentication, which helps maintain a high detection accuracy. Overall, this rule aids in mitigating the risk of credential phishing and brand impersonation through careful analysis of sender behavior and characteristics.
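The following Python is an added worked example of the logic the summary describes, run over a handful of constructed sample messages; it is not the rule's own query language or the vendor's code. The message and sender-profile field names (display_name, domain, prevalence, solicited, malicious_count, spam_count, false_positive_count, high_trust_domain, dmarc_pass) are assumptions chosen for illustration, not the engine's real schema.

```python
"""Reference implementation of the Dotloop brand-impersonation conditions.

Field names below are illustrative assumptions, not the detection
engine's actual schema. Sample messages are constructed for this example.
"""

# Verified legitimate domains that the rule explicitly excludes.
LEGITIMATE_DOMAINS = {"dotloop.com", "showingtime.com"}


def _is_legitimate_domain(domain: str) -> bool:
    """True for a verified domain or any of its subdomains."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def is_dotloop_impersonation(msg: dict) -> bool:
    """Apply the rule's conditions in order; True means the message is flagged."""
    sender = msg["sender"]
    profile = msg["sender_profile"]

    # 1. Display name or sender domain must mention 'dotloop'.
    mentions_brand = ("dotloop" in sender["display_name"].lower()
                      or "dotloop" in sender["domain"].lower())
    if not mentions_brand:
        return False

    # 2. Exclude mail from the verified legitimate domains.
    if _is_legitimate_domain(sender["domain"]):
        return False

    # 3. Sender must be new/outlier and unsolicited, OR have malicious/spam history.
    new_unsolicited = (profile["prevalence"] in {"new", "outlier"}
                       and not profile["solicited"])
    bad_history = profile["malicious_count"] > 0 or profile["spam_count"] > 0
    if not (new_unsolicited or bad_history):
        return False

    # 4. Suppress senders whose profile carries prior false-positive judgments.
    if profile["false_positive_count"] > 0:
        return False

    # 5. Highly trusted sender domains are ignored unless DMARC fails.
    if sender["high_trust_domain"] and msg["auth"]["dmarc_pass"]:
        return False

    return True


def _make(msg_id, display_name, domain, prevalence="new", solicited=False,
          malicious=0, spam=0, false_pos=0, high_trust=False, dmarc_pass=True):
    """Build a constructed sample message in the assumed shape."""
    return {
        "id": msg_id,
        "sender": {"display_name": display_name, "domain": domain,
                   "high_trust_domain": high_trust},
        "sender_profile": {"prevalence": prevalence, "solicited": solicited,
                           "malicious_count": malicious, "spam_count": spam,
                           "false_positive_count": false_pos},
        "auth": {"dmarc_pass": dmarc_pass},
    }


# Constructed samples covering each branch of the rule.
SAMPLE_MESSAGES = [
    _make("msg-1", "Dotloop Signatures", "dotloop-docs.example"),            # lookalike, new & unsolicited
    _make("msg-2", "Dotloop", "dotloop.com"),                                 # legitimate domain
    _make("msg-3", "Dotloop Team", "mail.showingtime.com"),                   # legitimate subdomain
    _make("msg-4", "Dotloop Alerts", "newsletter.example",
          prevalence="common", solicited=True),                               # established, no history
    _make("msg-5", "Dotloop Alerts", "bulkmailer.example",
          prevalence="common", solicited=True, malicious=1),                  # prior malicious mail
    _make("msg-6", "dotloop", "lookalike.example", false_pos=2),              # prior false positives
    _make("msg-7", "Dotloop Support", "trusted-saas.example", high_trust=True),            # trusted, DMARC pass
    _make("msg-8", "Dotloop Support", "trusted-saas.example", high_trust=True,
          dmarc_pass=False),                                                  # trusted, DMARC fail
    _make("msg-9", "Closing documents", "realestate.example"),                # no brand mention
]


def flagged_ids(messages=SAMPLE_MESSAGES):
    """Return the ids of messages the rule would flag, in input order."""
    return [m["id"] for m in messages if is_dotloop_impersonation(m)]


if __name__ == "__main__":
    print(flagged_ids())  # → ['msg-1', 'msg-5', 'msg-8']
```

The ordering of checks matters for tuning: the legitimate-domain exclusion and the false-positive suppression run before the trust/DMARC gate, so a trusted domain that fails DMARC is still evaluated on sender prevalence and history rather than being flagged on the authentication failure alone.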
Categories
- Cloud
- Web
- Identity Management
- Endpoint
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2023-11-21