
Summary
The Proofpoint High Impostor Score Detected rule alerts security teams when an email carries a Proofpoint impostor score of 50 or above, a signal of a possible Business Email Compromise (BEC) or impersonation attempt. The impostor score, calculated by Proofpoint, estimates how likely it is that the sender is impersonating a trusted entity. The rule assigns severity dynamically from the score: CRITICAL (80 or above), HIGH (65 to 79), and MEDIUM (50 to 64). Alerts cover emails that could put the business at risk, particularly of financial fraud. The runbook lists specific actions: review the sender information for lookalike domains, establish what the recipients did with the message, and notify the appropriate teams once a BEC is confirmed. The rule is based on Proofpoint's threat reference guide and is currently marked experimental. It is mapped to the MITRE ATT&CK phishing technique. The rule's tests cover several scenarios, confirming that alerts fire with the correct severity for different impostor scores and that scores below the 50 threshold, including those just under it, do not generate unnecessary alerts.
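The threshold and severity logic described above, written out as an added example in the Python style Panther detections use. This is illustrative code, not the rule's own implementation: the event field names (`impostorScore`, `sender`, `recipient`, `subject`), the `TRUSTED_DOMAINS` list, the lookalike-domain heuristic used to support the runbook's "review the sender" step, and the sample log events are all assumptions constructed for this example.

```python
# Added example (not the Proofpoint rule's own code): a Panther-style detection
# that alerts on an impostor score >= 50 and maps the score to a severity band.
# Field names and sample events below are assumptions, constructed for illustration.

IMPOSTOR_THRESHOLD = 50
# (minimum score, severity), evaluated from the highest band down
SEVERITY_BANDS = ((80, "CRITICAL"), (65, "HIGH"), (50, "MEDIUM"))
# Assumed list of the organisation's own domains, used for the lookalike hint
TRUSTED_DOMAINS = ("example.com",)


def get_score(event):
    """Return the impostor score as an int, or None if absent or unparseable.
    Proofpoint may deliver the score as a string, so coerce defensively."""
    raw = event.get("impostorScore")
    if raw is None:
        return None
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def rule(event):
    """Fire only when a score is present and at or above the threshold."""
    score = get_score(event)
    return score is not None and score >= IMPOSTOR_THRESHOLD


def severity(event):
    """Dynamic severity: CRITICAL 80+, HIGH 65-79, MEDIUM 50-64."""
    score = get_score(event)
    if score is None:
        return "DEFAULT"
    for floor, level in SEVERITY_BANDS:
        if score >= floor:
            return level
    return "DEFAULT"  # below threshold; rule() would not have fired


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender, trusted_domains=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain the sender's domain resembles, or None.
    Exact matches are not lookalikes; near misses (typosquats) are."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted_domains:
        return None
    for trusted in trusted_domains:
        if edit_distance(domain, trusted) <= max_distance:
            return trusted
    return None


def title(event):
    return (f"Proofpoint impostor score {get_score(event)} from "
            f"{event.get('sender', '<unknown>')} to {event.get('recipient', '<unknown>')}")


def dedup(event):
    """Group repeated sends from one sender into a single alert."""
    return event.get("sender", "unknown")


def alert_context(event):
    """Context an analyst needs for the runbook steps (sender review, recipient actions)."""
    sender = event.get("sender", "")
    return {
        "score": get_score(event),
        "sender": sender,
        "recipient": event.get("recipient"),
        "subject": event.get("subject"),
        "lookalike_of": lookalike_of(sender) if sender else None,
    }


# Constructed sample events (not real Proofpoint output)
SAMPLE_EVENTS = [
    {"impostorScore": 49, "sender": "news@vendor.net", "recipient": "ap@example.com"},
    {"impostorScore": 50, "sender": "ceo@examp1e.com", "recipient": "ap@example.com"},
    {"impostorScore": "72", "sender": "cfo@exarnple.com", "recipient": "ap@example.com"},
    {"impostorScore": 91, "sender": "ceo@example.co", "recipient": "ap@example.com"},
    {"sender": "it@example.com", "recipient": "ap@example.com"},
]


def evaluate(events):
    """Run the rule over events; return (severity, lookalike_of) per firing event."""
    return [(severity(e), alert_context(e)["lookalike_of"]) for e in events if rule(e)]


if __name__ == "__main__":
    for result in evaluate(SAMPLE_EVENTS):
        print(result)
```

The boundary values matter: 49 stays silent, 50 is MEDIUM, 64 is still MEDIUM, 65 is HIGH, 79 is still HIGH, and 80 is CRITICAL. A missing or non-numeric score is treated as "no score" rather than as zero so a malformed event neither fires nor crashes the rule; the lookalike hint is deliberately conservative (edit distance of 2 or less) and is only a prompt for the analyst's review, not a verdict.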
Categories
- Cloud
- Web
- Identity Management
- Endpoint
Data Sources
- User Account
- Network Traffic
- Application Log
ATT&CK Techniques
- T1566
Created: 2026-02-12