Brand impersonation: Chase Bank

Sublime Rules

Summary
This detection rule identifies phishing attempts that impersonate Chase Bank in order to collect sensitive information such as personal identification details and credentials. The rule analyzes incoming messages for a fraudulent sender display name, specifically one that closely resembles 'Chase Sapphire', 'Chase Card Services', or 'United MileagePlus'. The detection methodology combines string comparison techniques such as 'ilike' (case-insensitive substring match) and 'ilevenshtein' (case-insensitive edit-distance match) to catch minor variations and lookalike names. It also checks whether the sender's email domain is untrusted and examines the message's prevalence based on the sender's historical behavior. As an additional safeguard, trusted domains are negated unless the message fails DMARC authentication, so that genuine communications are not flagged as threats. Overall, the rule focuses on preventing credential theft by catching phishing that relies on brand impersonation and social engineering.
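The logic summarised above, written out as an added Python illustration; it is not the Sublime rule itself, and the message fields, the edit-distance threshold and the trusted-domain list are assumptions made for the example.

```python
# Added illustration of the detection logic; not the Sublime rule. The Message
# fields, MAX_DISTANCE and TRUSTED_DOMAINS are assumptions for this example.
from dataclasses import dataclass

BRAND_NAMES = ("Chase Sapphire", "Chase Card Services", "United MileagePlus")
MAX_DISTANCE = 2                               # assumed lookalike threshold
TRUSTED_DOMAINS = {"chase.com", "united.com"}  # constructed allow-list

@dataclass
class Message:
    display_name: str
    sender_domain: str
    dmarc_pass: bool

def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive Levenshtein (edit) distance, classic row-by-row DP."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def impersonates_brand(display_name: str) -> bool:
    """ilike-style substring check, then edit-distance lookalike check."""
    name = display_name.lower()
    if "chase" in name:  # equivalent of: display_name ilike '%chase%'
        return True
    return any(ilevenshtein(name, brand) <= MAX_DISTANCE for brand in BRAND_NAMES)

def is_chase_phish(msg: Message) -> bool:
    """Brand lookalike from an untrusted sender; trusted domains are negated unless DMARC fails."""
    if not impersonates_brand(msg.display_name):
        return False
    trusted = msg.sender_domain.lower() in TRUSTED_DOMAINS and msg.dmarc_pass
    return not trusted

def flagged_names(messages: list) -> list:
    """Display names of the messages the logic would flag."""
    return [m.display_name for m in messages if is_chase_phish(m)]

# Constructed sample messages
SAMPLES = [
    Message("Chase Sapphire", "chase.com", True),                  # genuine, DMARC pass
    Message("Chase Sapphire", "chase.com", False),                 # trusted domain, DMARC fail
    Message("Chase Card Servlces", "mail-alerts.example", True),   # substring hit
    Message("Unlted MileagePlus", "promo.example", True),          # lookalike, distance 1
    Message("Newsletter", "promo.example", True),                  # unrelated
]
```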
Categories
  • Identity Management
  • Web
  • Cloud
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2021-02-19