Brand impersonation: DoorDash

Sublime Rules

Summary
This detection rule identifies potential brand impersonation of DoorDash by examining both sender attributes and email content. It looks for indicators in the sender's display name and email domain that match 'DoorDash', using string comparisons that account for slight variations or misspellings. It then confirms that the sender's domain is not one of the legitimate DoorDash domains, and checks for links in the email body, verifying that they do not all point to known DoorDash domains. The rule also analyzes the sender's communication profile for previous behavior, specifically checking for unsolicited messages or any history of malicious activity. It also applies controls for trusted sender domains, so that a recognized domain that fails DMARC authentication does not pass the filter. Together these checks detect phishing campaigns that pose as DoorDash, in particular credential phishing.
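The checks in the summary, sketched in Python as an added example; this is not the Sublime rule's own source. The `Message` model, the `LEGIT_DOMAINS` allowlist, the one-edit misspelling threshold, the `.example` hosts and the way the checks are combined are assumptions, since the page does not give those details.

```python
from dataclasses import dataclass

BRAND = "doordash"
LEGIT_DOMAINS = {"doordash.com"}  # assumed allowlist; the page does not list the rule's domains

@dataclass
class Message:  # hypothetical, simplified message model
    display_name: str
    sender_domain: str
    link_hosts: list
    dmarc_pass: bool
    solicited: bool = False        # sender profile: recipient has engaged before
    prior_malicious: bool = False  # sender profile: earlier messages flagged

def levenshtein(a, b):
    """Edit distance, used to catch one-character misspellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def root_domain(host):
    return ".".join(host.lower().split(".")[-2:])  # naive; no public-suffix list

def looks_like_brand(text):
    t = "".join(ch for ch in text.lower() if ch.isalnum())
    return BRAND in t or levenshtein(t, BRAND) <= 1

def is_impersonation(m, trusted_domains=frozenset()):
    sender = root_domain(m.sender_domain)
    if not (looks_like_brand(m.display_name) or looks_like_brand(sender.split(".")[0])):
        return False                      # no brand signal in the sender
    if sender in LEGIT_DOMAINS:
        return False                      # genuine brand domain
    if not any(root_domain(h) not in LEGIT_DOMAINS for h in m.link_hosts):
        return False                      # no links, or every link goes to the brand
    if m.solicited and not m.prior_malicious:
        return False                      # established, clean correspondent
    if sender in trusted_domains and m.dmarc_pass:
        return False                      # trusted domain is exempt only when DMARC passes
    return True

# Constructed sample messages (not real traffic).
SPOOF = Message("DoorDash Support", "mail.d00rdash-rewards.example", ["login.d00rdash-rewards.example"], True)
GENUINE = Message("DoorDash", "messages.doordash.com", ["www.doordash.com"], True, solicited=True)
TYPO = Message("Doordesh", "partner.example", ["track.partner.example"], False)
```

`TYPO` shows the DMARC control: with `partner.example` passed in `trusted_domains` it is still flagged because DMARC failed, and it would be exempt only if `dmarc_pass` were true.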
Categories
  • Web
  • Identity Management
  • Cloud
  • Application
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2024-01-30