
Brand impersonation: Morgan Stanley

Sublime Rules

Summary
This rule detects inbound messages that impersonate Morgan Stanley and contain indicators of credential theft or callback scams. It identifies spoofing attempts by normalizing the sender display name (using confusable mapping and Levenshtein distance) and by running NLU over the message to find Morgan Stanley references among the org/sender entities. The rule requires Morgan Stanley mentions in the body, and explicitly checks for the secure Morgan Stanley contact (secure.emailhelp@morganstanley.com) or other brand signals.

A combination of indicators is used: Client Service Center, Financial Advisor/Portfolio Manager references, Secure Mail, payment or registration cues, and calls to action such as "Click here to view" or "see payment activity". The rule also enforces context signals, requiring credential theft or callback scam intents with high confidence, and ensures the message is not from known legitimate domains without a DMARC pass. It further excludes messages routed through encrypted or hosted gateways (e.g., X-ProofpointSecure, pphosted.com) to reduce false positives.

The detection relies on content analysis, natural language understanding, and sender analysis to identify brand impersonation phishing. The rule is categorized under Credential Phishing and treats impersonation and social engineering as the techniques that mark high-risk messages targeting Morgan Stanley recipients.
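The sender-side check described in the summary (confusable mapping, Levenshtein distance, and the legitimate-domain exemption) can be sketched as follows. This is an added example, not the rule's own source: the confusable map is constructed and deliberately small, the distance threshold of 1 and the function names are assumptions, and the DMARC condition is read as "a legitimate domain is exempt only when DMARC passes". The rule's body and NLU conditions are not modelled.

```python
import unicodedata

BRAND = "morganstanley"  # brand name with the space removed
TRUSTED_ROOT_DOMAINS = {"morganstanley.com"}  # assumption, from the contact address
# Constructed, deliberately small confusable map; real tables are far larger.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0455": "s",  # Cyrillic dze
})

def normalize(display_name):
    """Fold compatibility forms and case, then map confusables to ASCII."""
    folded = unicodedata.normalize("NFKC", display_name).casefold()
    return folded.translate(CONFUSABLES)

def levenshtein(a, b):
    """Edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_in_display_name(display_name, max_distance=1):
    """Compare every word and adjacent word pair against the brand."""
    words = normalize(display_name).split()
    candidates = words + [a + b for a, b in zip(words, words[1:])]
    return any(levenshtein(c, BRAND) <= max_distance for c in candidates)

def sender_signal(display_name, root_domain, dmarc_pass):
    """True when the display name imitates the brand and the message is not
    an authenticated one from a trusted domain."""
    if root_domain.lower() in TRUSTED_ROOT_DOMAINS and dmarc_pass:
        return False
    return brand_in_display_name(display_name)
```

On its own this signal would also fire on legitimate third-party mail that names the brand, which is why the rule pairs it with body, intent and gateway conditions.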
Categories
  • Web
  • Application
Data Sources
  • Application Log
  • Process
Created: 2026-06-05