
Summary
This detection rule flags potential Business Email Compromise (BEC) attempts by identifying messages whose sender display name matches a VIP on a designated list ($org_vips) while the sender's address is new or unrecognized, meaning the organization has no prior history of mail from it. The VIP list must be populated and kept in sync with the organization's upstream email provider, such as Google Workspace or Microsoft 365, so that the names and corporate addresses it holds are accurate. To limit false positives, the rule ignores personal emails and certain message types, compares the sender's domain against the organization's known domains, and uses the message headers together with the sender's historical profile to determine whether the message was solicited (for example, a reply to a thread the organization started) or whether the sender has previously been flagged as malicious. Because the rule keys only on names from the VIP list, it should be applied to a well-defined group of VIPs: that is what narrows the organization's exposure to impersonation of its most sensitive senders without generating noise on ordinary mail.
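The detection logic described in the summary, written out as an added Python example rather than the rule's own code. The VIP list, organization domains, historical sender profiles and sample messages are all constructed, and two exclusions are assumptions made for illustration: "personal emails" is read as a VIP's known personal mailboxes, and "solicited" is read as a reply whose In-Reply-To or References header carries a Message-ID minted by an organization domain.

```python
"""Illustrative VIP display-name impersonation check; not the rule's own code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Vip:
    display_name: str
    email: str                                   # VIP's corporate address
    personal_emails: frozenset = frozenset()     # known personal mailboxes (assumed feed)


@dataclass
class SenderProfile:
    messages_seen: int = 0                       # prior messages from this address
    flagged_malicious: bool = False              # any prior message flagged malicious


@dataclass
class Message:
    display_name: str
    sender_email: str
    headers: Dict[str, str] = field(default_factory=dict)


def normalize_name(name: str) -> str:
    """Lowercase, drop punctuation, collapse whitespace: 'Jane  DOE.' -> 'jane doe'."""
    return " ".join(re.sub(r"[^\w\s]", " ", name).lower().split())


def email_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_solicited(msg: Message, org_domains: Set[str]) -> bool:
    """Assumed heuristic: a reply that references a Message-ID minted by an org domain."""
    refs = " ".join(msg.headers.get(h, "") for h in ("In-Reply-To", "References"))
    return any(email_domain(mid) in org_domains for mid in re.findall(r"<([^>]+)>", refs))


def evaluate(msg: Message, org_vips: List[Vip], org_domains: Set[str],
             profiles: Dict[str, SenderProfile]) -> Optional[str]:
    """Return an alert reason when the message looks like VIP impersonation, else None."""
    wanted = normalize_name(msg.display_name)
    vip = next((v for v in org_vips if normalize_name(v.display_name) == wanted), None)
    if vip is None:
        return None                              # display name is not on the VIP list
    sender = msg.sender_email.lower()
    if email_domain(sender) in org_domains:
        return None                              # sent from an org domain: not this rule's concern
    if sender in {e.lower() for e in vip.personal_emails}:
        return None                              # the VIP's known personal mailbox (assumed)
    if msg.headers.get("Auto-Submitted", "no").lower() != "no":
        return None                              # auto-generated message types are skipped
    if is_solicited(msg, org_domains):
        return None                              # reply to a thread the org started
    prof = profiles.get(sender, SenderProfile())
    base = f"display name '{msg.display_name}' matches VIP {vip.email}; sender {sender}"
    if prof.flagged_malicious:
        return base + " was previously flagged malicious"
    if prof.messages_seen == 0:
        return base + " has never been seen before"
    return None                                  # established, clean sender profile


# Constructed sample data: VIP list, org domains, historical sender profiles, messages.
ORG_DOMAINS = {"example.com"}
ORG_VIPS = [
    Vip("Jane Doe", "jane.doe@example.com", frozenset({"janed.home@example.net"})),
    Vip("Raj Patel", "raj.patel@example.com"),
]
PROFILES = {
    "newsletter@partner.example": SenderProfile(messages_seen=40),
    "jane.doe@mail.example.org": SenderProfile(messages_seen=3, flagged_malicious=True),
}
SAMPLES = {
    "new_external": Message("Jane Doe", "jane.doe@outlook.example"),
    "internal": Message("Jane Doe", "jane.doe@example.com"),
    "personal": Message("Jane Doe", "janed.home@example.net"),
    "established": Message("Jane Doe", "newsletter@partner.example"),
    "not_vip": Message("Bob Smith", "bob@unknown.example"),
    "reply": Message("Jane Doe", "jane.doe@outlook.example",
                     {"In-Reply-To": "<abc123@example.com>"}),
    "auto": Message("Raj Patel", "noreply@calendar.example",
                    {"Auto-Submitted": "auto-generated"}),
    "previously_flagged": Message("jane  DOE.", "jane.doe@mail.example.org"),
}


def run_samples() -> Dict[str, Optional[str]]:
    return {k: evaluate(m, ORG_VIPS, ORG_DOMAINS, PROFILES) for k, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, reason in run_samples().items():
        print(f"{name:20} {'ALERT' if reason else 'ok':6} {reason or ''}")
```

Two of the samples show why the ordering of checks matters: the "reply" message comes from an address that has never been seen, yet it is suppressed as solicited, and the "previously_flagged" message comes from an address with an established profile, yet it still alerts because the profile records a prior malicious verdict. Display-name matching is normalized so trivial case, spacing and punctuation variants of a VIP name do not slip past the list.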
Categories
- Cloud
- Web
- Identity Management
- Application
Data Sources
- User Account
- Application Log
Created: 2024-01-25