
Summary
This detection rule targets brand impersonation of the State Farm insurance company. It inspects inbound message headers for display-name spoofing: a regex matches variations of the name "State Farm" in the sender's display name, and a match is treated as suspicious only when the sending domain cannot be verified. Messages from domains associated with State Farm, such as statefarm.com and statefarminsurance.com, are excluded when they pass DMARC authentication, so legitimate communications are not flagged; a message that claims one of those domains but fails DMARC does not receive that exemption. The rule also consults a list of highly trusted sender domains: a message from a domain on that list is exempt unless it fails DMARC, while a matching display name on a message from any other domain is flagged. The rule is intended to mitigate credential phishing and relies on header and sender analysis to validate the legitimacy of inbound messages.
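The decision logic described above, written out as an added Python example (this is not the rule's own code, and the rule's real regex and high-trust domain list are not on the page; the pattern, the placeholder high-trust domain, the subdomain handling and the sample messages below are assumptions, with the samples constructed for illustration):

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumption: the rule's actual regex is not on the page. This one tolerates
# "State Farm", "StateFarm", "State-Farm", "state_farm" and similar spacings.
STATE_FARM_DISPLAY_NAME = re.compile(r"\bstate[\W_]*farm\b", re.IGNORECASE)

# Domains the page names as State Farm's own (the page says there are others).
STATE_FARM_DOMAINS = {"statefarm.com", "statefarminsurance.com"}

# Hypothetical high-trust sender domain list; the real list is not on the page.
HIGH_TRUST_DOMAINS = {"mailer.example-esp.com"}


def dmarc_result(msg: Message) -> str:
    """Return the dmarc= verdict from Authentication-Results, or 'none'."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdmarc=(\w+)", value, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return "none"


def sender_parts(msg: Message) -> tuple[str, str]:
    """Split the From header into (display name, lower-cased domain)."""
    name, addr = parseaddr(msg.get("From", ""))
    return name, addr.rpartition("@")[2].lower()


def in_domain_set(domain: str, allowed: set[str]) -> bool:
    """Assumption: subdomains of an allowed domain count as that domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def is_state_farm_impersonation(raw_message: str) -> bool:
    """Apply the rule: display-name match, minus DMARC-verified exemptions."""
    msg = message_from_string(raw_message)
    name, domain = sender_parts(msg)
    if not STATE_FARM_DISPLAY_NAME.search(name):
        return False                      # no brand name in the display name
    dmarc_pass = dmarc_result(msg) == "pass"
    if in_domain_set(domain, STATE_FARM_DOMAINS) and dmarc_pass:
        return False                      # State Farm's own domain, verified
    if in_domain_set(domain, HIGH_TRUST_DOMAINS) and dmarc_pass:
        return False                      # trusted sender, verified
    return True                           # everything else is suspicious


def _raw(from_header: str, auth_results: str) -> str:
    """Build a minimal constructed message with the headers the rule reads."""
    return (
        f"From: {from_header}\n"
        "To: customer@example.net\n"
        "Subject: Your policy\n"
        f"Authentication-Results: mx.example.net; {auth_results}\n"
        "\n"
        "Please review the attached document.\n"
    )


# Constructed sample messages (not real traffic).
SAMPLES = {
    "lookalike_display_name": _raw(
        '"State Farm Claims" <alerts@mail-notices.example>',
        "spf=pass dmarc=pass header.from=mail-notices.example"),
    "legit_statefarm_dmarc_pass": _raw(
        '"State Farm" <noreply@statefarm.com>',
        "spf=pass dmarc=pass header.from=statefarm.com"),
    "statefarm_domain_dmarc_fail": _raw(
        '"State Farm" <noreply@statefarm.com>',
        "spf=fail dmarc=fail header.from=statefarm.com"),
    "trusted_esp_dmarc_pass": _raw(
        '"StateFarm Billing" <billing@mailer.example-esp.com>',
        "spf=pass dmarc=pass header.from=mailer.example-esp.com"),
    "subdomain_dmarc_pass": _raw(
        '"State-Farm Alerts" <alerts@mail.statefarminsurance.com>',
        "spf=pass dmarc=pass header.from=statefarminsurance.com"),
    "unrelated_sender": _raw(
        '"Interstate Farm Supply" <orders@farmsupply.example>',
        "spf=pass dmarc=pass header.from=farmsupply.example"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:32} flagged={is_state_farm_impersonation(raw)}")
```

The two exemptions are deliberately gated on a DMARC pass rather than on the domain string alone: a forged From header that claims statefarm.com is exactly the case the rule is meant to catch, and it is only the authentication result that separates it from the real thing.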
Categories
- Identity Management
- Endpoint
- Web
Data Sources
- User Account
- Network Traffic
Created: 2025-12-18