
Summary
This detection rule identifies possible brand impersonation attacks targeting DHL, a widely recognized shipping provider. The rule captures indicators and conditions that suggest an email may be fraudulent, focusing on patterns in the sender's email address, the subject line, and the body of the email. It uses several string-matching techniques to identify phrases related to DHL, such as 'DHL notification' and 'delivery', and checks for urgency indicators using natural language understanding classifiers. The rule examines the sender's domain so that mail from trusted domains associated with DHL is excluded. It also assesses the presence of suspicious references and the context of the email subject to detect potential phishing attempts. The severity is classified as low, but the rule combines several criteria to minimize false positives and improve accuracy in identifying real threats.
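The logic the summary describes, as an added illustration in Python (not the rule's own implementation): a brand match in the display name or subject, DHL-related body phrases, an urgency check, and an allow-list of trusted DHL sender domains. The trusted-domain list, the urgency keyword list (a stand-in for the rule's NLU classifier) and the sample messages are assumptions constructed for this example.

```python
import re
from email.utils import parseaddr

# Assumed trusted DHL sender domains (placeholder list, not from the rule).
TRUSTED_DHL_DOMAINS = {"dhl.com", "dhl.de"}
# Brand reference in the display name or subject line.
BRAND_RE = re.compile(r"\bdhl\b", re.I)
# Body phrases named in the summary.
CONTENT_RE = re.compile(r"dhl notification|delivery", re.I)
# Keyword stand-in for the rule's NLU urgency classifier (assumption).
URGENCY_RE = re.compile(r"\b(urgent|immediately|action required|within 24 hours)\b", re.I)


def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From: header."""
    _name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def is_trusted_dhl_domain(domain):
    """Exact match or subdomain of an allow-listed DHL domain."""
    return domain in TRUSTED_DHL_DOMAINS or any(
        domain.endswith("." + d) for d in TRUSTED_DHL_DOMAINS
    )


def dhl_impersonation_indicators(msg):
    """Return the names of the indicators that fire on a message dict."""
    display_name, _addr = parseaddr(msg["from"])
    hits = []
    if BRAND_RE.search(display_name):
        hits.append("brand_in_display_name")
    if BRAND_RE.search(msg["subject"]):
        hits.append("brand_in_subject")
    if CONTENT_RE.search(msg["body"]):
        hits.append("dhl_phrase_in_body")
    if URGENCY_RE.search(msg["subject"]) or URGENCY_RE.search(msg["body"]):
        hits.append("urgency")
    return hits


def is_suspected_dhl_impersonation(msg):
    """Alert when an untrusted sender claims the DHL brand and adds urgency
    or DHL-style delivery content; trusted DHL domains are excluded first."""
    if is_trusted_dhl_domain(sender_domain(msg["from"])):
        return False
    hits = set(dhl_impersonation_indicators(msg))
    brand = hits & {"brand_in_display_name", "brand_in_subject"}
    context = hits & {"dhl_phrase_in_body", "urgency"}
    return bool(brand) and bool(context)
```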
Categories
- Identity Management
- Cloud
- Endpoint
- Web
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2021-02-19