
Brand Impersonation: MetaMask

Sublime Rules

Summary
This rule detects potential brand impersonation of MetaMask in inbound messages. Its goal is to flag messages that claim to come from MetaMask but are sent from untrusted sources. It does this by checking several signals in the message data: whether the sender's display name contains 'metamask' or a lookalike variation of it, whether the message content carries suspicious language or MetaMask logos, and whether the sender's domain is one of the legitimate MetaMask domains. The rule combines logo detection with natural language understanding to recognise credential theft patterns. To reduce false positives, it also filters out trusted senders that have passed DMARC authentication.
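The signals described above can be approximated offline. The following is an added example written for this page, not the Sublime rule itself: the legitimate-domain list, the lookalike brand pattern and the keyword-based stand-in for credential-theft language are all assumptions, and logo detection is left out.

```python
import re
from email.utils import parseaddr

# Assumed allow-list; the rule's own list of legitimate MetaMask domains is not on the page.
LEGIT_DOMAINS = {"metamask.io"}
# Loose brand matcher tolerating spacing, punctuation and common character swaps
# ("Meta-Mask", "M e t a M a s k", "Metam4sk"). The pattern is an assumption.
BRAND_RE = re.compile(r"m\W*[e3]\W*t\W*[a4@]\W*m\W*[a4@]\W*[s5$]\W*k", re.I)
# Keyword stand-in for the rule's credential-theft language detection.
CRED_THEFT_RE = re.compile(
    r"\b(?:verify|validate|recover|restore|secret recovery phrase|seed phrase|"
    r"wallet (?:suspended|locked))\b", re.I)

def sender_domain(from_header):
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def signals(msg):
    """Collect impersonation signals from a message dict (keys: from, subject, body, dmarc_pass)."""
    found = set()
    name, _ = parseaddr(msg["from"])
    if BRAND_RE.search(name):
        found.add("brand_in_display_name")
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    if BRAND_RE.search(text):
        found.add("brand_in_content")  # logo detection would add to this signal
    if CRED_THEFT_RE.search(text):
        found.add("credential_theft_language")
    return found

def fires(msg):
    """True when the brand is invoked alongside credential-theft language and the
    sender is not a DMARC-authenticated legitimate MetaMask domain."""
    if sender_domain(msg["from"]) in LEGIT_DOMAINS and msg.get("dmarc_pass", False):
        return False  # trusted-sender filter: authenticated real domain
    s = signals(msg)
    return "credential_theft_language" in s and bool(
        s & {"brand_in_display_name", "brand_in_content"})

# Constructed sample messages (not real mail).
LURE = "Your wallet will be locked. Verify your Secret Recovery Phrase now."
SAMPLES = [
    {"from": "Meta-Mask Support <support@wallet-notice.example>", "subject": "Action required", "body": LURE, "dmarc_pass": True},
    {"from": "MetaMask <noreply@metamask.io>", "subject": "Release notes", "body": LURE, "dmarc_pass": True},
    {"from": "MetaMask <noreply@metamask.io>", "subject": "Action required", "body": LURE, "dmarc_pass": False},
    {"from": "Alice <alice@example.com>", "subject": "Hi", "body": "I started using MetaMask last week.", "dmarc_pass": True},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(fires(m), sorted(signals(m)), m["from"])
```

The second sample shows the trusted-sender filter suppressing an authenticated message from the real domain, while the third shows that the same From address without a DMARC pass (a spoof) still fires.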
Categories
  • Web
  • Identity Management
  • Cloud
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2025-02-20