
Summary
This detection rule identifies email messages that impersonate the Social Security Administration (SSA). The rule is designed to flag messages containing specific SSA-related terminology such as 'Secure Message' or 'SSA Statement Viewer' that are sent from non-government email domains, specifically those that do not end in '.gov'. The detection logic checks for unsolicited messages from suspicious senders, giving particular weight to senders previously associated with malicious or spam communications. The rule also requires the presence of links in the email body, a typical characteristic of phishing attempts. Key phrases and a legitimate phone number associated with the SSA are included in the detection criteria to improve accuracy. Using regex and string analysis, this rule aims to mitigate business email compromise (BEC) and credential phishing attacks that exploit trust through impersonation-based social engineering.
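The detection logic described above, written out as an added Python example rather than the rule's own code: SSA terminology or the SSA phone number in the text, a sender domain that does not end in '.gov', a link in the body, and an unsolicited message are all required, while prior bad sender history is recorded as an extra indicator. The phone number is the SSA's published national toll-free number, assumed here because the summary does not quote it; the sample message, the sender-history flag and the unsolicited flag are constructed inputs.

```python
import re
from dataclasses import dataclass

# Terminology from the rule summary, matched case-insensitively.
SSA_PHRASES = ("secure message", "ssa statement viewer")
# The SSA's published toll-free number, assumed to be the "legitimate phone
# number" the summary mentions; the page itself does not quote it.
SSA_PHONE_RE = re.compile(r"(?:1[-.\s]?)?\(?800\)?[-.\s]?772[-.\s]?1213\b")
LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


@dataclass
class Message:
    sender: str                     # From address, e.g. 'SSA <no-reply@example.test>'
    subject: str
    body: str
    unsolicited: bool = True        # no prior thread with this sender (assumed metadata)
    sender_known_bad: bool = False  # earlier spam/malicious verdicts (assumed metadata)


def sender_domain(addr: str) -> str:
    """Lower-cased domain of an address such as 'Name <user@host>'."""
    return addr.rsplit("@", 1)[-1].strip(" <>").lower()


def ssa_impersonation_reasons(msg: Message) -> list:
    """Return matched indicators; an empty list means the rule does not fire."""
    text = f"{msg.subject}\n{msg.body}".lower()
    terms = [p for p in SSA_PHRASES if p in text]
    if SSA_PHONE_RE.search(text):
        terms.append("ssa phone number")
    if not terms:
        return []                      # no SSA lure present at all
    domain = sender_domain(msg.sender)
    if domain == "gov" or domain.endswith(".gov"):
        return []                      # genuine government sender domain
    if not LINK_RE.search(msg.body) or not msg.unsolicited:
        return []                      # rule needs an unsolicited message carrying a link
    reasons = [f"ssa_term:{t}" for t in terms]
    reasons += [f"non_gov_sender:{domain}", "link_in_body"]
    if msg.sender_known_bad:
        reasons.append("sender_previously_flagged")
    return reasons


# Constructed sample lure (not a real message) for a quick stand-alone run.
SAMPLE = Message("Social Security <alerts@ssa-notices.example>", "Secure Message: SSA Statement Viewer",
                 "Your statement is ready. View it at https://ssa-notices.example/view or call 1-800-772-1213.")
if __name__ == "__main__":
    print(ssa_impersonation_reasons(SAMPLE))
```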
Categories
- Identity Management
- Web
- Cloud
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2025-08-27