
Summary
This detection rule identifies business email compromise (BEC) incidents in which an attacker impersonates an employee by crafting the subject line to match the display name of an organizational member. The rule searches inbound email for subjects that contain the display name of an existing employee and checks whether the body shows features typical of BEC attacks. To assess the body it applies a natural language understanding (NLU) classifier and keeps only messages whose BEC intent is classified with medium or high confidence. It further restricts matches by sender profile: unsolicited messages are in scope, while solicited messages are in scope only when the sender already has a history of sending spam or malware and has not previously been marked as a false positive. Analyzing variations in email content together with sender history in this way makes it harder for an attacker to evade detection and strengthens the organization's defenses against impersonation and fraud.
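As an added illustration (not the rule's own code and not from the page), the rule's conditions expressed in Python over a few constructed messages; the employee roster, the sender-profile fields and the keyword-based classifier are assumptions standing in for the real directory, sender-history data and NLU model.

```python
import re
from dataclasses import dataclass

# Constructed roster of employee display names (hypothetical, not from the page).
ORG_DISPLAY_NAMES = {"Jane Doe", "Ravi Patel"}

@dataclass
class Sender:
    solicited: bool                # recipient has previously corresponded with this sender
    spam_or_malware_history: bool  # prior spam/malware verdicts on this sender
    false_positive_history: bool   # an earlier alert on this sender was judged benign

def classify_intent(body):
    """Toy keyword stand-in for the NLU classifier; returns (intent, confidence).
    It exists only so the rule logic can run offline, not as a real model."""
    cues = ("wire transfer", "gift card", "urgent", "are you available")
    hits = sum(cue in body.casefold() for cue in cues)
    return ("bec", "high") if hits >= 2 else ("bec", "medium") if hits == 1 else ("benign", "high")

def employee_name_in_subject(subject, names=ORG_DISPLAY_NAMES):
    """Case- and whitespace-insensitive substring match; returns the name or None."""
    norm = re.sub(r"\s+", " ", subject).casefold()
    return next((n for n in names if n.casefold() in norm), None)

def sender_in_scope(s):
    # Unsolicited senders are always in scope; solicited senders only when they
    # already carry a spam/malware history and no false-positive verdicts.
    return (not s.solicited) or (s.spam_or_malware_history and not s.false_positive_history)

def matches_rule(subject, body, sender):
    intent, conf = classify_intent(body)
    return (employee_name_in_subject(subject) is not None
            and intent == "bec" and conf in ("medium", "high")
            and sender_in_scope(sender))

# Constructed sample messages: (subject, body, sender profile).
SAMPLES = {
    "unsolicited_impersonation": ("Fwd: jane  doe", "Are you available? Need gift cards, urgent.", Sender(False, False, False)),
    "known_contact": ("Re: Jane Doe", "Urgent wire transfer, are you available?", Sender(True, False, False)),
    "solicited_with_spam_history": ("Ravi Patel", "Urgent: buy gift card codes", Sender(True, True, False)),
    "solicited_prior_false_positive": ("Ravi Patel", "Urgent gift card request", Sender(True, True, True)),
    "no_employee_name": ("Invoice 42", "Urgent wire transfer needed", Sender(False, False, False)),
}

def evaluate():
    """Run every sample through the rule; True means the rule would fire."""
    return {k: matches_rule(*v) for k, v in SAMPLES.items()}
```

The two solicited samples differ only in the false-positive flag, which is the distinction that keeps a previously cleared sender from re-triggering the rule.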
Categories
- Web
- Identity Management
- Cloud
- Endpoint
- Application
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2023-06-27