Display name impersonation using recipient SLD

Sublime Rules

Summary
This detection rule identifies display name impersonation in which the sender's display name contains the recipient's second-level domain (SLD), presenting the sender as a trusted entity within the recipient's organization. It evaluates inbound messages against several criteria: the sender's display name contains the SLD of a recipient's email domain; the message has few recipients across the to and cc fields; the SLD is long enough to be meaningful; and the body contains links or attachments, which are common in phishing attempts. To suppress false positives, the rule excludes specific trusted domains and legitimate representations such as "on behalf of" notations in the display name. It relies on header and sender analysis to reduce the chance of missing impersonation tactics commonly associated with credential phishing. The rule carries a medium severity classification; organizations should remain vigilant against social engineering that exploits trust through impersonation.
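The following is an added illustration of the detection logic described above, written for this page and not the Sublime rule itself. The recipient threshold, minimum SLD length, trusted-domain list and sample messages are assumptions constructed for the example; the real rule's values are not given here.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Thresholds and exclusions are assumptions chosen for this example;
# the Sublime rule's exact values are not stated on the page.
MAX_RECIPIENTS = 3       # "few recipients" counted across to + cc
MIN_SLD_LENGTH = 4       # SLD must be long enough to be meaningful
TRUSTED_DOMAINS = {"trusted-partner.example"}  # constructed placeholder list

URL_RE = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class Message:
    sender_name: str
    sender_email: str
    to: list[str]
    cc: list[str] = field(default_factory=list)
    body: str = ""
    attachments: list[str] = field(default_factory=list)


def sld_of(address: str) -> str:
    """Return the second-level domain label of an address, lowercased
    (e.g. 'contoso' for alice@mail.contoso.com). Simplification: multi-part
    public suffixes such as .co.uk are not special-cased here."""
    domain = address.rsplit("@", 1)[-1].lower()
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else ""


def is_display_name_impersonation(msg: Message) -> bool:
    """Flag an inbound message whose display name borrows a recipient's SLD."""
    recipients = msg.to + msg.cc
    if not recipients or len(recipients) > MAX_RECIPIENTS:
        return False
    sender_domain = msg.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain in TRUSTED_DOMAINS:
        return False
    name = msg.sender_name.lower()
    if "on behalf of" in name:          # legitimate delegation notation
        return False
    if not (URL_RE.search(msg.body) or msg.attachments):
        return False                    # no link or attachment to deliver
    for rcpt in recipients:
        sld = sld_of(rcpt)
        if len(sld) < MIN_SLD_LENGTH:
            continue
        # Assumption: a sender in the recipient's own org using its name is not impersonation.
        if sld_of(msg.sender_email) == sld:
            continue
        if sld in name:
            return True
    return False
```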
Categories
  • Cloud
  • Identity Management
  • Web
  • Application
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2023-11-21