
Summary
This detection rule identifies potential brand impersonation attacks that target Twitter. It applies a series of logical checks to decide whether an inbound message is attempting to impersonate Twitter or 'X': it checks the sender's display name for exact matches and for near matches measured by Levenshtein distance, and it examines the sender's email domain for signs of impersonation or similarity to domains known to belong to Twitter. The rule also includes machine learning components that analyze logos in message screenshots for high-confidence detections of the 'X' brand, and it complements these checks by examining the message body for intents related to credential theft. A safety check excludes known legitimate domains so that genuine Twitter mail does not trigger false positives. The goal is to prevent unauthorized access and to safeguard user credentials against phishing attempts that borrow Twitter's identity. The rule primarily targets credential phishing that combines impersonation techniques, lookalike domains, and social engineering; it depends on thorough sender analysis and robust detection methods, which underlines the need for vigilance against brand impersonation in communication.
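As an added illustration of the checks the summary lists (not the rule's own code or query language), the following Python sketch runs the display-name, lookalike-domain and allowlist logic over constructed headers; the brand names, legitimate-domain allowlist, edit-distance threshold and the two boolean ML verdicts (logo_match, cred_theft_intent) are assumptions standing in for upstream classifiers.

```python
"""Added example, not the rule's own code: a Python sketch of the heuristics
the rule description lists, run on constructed headers. Brand names, the
legitimate-domain allowlist, the edit threshold and the two ML verdicts
(logo_match, cred_theft_intent) are assumptions, not taken from the rule."""

BRAND_NAMES = {"twitter", "x"}                    # assumed
LEGIT_DOMAINS = {"twitter.com", "x.com", "t.co"}  # assumed allowlist
MAX_EDITS = 1                                     # assumed near-match threshold


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def display_name_impersonates(display_name: str) -> bool:
    """Exact match on any brand; near match only for brands longer than 3
    chars, since one edit away from 'X' would match almost anything."""
    name = display_name.strip().lower()
    return name in BRAND_NAMES or any(
        len(b) > 3 and levenshtein(name, b) <= MAX_EDITS for b in BRAND_NAMES)

def root_domain(sender: str) -> str:
    """Naive registered domain: last two labels of the address's domain part."""
    return ".".join(sender.rsplit("@", 1)[-1].lower().split(".")[-2:])

def domain_impersonates(sender: str) -> bool:
    """Lookalike root domain: embeds a brand name or sits within MAX_EDITS of
    a legitimate domain; legitimate domains themselves never match."""
    root = root_domain(sender)
    if root in LEGIT_DOMAINS:
        return False
    label = root.split(".")[0]
    return any(len(b) > 3 and b in label for b in BRAND_NAMES) or any(
        levenshtein(root, d) <= MAX_EDITS for d in LEGIT_DOMAINS)

def should_flag(display_name, sender, logo_match=False, cred_theft_intent=False):
    """Legitimate senders are excluded first; otherwise flag when any
    impersonation signal fires together with credential-theft intent."""
    if root_domain(sender) in LEGIT_DOMAINS:
        return False
    impersonation = (display_name_impersonates(display_name)
                     or domain_impersonates(sender) or logo_match)
    return bool(impersonation and cred_theft_intent)
```

Note that the allowlist check runs before any similarity scoring, so a genuine sender is never penalized for being, trivially, zero edits away from its own domain.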
Categories
- Web
- Cloud
- Identity Management
Data Sources
- User Account
- Network Traffic
Created: 2021-02-19