
Brand impersonation: Spotify

Sublime Rules

Summary
This detection rule identifies phishing emails that impersonate the popular music streaming service Spotify. It focuses on how emails purporting to be from Spotify use subtle variations of the brand name to appear legitimate. The rule examines attributes of the sender's information, specifically looking for display names or email domains that contain variations of "spotify". Key checks include ensuring that the sender's domain is not one of the official Spotify domains, such as 'spotify.com' and 'byspotify.com', or another domain that has proven to be legitimate. The rule also checks the sender's profile for any malicious labelling while filtering out known false positives. It takes a risk-based approach: a message is flagged when the sender's domain is not a high-trust domain, or when it is a high-trust domain but the message fails DMARC authentication, so trusted senders are only flagged when their authentication is broken. The main threats targeted are credential phishing using impersonation and social engineering, in line with phishing strategies prevalent in the wild.
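To make the decision flow concrete, the following Python reproduces the checks described in the summary as an added example. It is not the rule's own code (Sublime rules are written in MQL, not Python), and the sample messages, the high-trust domain list, the regular expression used to catch spelling variations, the `Message` field names and the naive root-domain helper are all assumptions made for the illustration. The sender-profile labelling check is not modelled.

```python
"""Simplified model of the Spotify brand-impersonation checks (added example).

Decision flow, mirroring the summary above:
  1. the display name or sender domain contains a variation of "spotify"
  2. the sender's root domain is not an official Spotify domain
  3. the sender's root domain is not a high-trust domain, unless the
     message failed DMARC authentication
"""
import re
from dataclasses import dataclass
from typing import List

# Official domains named on the page; the high-trust list is an assumed stand-in
# for an organisation's own list of proven-legitimate sender domains.
OFFICIAL_SPOTIFY_DOMAINS = {"spotify.com", "byspotify.com"}
HIGH_TRUST_DOMAINS = {"google.com", "microsoft.com"}  # assumption

# Assumed pattern: letters of "spotify" with optional separators between them
# and common look-alike substitutions (0 for o, 1/l for i), e.g. "sp0tify",
# "spot-ify", "s.p.o.t.i.f.y".
SPOTIFY_PATTERN = re.compile(r"s\W*p\W*[o0]\W*t\W*[i1l]\W*f\W*y", re.IGNORECASE)


@dataclass
class Message:
    """Minimal view of the sender attributes the check needs (assumed fields)."""
    display_name: str
    sender_email: str
    dmarc_pass: bool


def root_domain(email: str) -> str:
    """Naive registrable domain: the last two labels of the address's domain.

    Good enough for the samples here; a real implementation would use the
    public suffix list so that e.g. 'example.co.uk' is handled correctly.
    """
    domain = email.rsplit("@", 1)[-1].lower().rstrip(".")
    return ".".join(domain.split(".")[-2:])


def mentions_spotify(msg: Message) -> bool:
    """True if the display name or the sender domain contains a Spotify look-alike."""
    sender_domain = msg.sender_email.rsplit("@", 1)[-1]
    return bool(SPOTIFY_PATTERN.search(msg.display_name)
                or SPOTIFY_PATTERN.search(sender_domain))


def is_spotify_impersonation(msg: Message) -> bool:
    """Apply the three checks; True means the message should be flagged."""
    if not mentions_spotify(msg):
        return False                      # no brand reference, nothing to impersonate
    domain = root_domain(msg.sender_email)
    if domain in OFFICIAL_SPOTIFY_DOMAINS:
        return False                      # genuinely from Spotify
    if domain in HIGH_TRUST_DOMAINS and msg.dmarc_pass:
        return False                      # trusted sender with intact authentication
    return True                           # untrusted, or trusted but DMARC failed


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES: List[Message] = [
    Message("Spotify Premium", "billing@spotify.com", True),          # official
    Message("Spotify Support", "no-reply@spot1fy-account.com", False), # look-alike domain
    Message("Sp0tify Alerts", "alerts@mail.google.com", True),        # trusted, DMARC pass
    Message("Sp0tify Alerts", "notify@drive.google.com", False),      # trusted, DMARC fail
    Message("Alice", "alice@example.org", True),                       # unrelated
]


def flagged_senders(messages: List[Message]) -> List[str]:
    """Return the sender addresses of every message the check would flag."""
    return [m.sender_email for m in messages if is_spotify_impersonation(m)]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        verdict = "FLAG" if is_spotify_impersonation(m) else "pass"
        print(f"{verdict:4} {m.display_name!r:20} {m.sender_email}")
```

Running the block prints one verdict per sample message: only the look-alike domain and the trusted domain that failed DMARC are flagged, while the official Spotify address, the authenticated trusted sender and the unrelated message pass.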
Categories
  • Web
  • Endpoint
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Application Log
Created: 2021-02-19