
Summary
The rule detects brand impersonation attempts targeting users of the crypto hardware wallet Ledger. The detection focuses on identifying emails that falsely appear to come from the official ledger.com domain. It applies several checks to the sender details: it inspects the sender's email domain to confirm whether it matches ledger.com, and it verifies that the return path does not belong to known email services or to other legitimate Ledger domains. The criteria also include discrepancies in DMARC authentication results and similarity of the display name to Ledger's brand, including lookalike domains or small alterations that could mislead recipients. Senders on both free and non-free email providers are considered, and an alert is raised when the recipient organization has not interacted with the sender before. To limit false positives, known legitimate domains that happen to use the term 'Ledger' are excluded. By combining header analysis with sender attributes, the rule aims to mitigate the risk of phishing attempts that exploit Ledger's brand credibility. This prevention strategy specifically targets impersonation of Ledger in order to protect users from credential phishing and keep them aware of potentially fraudulent communications.
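As an added illustration, not the rule's own code (which is not on this page), the checks the summary describes re-implemented in Python and run over constructed message headers; the placeholder domain lists, the `Msg` fields and the `first_time_sender` flag are assumptions.

```python
import re
from dataclasses import dataclass

# Assumption: the page names only ledger.com; the rule's other legitimate Ledger domains,
# known email services and allowlist of domains using the word "Ledger" are placeholders.
LEGIT_LEDGER_DOMAINS = {"ledger.com"}
KNOWN_EMAIL_SERVICES = {"bounces.esp.example"}               # constructed
LEDGER_TERM_ALLOWLIST = {"generalledger-accounting.example"}  # constructed

@dataclass
class Msg:
    display_name: str
    sender: str              # From: address
    return_path: str         # Return-Path: (bounce) address
    dmarc_pass: bool
    first_time_sender: bool  # the organisation has never received mail from this sender

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalikes of 'ledger'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like_ledger(text: str) -> bool:
    """True if 'ledger' appears, or a token of 6+ chars is one edit away (1edger, ledqer)."""
    low = text.lower()
    return "ledger" in low or any(len(t) >= 6 and edit_distance(t, "ledger") == 1
                                  for t in re.split(r"[^a-z0-9]+", low))

def is_ledger_impersonation(m: Msg) -> bool:
    sender_dom, rp_dom = (a.rsplit("@", 1)[-1].lower() for a in (m.sender, m.return_path))
    if sender_dom in LEGIT_LEDGER_DOMAINS:
        # Claims to be ledger.com: genuine only if DMARC passes and it bounces to a known address
        return not (m.dmarc_pass and (rp_dom in LEGIT_LEDGER_DOMAINS or rp_dom in KNOWN_EMAIL_SERVICES))
    if sender_dom in LEDGER_TERM_ALLOWLIST or rp_dom in LEGIT_LEDGER_DOMAINS:
        return False  # legitimate use of the word, or bounces go back to Ledger itself
    brand_like = looks_like_ledger(m.display_name) or looks_like_ledger(sender_dom)
    return brand_like and m.first_time_sender  # free or corporate mailbox alike, if unknown to the org

SAMPLES = [  # constructed: genuine, DMARC-failing spoof, lookalike domain, allowlisted, known sender
    Msg("Ledger Support", "support@ledger.com", "bounce@ledger.com", True, True),
    Msg("Ledger", "no-reply@ledger.com", "x@mailer.bad.example", False, True),
    Msg("Ledger Security", "alert@1edger.com", "alert@1edger.com", True, True),
    Msg("Jane Doe", "jane@generalledger-accounting.example", "ar@generalledger-accounting.example", True, True),
    Msg("Ledger Customer", "bob@corp.example", "bob@corp.example", True, False),
]
```

Only the second, third and fourth conditions in the summary are modelled as hard checks here; a production rule would also score the display-name similarity more gradually than a single-edit threshold.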
Categories
- Identity Management
- Network
- Web
Data Sources
- User Account
- Web Credential
Created: 2021-02-19