
Summary
Detects inbound email that attempts to impersonate the McAfee brand by inspecting the display name, subject, and body for McAfee-related patterns. These include "McAfee" followed by a defense term (Defense/Protection) within 0–30 characters, or McAfee references detected via NLU entities with organizational/sender context and multiple urgency signals. The rule excludes messages from verified McAfee domains with valid DMARC, and from other high-trust domains with a DMARC pass. It also suppresses matches for newsletter or promotional topics when confidence is not low. It is designed to flag credential phishing, BEC/fraud, and callback phishing that leverage McAfee branding.
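A sketch of the pattern branch and the sender exclusions described in the summary, added here as an illustration and not the rule's actual source. The allowlisted domains, the message field names, and the sample messages are assumptions constructed for this example; the NLU branch and the newsletter/promotional suppression are not modeled.

```python
import re

# "McAfee" followed by Defense/Protection within 0-30 characters (per the summary).
# DOTALL lets the gap span a line break in the body.
BRAND_RE = re.compile(r"mcafee.{0,30}?(?:defense|protection)", re.IGNORECASE | re.DOTALL)

# Assumed allowlists: the page does not enumerate the trusted domains.
VERIFIED_BRAND_DOMAINS = {"mcafee.com"}
HIGH_TRUST_DOMAINS = {"high-trust.example"}  # placeholder value


def sender_is_excluded(msg):
    """The exclusion needs both a trusted sender domain AND a DMARC pass."""
    domain = msg["sender_domain"].lower()
    trusted = domain in VERIFIED_BRAND_DOMAINS or domain in HIGH_TRUST_DOMAINS
    return trusted and msg["dmarc_pass"]


def matched_fields(msg):
    """Return which of the inspected fields carry the brand pattern."""
    return [f for f in ("display_name", "subject", "body") if BRAND_RE.search(msg[f])]


def evaluate(msg):
    fields = matched_fields(msg)
    if not fields:
        return {"flag": False, "reason": "no brand pattern"}
    if sender_is_excluded(msg):
        return {"flag": False, "reason": "trusted sender with DMARC pass"}
    return {"flag": True, "reason": "brand pattern in " + ", ".join(fields)}


def sample(display_name, subject, body, sender_domain, dmarc_pass):
    return dict(display_name=display_name, subject=subject, body=body,
                sender_domain=sender_domain, dmarc_pass=dmarc_pass)


# Constructed sample messages (not real traffic).
SAMPLES = {
    "lookalike": sample("McAfee Total Protection", "Your subscription renews today",
                        "Call us to cancel.", "billing-alerts.example", True),
    "genuine": sample("McAfee", "McAfee Protection update",
                      "Release notes.", "mcafee.com", True),
    "spoofed": sample("Support", "Action required",
                      "McAfee\nDefense plan expired.", "mcafee.com", False),
    "too_far": sample("Newsdesk", "Weekly digest",
                      "McAfee " + "x" * 40 + " protection", "news.example", True),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, evaluate(msg))
```

The "spoofed" sample shows why the exclusion is tied to the DMARC result: a message claiming a verified brand domain that fails DMARC is still flagged.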
Categories
- Network
Data Sources
- Network Traffic
Created: 2026-03-12