
Summary
This detection rule identifies potential phishing attempts that impersonate the Evite brand, specifically messages that mimic Evite invitations. It detects invitation language in inbound messages that do not originate from authentic Evite domains. The rule analyzes the message body for characteristics typical of Evite communications, such as 'evitecdn.com' in image sources, and assesses the number of legitimate links present in the message. It also checks that the message is not a forwarded or replied thread, which could signify legitimate communication, and checks the sender's email address against Evite's domain and DMARC authentication. By combining content and sender analysis, the rule aims to flag potentially malicious impersonation attempts and thereby prevent credential phishing attacks.
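The checks described above, combined in a short Python sketch. This is an added example, not the rule's own source. The sender domain `evite.com`, the invitation phrases, the link threshold, the way the signals are combined and the helper names are all assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions, not from the rule: sender domain, phrases, link threshold.
EVITE_DOMAIN, CDN_DOMAIN, MAX_EVITE_LINKS = "evite.com", "evitecdn.com", 2
INVITE_RE = re.compile(r"you(?:'re| are) invited|view (?:the )?invitation|\brsvp\b", re.I)
THREAD_RE = re.compile(r"^\s*(?:re|fwd?)\s*:", re.I)

def _hosts(html, tag, attr):
    """Lowercased hostnames found in <tag ... attr="URL"> occurrences."""
    urls = re.findall(rf"<{tag}\b[^>]*\b{attr}\s*=\s*[\"']([^\"']+)", html, re.I)
    return [(urlsplit(u).hostname or "").lower() for u in urls]

def _under(host, domain):
    # Exact or subdomain match, so "evite.com.evil.example" does not pass.
    return host == domain or host.endswith("." + domain)

def is_evite_impersonation(raw):
    msg = message_from_string(raw)
    body = " ".join(p.get_payload(decode=True).decode(errors="replace")
                    for p in msg.walk() if p.get_content_maintype() == "text")
    # Replies and forwards are skipped, as the summary describes.
    if THREAD_RE.match(msg.get("Subject", "")) or msg.get("In-Reply-To") or msg.get("References"):
        return False
    # Authentic sender = From domain under evite.com AND DMARC pass. Trust only
    # the Authentication-Results header stamped by your own receiving MTA.
    from_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    dmarc_pass = bool(re.search(r"\bdmarc=pass\b", msg.get("Authentication-Results", ""), re.I))
    if _under(from_host, EVITE_DOMAIN) and dmarc_pass:
        return False
    looks_like_evite = bool(INVITE_RE.search(body)) and any(
        _under(h, CDN_DOMAIN) for h in _hosts(body, "img", "src"))
    evite_links = sum(_under(h, EVITE_DOMAIN) for h in _hosts(body, "a", "href"))
    return looks_like_evite and evite_links <= MAX_EVITE_LINKS

def _mail(sender, dmarc, subject, link):  # builds one constructed message
    return (f"From: {sender}\nSubject: {subject}\n"
            f"Authentication-Results: mx.example.net; dmarc={dmarc}\n"
            "Content-Type: text/html\n\n"
            '<img src="https://g0.evitecdn.com/logo.png"><p>You\'re invited!</p>'
            f'<a href="{link}">View invitation</a>')

# Constructed sample messages.
PHISH = _mail("Party <invite@party-notice.example>", "pass", "You're invited", "https://rsvp.party-notice.example/login")
GENUINE = _mail("Evite <info@evite.com>", "pass", "You're invited", "https://www.evite.com/event/1")
SPOOFED = _mail("Evite <info@evite.com>", "fail", "You're invited", "https://rsvp.party-notice.example/login")
FORWARD = _mail("Friend <friend@mail.example>", "pass", "Fwd: You're invited", "https://www.evite.com/event/1")
```

The spoofed case shows why the sender check needs both conditions: a From address at the brand's domain that fails DMARC is still evaluated against the content signals.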
Categories
- Web
- Cloud
- Identity Management
Data Sources
- User Account
- Web Credential
Created: 2025-10-25