
Brand impersonation: Greenvelope

Sublime Rules

Summary
This detection rule identifies potential brand impersonation attempts targeting Greenvelope. It combines content analysis with sender validation to find incoming messages that may be fraudulent invitations masquerading as legitimate Greenvelope communications. The rule checks the HTML text of the message body for phrasing that real Greenvelope invitations carry, such as 'Powered by Greenvelope' and 'alt="Greenvelope"'. It also inspects the links within the message to ensure none lead to the legitimate Greenvelope card or user links. The sender's email domain is scrutinized to disqualify messages that appear to come from known non-associated domains, unless they pass SPF authentication. To refine detection further, the rule skips messages that are forwarded or replied to, as these are often less indicative of an impersonation attempt. Finally, it limits the length of the current thread's text to reduce false positives.
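The checks in the summary can be sketched as follows; this is an added example, not the rule's own source. It assumes `greenvelope.com` as the legitimate domain, `/card/` and `/user/` as the legitimate link paths, a 2000-character thread limit, and reads the sender check as "skip senders on the brand's own domain that pass SPF"; the message fields and sample messages are constructed.

```python
import re
from urllib.parse import urlparse

# Markers quoted in the rule summary; everything else below is an assumption.
BRAND_MARKERS = ("Powered by Greenvelope", 'alt="Greenvelope"')
LEGIT_DOMAIN = "greenvelope.com"            # assumed legitimate domain
LEGIT_PATHS = ("/card/", "/user/")          # assumed card/user link paths
MAX_THREAD_CHARS = 2000                     # assumed length limit
REPLY_OR_FWD = re.compile(r"^\s*(re|fwd?)\s*:", re.IGNORECASE)

def on_brand_domain(host):
    """Exact domain or true subdomain; rejects look-alikes that merely contain it."""
    host = (host or "").lower()
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)

def is_legit_link(href):
    url = urlparse(href)
    return on_brand_domain(url.hostname) and url.path.startswith(LEGIT_PATHS)

def is_impersonation(msg):
    html = msg["html"]
    if not any(marker in html for marker in BRAND_MARKERS):
        return False                        # no Greenvelope branding
    if any(is_legit_link(h) for h in re.findall(r'href="([^"]+)"', html)):
        return False                        # points at real card/user pages
    sender_domain = msg["from"].rsplit("@", 1)[-1]
    if on_brand_domain(sender_domain) and msg["spf_pass"]:
        return False                        # authenticated brand sender
    if REPLY_OR_FWD.match(msg["subject"]):
        return False                        # forwarded or replied
    return len(msg["thread_text"]) <= MAX_THREAD_CHARS

# Constructed sample messages (not real traffic).
LOOKALIKE = {
    "from": "events@mailer.example", "spf_pass": True, "subject": "You're invited",
    "html": '<a href="https://greenvelope.com.invite.example/card/abc">Open</a>'
            "<p>Powered by Greenvelope</p>",
    "thread_text": "You're invited! Open your card.",
}
GENUINE = {
    "from": "no-reply@greenvelope.com", "spf_pass": True, "subject": "You're invited",
    "html": '<img alt="Greenvelope"><a href="https://www.greenvelope.com/card/xyz">Open</a>',
    "thread_text": "You're invited! Open your card.",
}
FORWARDED = dict(LOOKALIKE, subject="Fwd: You're invited")
SPOOFED = dict(LOOKALIKE, **{"from": "no-reply@greenvelope.com", "spf_pass": False})

if __name__ == "__main__":
    for name in ("LOOKALIKE", "GENUINE", "FORWARDED", "SPOOFED"):
        print(name, is_impersonation(globals()[name]))
```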
Categories
  • Identity Management
  • Web
Data Sources
  • User Account
  • Web Credential
Created: 2025-12-02