
Summary
This detection rule aims to identify potential brand impersonation attacks targeting the Canadian energy company Enbridge. It applies several heuristics to incoming communications, focusing on email metadata and content. The rule is of inbound type, meaning it evaluates incoming email for signs of deception. Its detection criteria check whether the sender's display name or email domain contains 'enbridge', and similarly inspect the subject line. It also looks for specific phrases in the email body, such as 'pay now' or 'view your bill', which are common in phishing lures. To reduce false positives, the rule excludes legitimate responses by requiring that the message carry no references or in-reply-to headers that would indicate an existing conversation thread. Lastly, it validates the sender's domain to ensure it does not belong to legitimate Enbridge domains or its subsidiaries, further narrowing the match to fraudulent attempts. The rule is classified as medium severity because of the potential impact of business email compromise (BEC) and credential phishing attacks.
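The heuristics above, re-implemented as a small Python detector over constructed sample messages. This is an added example, not the vendor's rule code; it assumes that a brand reference (display name, sender domain or subject) and a lure phrase in the body are both required for a match, and it uses a placeholder set of legitimate domains because the page lists none.

```python
"""Toy re-implementation of the Enbridge brand-impersonation heuristics
described on this page (added example; not the original rule's code)."""
from dataclasses import dataclass, field

BRAND = "enbridge"

# Assumption: the rule exempts legitimate Enbridge domains and subsidiaries
# but the page lists none, so this placeholder set stands in for that list.
LEGITIMATE_DOMAINS = {"enbridge.com"}

# Body phrases the page cites as typical of billing-themed phishing lures.
LURE_PHRASES = ("pay now", "view your bill")


@dataclass
class Email:
    """Minimal view of the message fields the heuristics inspect."""
    display_name: str
    sender_domain: str
    subject: str
    body: str
    references: list = field(default_factory=list)
    in_reply_to: str = ""


def domain_is_legitimate(domain: str) -> bool:
    """True when the sender domain is, or is a subdomain of, a known-good domain.
    The suffix check requires a leading dot so 'enbridge.com.evil.example'
    does not pass as a subdomain of enbridge.com."""
    d = domain.lower().rstrip(".")
    return any(d == good or d.endswith("." + good) for good in LEGITIMATE_DOMAINS)


def matched_conditions(msg: Email) -> list:
    """Return the names of the individual rule conditions this message satisfies."""
    hits = []
    if BRAND in msg.display_name.lower():
        hits.append("brand_in_display_name")
    if BRAND in msg.sender_domain.lower():
        hits.append("brand_in_sender_domain")
    if BRAND in msg.subject.lower():
        hits.append("brand_in_subject")
    body = msg.body.lower()
    if any(phrase in body for phrase in LURE_PHRASES):
        hits.append("lure_phrase_in_body")
    return hits


def is_impersonation(msg: Email) -> bool:
    """Combine the conditions: brand reference AND lure phrase, not a reply,
    and the sender domain is not a legitimate Enbridge domain."""
    hits = matched_conditions(msg)
    brand_ref = any(h.startswith("brand_in_") for h in hits)
    lure = "lure_phrase_in_body" in hits
    is_reply = bool(msg.references) or bool(msg.in_reply_to)
    return brand_ref and lure and not is_reply and not domain_is_legitimate(msg.sender_domain)


# Constructed sample messages (not real traffic).
SAMPLES = {
    "lookalike_bill": Email(
        "Enbridge Billing", "enbridge-payments.example",
        "Your Enbridge bill is ready",
        "Please view your bill and pay now to avoid service interruption."),
    "legit_subdomain": Email(
        "Enbridge", "billing.enbridge.com",
        "Your Enbridge bill is ready", "You can view your bill online."),
    "reply_thread": Email(
        "Enbridge Support", "enbridge-support.example",
        "RE: Enbridge account", "Pay now if you wish.",
        in_reply_to="<constructed-id@example>"),
    "unrelated": Email(
        "IT Helpdesk", "corp.example", "Password reset", "Pay now."),
}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:16} match={is_impersonation(msg)} hits={matched_conditions(msg)}")
```

Only `lookalike_bill` should fire: the subdomain sample is exempted by the domain allow-list, the reply sample by the thread check, and the unrelated sample carries a lure phrase but no brand reference.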
Categories
- Identity Management
- Web
- Endpoint
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2024-09-18