Corporate Services Impersonation Phishing

Sublime Rules

Summary
The 'Corporate Services Impersonation Phishing' rule detects phishing attempts that impersonate corporate services such as HR, helpdesk, and benefits departments. It analyzes the message on several levels: it looks for language patterns in subject lines and sender names that suggest impersonation, checks whether the body contains links, and evaluates the reputation of the linked domains, treating links to low-reputation domains and mass-mailing domains as suspicious. Regex patterns identify phrases commonly associated with phishing, Natural Language Understanding (NLU) classifies the content for intents related to credential theft, and the email headers are checked for DMARC authentication failures. The rule also filters out common false positives, such as messages from legitimate helpdesk platforms and newsletters from trusted sources. This combination of content analysis, header analysis, and sender-reputation evaluation lets the rule identify phishing attempts accurately while keeping false positives low.
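As an added illustration (not the Sublime rule's own code), the following Python sketches the layers the summary describes, run over constructed sample messages: subject and sender wording, lure phrases, link-domain reputation, the DMARC result from the Authentication-Results header, and a trusted-helpdesk false-positive filter. The domain lists, regexes and the way the signals combine are assumptions, and the rule's NLU intent classification is not reproduced.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed reference lists (assumptions for this example, not the rule's own data).
LOW_REPUTATION_DOMAINS = {"hr-portal-update.example", "benefits-login.example"}
MASS_MAILER_DOMAINS = {"bulk-mailer.example"}
TRUSTED_HELPDESK_DOMAINS = {"helpdesk.example.com"}
# Wording that presents the sender as an HR, helpdesk or benefits department.
CORP_SERVICE_RE = re.compile(r"\b(hr|human resources|help ?desk|it support|benefits|payroll)\b", re.I)
# Phrases commonly used in credential-theft lures.
LURE_RE = re.compile(r"verify your (account|password)|action required|sign in to (view|review)", re.I)
URL_HOST_RE = re.compile(r"https?://([^\s/\"'>]+)", re.I)

def sender_domain(from_header):
    return parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()

def dmarc_failed(msg):
    # Assumes the receiving MTA stamped an Authentication-Results header.
    return re.search(r"\bdmarc=fail\b", msg.get("Authentication-Results", ""), re.I) is not None

def evaluate(raw_message):
    """Return (flagged, signals) for one RFC 822 message with a plain-text body."""
    msg = message_from_string(raw_message)
    sender, subject, body = msg.get("From", ""), msg.get("Subject", ""), msg.get_payload()
    if sender_domain(sender) in TRUSTED_HELPDESK_DOMAINS:
        return False, ["trusted_helpdesk_sender"]  # false-positive filter
    hosts = {h.lower() for h in URL_HOST_RE.findall(body)}
    checks = {
        "impersonation_wording": bool(CORP_SERVICE_RE.search(subject) or CORP_SERVICE_RE.search(sender)),
        "lure_phrase": bool(LURE_RE.search(subject + " " + body)),
        "suspicious_link": bool(hosts & (LOW_REPUTATION_DOMAINS | MASS_MAILER_DOMAINS)),
        "dmarc_fail": dmarc_failed(msg),
    }
    signals = [name for name, hit in checks.items() if hit]
    # How the signals combine is an assumption; the page does not state the rule's exact logic.
    flagged = checks["impersonation_wording"] and checks["suspicious_link"] and (checks["lure_phrase"] or checks["dmarc_fail"])
    return flagged, signals
# Constructed sample messages (not real mail).
PHISH = """From: HR Department <hr@payroll-notify.example>
Subject: HR: Action required - verify your account
Authentication-Results: mx.corp.example; dmarc=fail (p=reject) header.from=payroll-notify.example

Your benefits enrollment is on hold. Sign in to review: https://hr-portal-update.example/login
"""
LEGIT = """From: Corp Helpdesk <support@helpdesk.example.com>
Subject: Helpdesk ticket 1042 updated

Your ticket was updated: https://helpdesk.example.com/tickets/1042
"""
```

Running `evaluate(PHISH)` returns `(True, [...])` with all four signals, while `evaluate(LEGIT)` is suppressed by the trusted-helpdesk filter before any other check runs.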
Categories
  • Web
  • Endpoint
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2024-05-15