
Summary
This detection rule identifies phishing attempts that use bid invitations falsely attributed to the USDA (United States Department of Agriculture). It analyzes inbound email messages and applies several conditions to determine whether a message is an impersonation scam. It specifically looks for emails with a single attachment that is either a macro-enabled file or a PDF, both common vehicles for malicious content. The rule then examines the attachment content with Optical Character Recognition (OCR) and natural language analysis, checking for USDA-related keywords and terms related to agriculture, and confirms that the body of the email references bids. By also checking the sender's email domain for “usda” and inspecting the attachment's metadata, the rule reduces false positives and improves the reliability of detection for this kind of impersonation. The combination of content analysis, file inspection and analysis of the message's intent makes it well suited to detecting sophisticated business email compromise (BEC) attacks.
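The following is an added illustration of how the conditions described above combine, not the rule's own code. It re-implements the checks in plain Python over constructed sample messages: the keyword lists, the set of macro-enabled extensions, the Message and Attachment classes and the assumption that usda.gov is the only legitimate sender domain are all assumptions made here, and the attachment's OCR output is represented by pre-extracted text because no OCR engine is available offline.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: macro-enabled Office extensions and PDF are the two attachment
# types the rule is interested in, as the summary states.
MACRO_ENABLED_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm", ".potm"}
PDF_EXTENSIONS = {".pdf"}

# Keyword patterns are assumptions modelled on the summary, not the rule's lists.
USDA_PATTERN = re.compile(r"\b(usda|department of agriculture)\b")
AGRICULTURE_PATTERN = re.compile(r"\b(agricultur\w*|farm\w*|crop\w*|livestock|grain\w*)\b")
BID_PATTERN = re.compile(r"\b(bids?|bidding|tender|solicitation|rfq|request for quotation)\b")

# Assumption: a genuine USDA sender uses exactly this domain; anything else that
# merely contains "usda" is treated as an impersonation attempt.
LEGITIMATE_USDA_DOMAINS = {"usda.gov"}


@dataclass
class Attachment:
    filename: str
    extracted_text: str  # constructed stand-in for OCR / natural language output


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: List[Attachment] = field(default_factory=list)


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def file_extension(filename: str) -> str:
    """Return the lower-cased extension including the dot, or '' if none."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""


def evaluate(msg: Message) -> Dict[str, bool]:
    """Evaluate each condition from the summary; 'match' is True only if all hold."""
    checks: Dict[str, bool] = {
        "single_attachment": len(msg.attachments) == 1,
        "macro_enabled_or_pdf": False,
        "attachment_mentions_usda": False,
        "attachment_mentions_agriculture": False,
    }
    if checks["single_attachment"]:
        att = msg.attachments[0]
        ext = file_extension(att.filename)
        checks["macro_enabled_or_pdf"] = ext in MACRO_ENABLED_EXTENSIONS or ext in PDF_EXTENSIONS
        text = att.extracted_text.lower()
        checks["attachment_mentions_usda"] = USDA_PATTERN.search(text) is not None
        checks["attachment_mentions_agriculture"] = AGRICULTURE_PATTERN.search(text) is not None
    body = f"{msg.subject} {msg.body}".lower()
    checks["body_references_bid"] = BID_PATTERN.search(body) is not None
    domain = sender_domain(msg.sender)
    checks["sender_domain_contains_usda"] = "usda" in domain
    checks["sender_not_legitimate_usda"] = domain not in LEGITIMATE_USDA_DOMAINS
    checks["match"] = all(checks.values())
    return checks


# Constructed sample messages (domains use the reserved .example TLD).
USDA_ATTACHMENT = Attachment(
    "USDA_Bid_Invitation.pdf",
    "United States Department of Agriculture\nInvitation for bid: agricultural supplies and farm equipment",
)
SUSPICIOUS = Message(
    sender="procurement@usda-bid-portal.example",
    subject="Invitation to Bid - USDA Supply Contract",
    body="Please review the attached bid invitation and return your quotation by Friday.",
    attachments=[USDA_ATTACHMENT],
)
# Same content, but sent from the legitimate domain: should not match.
LEGITIMATE_SENDER = Message(
    sender="contracting@usda.gov",
    subject=SUSPICIOUS.subject,
    body=SUSPICIOUS.body,
    attachments=[USDA_ATTACHMENT],
)
# Spreadsheet without macros: attachment-type condition fails.
PLAIN_SPREADSHEET = Message(
    sender="procurement@usda-bid-portal.example",
    subject=SUSPICIOUS.subject,
    body=SUSPICIOUS.body,
    attachments=[Attachment("bid_sheet.xlsx", USDA_ATTACHMENT.extracted_text)],
)

if __name__ == "__main__":
    for name, m in [("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE_SENDER), ("xlsx", PLAIN_SPREADSHEET)]:
        print(name, evaluate(m))
```

Requiring every condition at once is what keeps the false-positive rate low: a genuine usda.gov sender fails the domain check, a bid email with a plain .xlsx fails the attachment-type check, and a message with several attachments never reaches the content checks at all.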
Categories
- Endpoint
- Cloud
- Web
- Identity Management
- Other
Data Sources
- User Account
- Application Log
- Network Traffic
- File
- Web Credential
- Process
Created: 2025-05-24