
Vendor impersonation: Thread hijacking with typosquat domain

Sublime Rules

Summary
This detection rule identifies vendor impersonation in which a threat actor hijacks an existing email thread using a domain that closely resembles the legitimate sender's, a technique common in Business Email Compromise (BEC). The rule analyzes inbound messages, focusing on replies, and checks whether the sender's domain is absent from the set of established sender domains. It examines the previous messages in the thread to verify whether the current sender has taken part in the conversation before, using regular expressions to extract email addresses for domain validation. A key aspect of the rule is its recognition of typosquat domains, that is, domains formed by making slight alterations to a legitimate domain name: it uses string distance metrics to identify lookalike domains. It then applies Natural Language Understanding (NLU) to classify the intent of the email content, requiring a significant confidence level for the classification, and checks whether risky categories of financial communication are present. Finally, it checks the sender domain's prevalence to ascertain whether the domain is new or previously unknown. Taken together, the rule detects potential BEC fraud through combined analysis of sender properties, previous thread context, and the semantic content of the message.
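The thread-context and lookalike checks described above, as an added illustration in Python (not Sublime's own rule logic): domains are extracted from the earlier messages with a regular expression, and a reply from a domain that is new to the thread but within a small edit distance of a participant's domain is flagged. The thread, addresses and the `max_distance` threshold are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed sample thread: two earlier messages between the organisation and a
# legitimate vendor. All addresses and domains here are made up for the example.
PRIOR_THREAD = """\
From: accounts@acme-supplies.example
To: ap@customer.example
Subject: Invoice 4471
From: ap@customer.example
To: accounts@acme-supplies.example
Subject: RE: Invoice 4471
"""

# Captures only the domain part of each address found in the thread text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def thread_domains(text):
    """Set of sender/recipient domains that appeared earlier in the thread."""
    return {d.lower() for d in EMAIL_RE.findall(text)}

def edit_distance(a, b):
    """Levenshtein distance; a small distance between domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(sender_domain, known_domains, max_distance=2):
    """Return the known domain the sender's domain imitates, or None.
    An exact match is an established participant, not a lookalike."""
    sender_domain = sender_domain.lower()
    if sender_domain in known_domains:
        return None
    for known in known_domains:
        if edit_distance(sender_domain, known) <= max_distance:
            return known
    return None

def check_reply(from_header, subject, prior_thread, org_domain):
    """Flag an inbound reply whose sender domain did not take part in the thread
    but sits within edit distance of a domain that did (org's own domain excluded)."""
    _, addr = parseaddr(from_header)
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    is_reply = subject.lower().startswith(("re:", "fw:", "fwd:"))
    known = thread_domains(prior_thread) - {org_domain.lower()}
    mimicked = lookalike_of(sender_domain, known)
    return {"is_reply": is_reply, "sender_domain": sender_domain, "mimics": mimicked,
            "suspicious": is_reply and mimicked is not None}
```

A production rule would combine this signal with the NLU intent classification and domain-prevalence checks the summary describes rather than alerting on string distance alone.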
Categories
  • Identity Management
  • Web
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2025-11-05