
Summary
This detection rule identifies potential brand impersonation of Gusto, a known payroll management platform. It combines string matching, Levenshtein (edit) distance calculations and machine learning to determine whether an incoming email purports to come from Gusto. The rule checks the sender's display name for similarity to 'Gusto', including minor typos, and verifies that the sender's email domain does not actually belong to the legitimate Gusto domain. It also analyzes any logos present in the email screenshot to assess whether they resemble Gusto's branding. By corroborating sender information against trusted domains and their DMARC (Domain-based Message Authentication, Reporting, and Conformance) status, the rule minimizes false positives by focusing on messages from less trusted sources or ones that fail authentication checks. This layered approach aims to safeguard against credential phishing attempts that exploit brand impersonation and social engineering tactics.
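The text-side logic described above (display-name similarity with an edit-distance tolerance, sender-domain verification, and DMARC/trusted-domain suppression of false positives), as an added example written for this page and not the rule's own code. The logo-image comparison is a machine-learning step and is not reproduced. The legitimate domain gusto.com, the placeholder high-trust list and all sample From headers are assumptions constructed for the example; DMARC results are passed in as booleans rather than parsed from Authentication-Results headers. It also goes slightly beyond the summary by treating a brand-domain From that fails DMARC as spoofed.

```python
"""Text-side checks of a Gusto brand-impersonation rule (added example)."""
import re
from email.utils import parseaddr

BRAND = "gusto"
# Assumption: gusto.com is the legitimate sending domain; the page names none.
LEGIT_BRAND_DOMAINS = {"gusto.com"}
# Placeholder for the rule's high-trust sender list (constructed for this example).
HIGH_TRUST_DOMAINS = {"trusted-mailer.example"}
# "Minor typos": one edit. Raising this admits unrelated words ("guest" is 2 away).
MAX_DISTANCE = 1


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def display_name_matches_brand(display_name: str) -> bool:
    """True if any word of the display name is 'gusto' or within MAX_DISTANCE of it.

    Comparing whole tokens rather than substrings keeps a personal name such as
    'Augusto' (which contains 'gusto') from triggering the rule.
    """
    tokens = re.findall(r"[a-z0-9]+", display_name.lower())
    return any(levenshtein(tok, BRAND) <= MAX_DISTANCE for tok in tokens)


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def evaluate(from_header: str, dmarc_pass: bool):
    """Return (flagged, reason) for one message's From header and DMARC result."""
    display_name, address = parseaddr(from_header)
    if not display_name_matches_brand(display_name):
        return False, "display name does not resemble the brand"
    domain = sender_domain(address)
    if domain in LEGIT_BRAND_DOMAINS:
        if dmarc_pass:
            return False, "genuine brand domain, DMARC pass"
        # Assumption: brand domain in From but failing DMARC is treated as spoofed.
        return True, "brand domain but DMARC fail"
    if domain in HIGH_TRUST_DOMAINS and dmarc_pass:
        # The rule suppresses high-trust senders that pass authentication.
        return False, "high-trust sender with DMARC pass"
    return True, f"brand-like display name from untrusted domain {domain!r}"


# Constructed sample messages: (From header, DMARC pass?)
SAMPLE_MESSAGES = [
    ("Gusto <no-reply@gusto.com>", True),
    ("Gusto Payroll <payroll@gusto-support-team.example>", True),
    ("Gustoo Team <hr@example.net>", False),
    ("Gusto Notifications <alerts@trusted-mailer.example>", True),
    ("Gusto <billing@gusto.com>", False),
    ("Augusto Silva <augusto@example.org>", True),
]

if __name__ == "__main__":
    for header, dmarc in SAMPLE_MESSAGES:
        flagged, reason = evaluate(header, dmarc)
        print(f"{'FLAG ' if flagged else 'pass '} {header:55} {reason}")
```

Running the block prints one line per sample: the two genuine or high-trust DMARC-passing messages and the "Augusto" sender pass, while the look-alike domain, the typo'd display name with failed DMARC, and the brand domain failing DMARC are flagged.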
Categories
- Cloud
- Web
- Identity Management
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2023-07-14