
Summary
This detection rule identifies emails that attempt to impersonate a VIP (Very Important Person) through invoicing requests. It uses Natural Language Understanding (NLU) to analyze the text of the current email thread, looking for invoicing terminology indicative of fraud or Business Email Compromise (BEC). The rule evaluates whether the sender's domain matches one of the organization's domains and whether the sender shows the characteristics of an external sender, determined from X-headers and the authenticated sender's email address. It also checks that the reply-to address has not been previously contacted, since redirecting replies to a fresh address is a common tactic attackers use to fabricate a conversation. To reduce false positives, trusted sender domains are negated unless they fail DMARC authentication. The severity is set to high because of the critical nature of VIP impersonation and the financial impact of successful invoicing fraud.
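As an added illustration, not the rule's own code or query language, the following Python models the decision logic the summary describes. The keyword list standing in for the NLU classifier, the `Email` record fields, the use of the Exchange `X-MS-Exchange-Organization-AuthAs` header as the external-sender marker, and the reading that a Reply-To must be present and never contacted are all assumptions; the sample message is constructed.

```python
from dataclasses import dataclass, field

# Constructed keyword list standing in for the rule's NLU invoicing classifier.
INVOICING_TERMS = ("invoice", "wire transfer", "payment", "bank details", "remittance")

@dataclass
class Email:
    display_name: str          # From: display name
    sender: str                # From: address
    authenticated_sender: str  # address that passed SPF/DKIM (assumed field)
    reply_to: str              # Reply-To: address, "" if absent
    body: str
    x_headers: dict = field(default_factory=dict)
    dmarc_pass: bool = True

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def nlu_invoicing_request(text: str) -> bool:
    """Keyword stand-in for the NLU check; the real rule uses a language model."""
    return any(term in text.lower() for term in INVOICING_TERMS)

def impersonates_vip(email: Email, vip_names: set) -> bool:
    """Display name claims to be a VIP (the simplest form of VIP impersonation)."""
    return email.display_name.strip().lower() in {v.lower() for v in vip_names}

def is_external(email: Email, org_domains: set) -> bool:
    """External if From domain is not ours, the gateway X-header says unauthenticated, or the authenticated sender is not ours."""
    if domain(email.sender) not in org_domains:
        return True
    if email.x_headers.get("X-MS-Exchange-Organization-AuthAs", "").lower() == "anonymous":
        return True
    return domain(email.authenticated_sender) not in org_domains

def vip_invoicing_impersonation(email, org_domains, vip_names, trusted_domains, contacted) -> bool:
    """True when every condition in the rule summary holds."""
    if not (nlu_invoicing_request(email.body) and impersonates_vip(email, vip_names)
            and is_external(email, org_domains)):
        return False
    # Reply-To present and never contacted before (assumed reading of the summary).
    if not email.reply_to or email.reply_to.lower() in contacted:
        return False
    # Trusted sender domains are negated unless DMARC fails.
    return not (domain(email.sender) in trusted_domains and email.dmarc_pass)

# Constructed sample: spoofed VIP name, external webmail sender, fresh Reply-To, invoice language.
ORG_DOMAINS, VIP_NAMES = {"example.com"}, {"Jane Doe"}
TRUSTED_DOMAINS, CONTACTED = {"vendor.example"}, {"bob@partner.example"}
SAMPLE = Email("Jane Doe", "janedoe.ceo@webmail.example", "janedoe.ceo@webmail.example",
               "janedoe.ceo@reply-example.net", "Please process the attached invoice and wire transfer today.")
```

Calling `vip_invoicing_impersonation(SAMPLE, ORG_DOMAINS, VIP_NAMES, TRUSTED_DOMAINS, CONTACTED)` returns True for the constructed sample and False once the same message comes from an internal, authenticated address or from a trusted domain that passes DMARC.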
Categories
- Endpoint
- Web
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2024-03-11