
Service Abuse: Nifty.com with impersonation

Sublime Rules

Summary
This detection rule identifies potential credential phishing in emails originating from nifty.com. The primary condition for triggering an alert is that the local part of the sender's email address matches either the local part of any recipient's email address or one of the organization's second-level domains (SLDs). This impersonation pattern is often associated with credential harvesting campaigns, in which attackers manipulate the sender address to appear trustworthy. The rule also filters out messages written in Japanese to avoid false positives, and excludes benign messages and solicited communications, so that only suspicious emails are flagged. The use of sender analysis as a detection method emphasizes the need to scrutinize email origins against the established communication patterns within an organization.
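The matching logic described above, as an added Python reimplementation for illustration (this is not the Sublime rule itself, which is written in Sublime's query language, and it is not code from the Sublime Rules project). The sender/recipient addresses, the organizational domains and the `language` and `solicited` fields are constructed assumptions; in a real pipeline the language label and the solicited flag would come from upstream classifiers. The SLD helper takes the label directly under the top-level domain and does not handle multi-part public suffixes such as `.co.jp`.

```python
"""Local-part impersonation check for nifty.com senders (illustrative, not the Sublime rule)."""
from dataclasses import dataclass, field
from typing import List, Set

NIFTY_DOMAIN = "nifty.com"

# Constructed example: the protected organization's domains (assumption, not from the rule page).
ORG_DOMAINS = ["acme.com", "acme-corp.net"]


@dataclass
class Message:
    sender: str
    recipients: List[str] = field(default_factory=list)
    language: str = ""        # ISO 639-1 code from an assumed upstream language classifier
    solicited: bool = False   # assumed upstream flag for subscribed / expected mail


def local_part(addr: str) -> str:
    """Return the lowercase part before the last '@', or '' if there is no '@'."""
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[0].strip().lower()


def domain_part(addr: str) -> str:
    """Return the lowercase part after the last '@', or '' if there is no '@'."""
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def sld(domain: str) -> str:
    """Second-level label of a domain: 'acme.com' -> 'acme' (no public-suffix handling)."""
    labels = [l for l in domain.lower().split(".") if l]
    if len(labels) >= 2:
        return labels[-2]
    return labels[0] if labels else ""


def is_nifty_sender(sender: str) -> bool:
    """True for nifty.com itself and any of its subdomains."""
    d = domain_part(sender)
    return d == NIFTY_DOMAIN or d.endswith("." + NIFTY_DOMAIN)


def impersonates_recipient_or_org(msg: Message, org_domains: List[str]) -> bool:
    """Core condition: sender local part equals a recipient local part or an org SLD."""
    sender_local = local_part(msg.sender)
    if not sender_local:
        return False
    recipient_locals: Set[str] = {local_part(r) for r in msg.recipients}
    recipient_locals.discard("")
    org_slds: Set[str] = {sld(d) for d in org_domains}
    org_slds.discard("")
    return sender_local in recipient_locals or sender_local in org_slds


def evaluate(msg: Message, org_domains: List[str]) -> bool:
    """Return True when the message should be flagged, mirroring the rule's described conditions."""
    if not is_nifty_sender(msg.sender):
        return False            # rule only looks at nifty.com senders
    if msg.language.lower() == "ja":
        return False            # Japanese messages are excluded to reduce false positives
    if msg.solicited:
        return False            # solicited / expected mail is excluded
    return impersonates_recipient_or_org(msg, org_domains)


def sample_messages() -> List[Message]:
    """Constructed sample traffic used to exercise the check."""
    return [
        Message("acme@nifty.com", ["alice@acme.com"], "en"),          # org SLD impersonation -> flag
        Message("alice@nifty.com", ["alice@acme.com"], "en"),         # recipient local part -> flag
        Message("bob@mail.nifty.com", ["bob@acme.com"], "en"),        # nifty subdomain -> flag
        Message("alice@nifty.com", ["alice@acme.com"], "ja"),         # Japanese -> excluded
        Message("alice@nifty.com", ["alice@acme.com"], "en", True),   # solicited -> excluded
        Message("newsletter@nifty.com", ["alice@acme.com"], "en"),    # no match -> not flagged
        Message("alice@example.net", ["alice@acme.com"], "en"),       # not nifty.com -> not flagged
    ]


if __name__ == "__main__":
    for m in sample_messages():
        print(f"{m.sender:28} -> {'FLAG' if evaluate(m, ORG_DOMAINS) else 'ok'}")
```

Running the block prints one line per constructed message; only the first three are flagged. The recipient set is compared as a whole rather than pairwise, which is what makes a sender such as `alice@nifty.com` match a message sent to several people that includes `alice@acme.com`.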
Categories
  • Web
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2025-11-06