
Summary
This detection rule identifies brand impersonation attempts that masquerade as the Financial Industry Regulatory Authority (FINRA). It combines a string similarity check, natural language understanding (NLU) classification of the message body, and sender reputation analysis to decide whether a sender is impersonating FINRA. The similarity check fires when the sender's display name or domain resembles 'finra' within a Levenshtein distance of 1, which covers single-character typosquats such as a swapped or substituted letter. The body is then classified for financial-related entities and for a recognized intent; both together strengthen the indication of a phishing attempt. Sender characteristics complete the check: the sender must not originate from a verified FINRA domain, the sender profile must be new or otherwise suspicious, and there must be no prior solicited contact between the recipient and the sender. Requiring all of these conditions keeps the rule from firing on legitimate FINRA mail or on ongoing correspondence while still catching typosquatted impersonation.
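The logic described above, run over a few constructed messages, as an added example that is not the rule's own code. The Levenshtein check, the verified-domain exclusion, the new-sender threshold and the solicited-contact test are implemented directly; the NLU entity and intent classifiers are stood in for by keyword regexes, since the page does not describe the real classifier. The domain allowlist, the 30-day "new sender" threshold and the sample emails are all assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

BRAND = "finra"
# Assumed allowlist of genuine FINRA domains (finra.org is FINRA's public
# domain); a production rule would carry the organisation's verified list.
VERIFIED_FINRA_DOMAINS = {"finra.org"}
NEW_SENDER_DAYS = 30  # assumed threshold for a "recent" sender profile

# Keyword stand-ins for the NLU financial-entity and intent classifiers the
# rule description refers to; the real rule uses an ML classifier, not regexes.
FINANCIAL_ENTITY_RE = re.compile(
    r"\b(account|broker(?:age)?|funds?|investments?|securit(?:y|ies))\b|\$\d[\d,]*",
    re.IGNORECASE,
)
INTENT_RE = re.compile(
    r"\b(verify|confirm|update|suspend(?:ed)?|immediately|click)\b", re.IGNORECASE
)


@dataclass
class Email:
    from_header: str                     # e.g. 'FINRA Alerts <notice@flnra-secure.com>'
    body: str
    sender_first_seen_days: Optional[int]  # None = sender never seen before
    recipient_has_emailed_sender: bool   # prior solicited contact


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def parse_sender(from_header: str):
    """Split a From: header into (display name, address, domain), lowercased where relevant."""
    m = re.match(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', from_header)
    if m:
        display, addr = m.group(1).strip(), m.group(2).strip()
    else:
        display, addr = "", from_header.strip()
    domain = addr.rsplit("@", 1)[-1].lower()
    return display, addr.lower(), domain


def tokens(s: str):
    """Alphanumeric tokens, so 'flnra-secure.com' yields ['flnra', 'secure', 'com']."""
    return [t for t in re.split(r"[^a-z0-9]+", s.lower()) if t]


def resembles_brand(display: str, domain: str) -> bool:
    """True if any token of the display name or domain is within distance 1 of 'finra'."""
    return any(levenshtein(t, BRAND) <= 1 for t in tokens(display) + tokens(domain))


def is_verified_finra_domain(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in VERIFIED_FINRA_DOMAINS)


def is_finra_impersonation(email: Email) -> bool:
    """All conditions from the rule summary must hold for the rule to fire."""
    display, _addr, domain = parse_sender(email.from_header)
    if is_verified_finra_domain(domain):
        return False                                   # genuine FINRA mail
    if not resembles_brand(display, domain):
        return False                                   # no brand lookalike
    if not (FINANCIAL_ENTITY_RE.search(email.body) and INTENT_RE.search(email.body)):
        return False                                   # body lacks financial entity or intent
    new_sender = (email.sender_first_seen_days is None
                  or email.sender_first_seen_days <= NEW_SENDER_DAYS)
    if not new_sender:
        return False                                   # established sender profile
    if email.recipient_has_emailed_sender:
        return False                                   # solicited contact exists
    return True


# Constructed sample messages (not real mail) covering the decision branches.
PHISH = Email("FINRA Alerts <notice@flnra-secure.com>",
              "Your brokerage account has been suspended. Verify immediately.", None, False)
LEGIT = Email("FINRA Regulatory Notices <noreply@finra.org>",
              "Your account statement is ready. Update your preferences here.", 400, False)
SOLICITED = Email("FINRA Alerts <notice@flnra-secure.com>",
                  "Your brokerage account has been suspended. Verify immediately.", None, True)
NO_FINANCE = Email("FINRA Team <events@finra-events.net>",
                   "Thanks for attending yesterday's webinar.", None, False)
OLD_SENDER = Email("FINRA Alerts <notice@flnra-secure.com>",
                   "Your brokerage account has been suspended. Verify immediately.", 200, False)

if __name__ == "__main__":
    for name, msg in [("PHISH", PHISH), ("LEGIT", LEGIT), ("SOLICITED", SOLICITED),
                      ("NO_FINANCE", NO_FINANCE), ("OLD_SENDER", OLD_SENDER)]:
        print(f"{name:11s} -> {is_finra_impersonation(msg)}")
```

Tokenising both the display name and the domain before comparing is what makes a domain like flnra-secure.com match: the whole label is far from 'finra', but its first token is one substitution away. Skipping messages whose recipient has previously written to the sender is the cheapest way to suppress the rule on real correspondence, and it is also the condition an attacker cannot satisfy without first getting a reply.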
Categories
- Identity Management
- Web
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2021-02-19