Self-impersonation: Sender matches recipient with bolded name and suspicious link

Sublime Rules

Summary
Inbound email rule that detects self-impersonation phishing by combining three indicators: (1) the message is addressed to a single recipient whose address matches the sender's address (sender impersonation); (2) the sender's display name is rendered in bold within the email body, suggesting deliberate identity spoofing; and (3) the HTML body contains a suspicious link inside a dashed-bordered HTML element (a table cell with dashed border styling that wraps linked text). The link's href must include a word derived from the email subject, implying that the attacker references the organization within the target URL. The rule uses HTML XPath expressions to locate the bold display name and the dashed-bordered link, and a regex to extract a word from the subject that is then checked against the link URL. Together these indicators point to credential phishing that relies on social engineering and is designed to evade basic header checks. Required data sources are inbound message content (headers and HTML body); analysis focuses on HTML structure (XPath) and string matching. The detection is classified as credential phishing with evasion and social engineering techniques, allowing security teams to investigate and to educate users about self-impersonation risks.
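As an added, stand-alone illustration of the three-indicator logic described above (not the rule's own source), the Python below evaluates a constructed sample message; the regex for the subject word is an assumed stand-in, and the standard-library ElementTree stands in for the rule's XPath engine on a well-formed XHTML body.

```python
import re
import xml.etree.ElementTree as ET
from email import message_from_string
from email.policy import default
from email.utils import getaddresses, parseaddr

# Constructed sample (not from the page): all three indicators are present.
SAMPLE_EMAIL = """\
From: "Alice Example" <alice@example.test>
To: alice@example.test
Subject: Acme Corp password expiry notice
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello <b>Alice Example</b>,</p>
<table><tr><td style="border: 2px dashed #999; padding: 4px">
<a href="https://login.example.invalid/acme/verify">Keep current password</a>
</td></tr></table>
</body></html>
"""

def subject_word(subject):
    """Assumed stand-in for the rule's regex: first alphabetic word of 4+ letters."""
    m = re.search(r"[A-Za-z]{4,}", subject or "")
    return m.group(0).lower() if m else None

def evaluate(raw):
    """Return each indicator and the combined verdict for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    name, sender = parseaddr(msg["from"] or "")
    recipients = [addr for _, addr in getaddresses(msg.get_all("to", []))]
    # (1) exactly one recipient, and it is the sender's own address
    self_addressed = len(recipients) == 1 and recipients[0].lower() == sender.lower()

    # ElementTree stands in for the rule's XPath; the sample body is well-formed XHTML
    root = ET.fromstring(msg.get_content())
    # (2) the sender's display name appears as the text of a <b>/<strong> element
    bold_name = bool(name) and any(
        (el.text or "").strip().lower() == name.strip().lower()
        for el in root.iter() if el.tag in ("b", "strong"))

    # (3) a link inside a dashed-border cell whose href contains the subject word
    word = subject_word(msg["subject"])
    hrefs = [a.get("href", "") for td in root.iter("td")
             if "dashed" in td.get("style", "") for a in td.iter("a")]
    dashed_link = word is not None and any(word in h.lower() for h in hrefs)
    return {"self_addressed": self_addressed, "bold_name": bold_name,
            "dashed_link": dashed_link,
            "match": self_addressed and bold_name and dashed_link}
```

Dropping any one indicator (a different recipient, a plain-text name, or a solid border) clears `match`, which mirrors how the rule only fires on the full combination.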
Categories
  • Endpoint
  • Web
  • Application
Data Sources
  • Application Log
Created: 2026-06-17