Brand Impersonation: Capital One

Sublime Rules

Summary
This detection rule identifies potential brand impersonation attacks targeting Capital One. It inspects inbound messages for indicators such as the display name, sender addresses, message content, and embedded logos that suggest an attempt to impersonate Capital One. The rule excludes legitimate communications from recognized Capital One domains and from known trusted senders whose messages have passed email authentication (DMARC). It combines several string-matching techniques to find mentions of 'Capital One' and close variations of the name, and uses computer vision to recognize the Capital One logo in message screenshots. It also looks for suspicious indicators in the message body that often accompany phishing, such as password-reset requests, unusual security alerts, and links whose visible text does not match their destination. Finally, it filters out legitimate replies and forwards to reduce false positives. The rule carries a high severity rating because of the potential consequences of a successful phishing attack.
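As an added illustration of the checks the summary lists (this is example code written for this page, not the Sublime rule itself, and it does not use Sublime's query language), the Python sketch below evaluates a raw RFC 822 message with the same ingredients: brand mention in the display name or body (with edit-distance tolerance for lookalikes), a legitimate-sender exemption that requires both a recognized domain and `dmarc=pass` in `Authentication-Results`, a reply/forward exemption, suspicious body phrases, and anchors whose visible text names a different domain than their `href`. The `LEGIT_DOMAINS` set, the suspicious-phrase list, and the three sample messages are constructed placeholders; the logo/computer-vision check from the summary is not reproduced here.

```python
"""Simplified brand-impersonation triage modelled on the rule summary (illustrative only)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "capitalone"
# Assumption: placeholder list of the brand's own sending domains, not a verified list.
LEGIT_DOMAINS = {"capitalone.com", "notification.capitalone.com"}
# Body phrases the summary calls out as phishing indicators (constructed patterns).
SUSPICIOUS_BODY = [
    r"reset\s+your\s+password",
    r"unusual\s+(sign[- ]?in|activity|login)",
    r"security\s+alert",
    r"verify\s+your\s+(account|identity)",
]
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance; small inputs only, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mentions_brand(text: str) -> bool:
    """True if some run of letters/digits is within edit distance 1 of 'capitalone'.
    Collapsing separators catches 'Capital One', 'Capital-One' and 'Cap1tal One'."""
    letters = re.sub(r"[^a-z0-9]", "", text.lower())
    n = len(BRAND)
    for start in range(0, max(1, len(letters) - n + 2)):
        for width in (n - 1, n, n + 1):
            chunk = letters[start:start + width]
            if len(chunk) >= n - 1 and levenshtein(chunk, BRAND) <= 1:
                return True
    return False


def dmarc_passed(msg: Message) -> bool:
    auth = " ".join(msg.get_all("Authentication-Results", []))
    return re.search(r"\bdmarc=pass\b", auth, re.I) is not None


def is_reply_or_forward(msg: Message) -> bool:
    subject = msg.get("Subject", "").strip().lower()
    return bool(msg.get("In-Reply-To")) or bool(re.match(r"^(re|fw|fwd)\s*:", subject))


def misleading_links(html: str) -> list:
    """Anchors whose visible text names a host that is not the href's host (or a parent of it)."""
    found = []
    for href, inner in ANCHOR_RE.findall(html):
        text = TAG_RE.sub("", inner).strip()
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if not shown:
            continue
        shown_host, real_host = shown.group(0), (urlparse(href).hostname or "").lower()
        if real_host and real_host != shown_host and not real_host.endswith("." + shown_host):
            found.append((text, href))
    return found


def body_text(msg: Message) -> str:
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def evaluate(raw: str) -> dict:
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = body_text(msg)
    plain = TAG_RE.sub(" ", body)
    r = {
        "brand_in_display_name": mentions_brand(display_name),
        "brand_in_body": mentions_brand(plain),
        "legit_sender": domain in LEGIT_DOMAINS and dmarc_passed(msg),
        "reply_or_forward": is_reply_or_forward(msg),
        "suspicious_phrases": [p for p in SUSPICIOUS_BODY if re.search(p, plain, re.I)],
        "misleading_links": misleading_links(body),
    }
    # Flag only when the brand is invoked, the sender is not exempt, and a phishing cue is present.
    r["flagged"] = bool((r["brand_in_display_name"] or r["brand_in_body"])
                        and not r["legit_sender"] and not r["reply_or_forward"]
                        and (r["suspicious_phrases"] or r["misleading_links"]))
    return r


# Constructed sample messages (reserved .example domains, no real infrastructure).
PHISH = """\
From: "Capital One Security" <alerts@capita1one-verify.example>
To: customer@example.org
Subject: Unusual sign-in detected
Content-Type: text/html; charset=utf-8

<p>We noticed unusual activity on your account. Please reset your password now.</p>
<p><a href="http://login.lookalike-host.example/reset">www.capitalone.com</a></p>
"""
LEGIT = """\
From: "Capital One" <no-reply@capitalone.com>
To: customer@example.org
Subject: Your statement is ready
Authentication-Results: mx.example.org; dmarc=pass header.from=capitalone.com
Content-Type: text/plain; charset=utf-8

Your monthly statement is ready. Sign in at https://www.capitalone.com to review it.
"""
REPLY = """\
From: "Pat" <pat@example.org>
To: helpdesk@example.org
Subject: Re: Capital One security alert
In-Reply-To: <abc123@example.org>
Content-Type: text/plain; charset=utf-8

I got this security alert asking me to reset your password, is it real?
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT), ("reply", REPLY)):
        print(name, evaluate(sample)["flagged"])
```

The exemptions are deliberately conjunctive: a message from a recognized domain that does not carry `dmarc=pass` is still evaluated, which is what stops a spoofed `From:` header from inheriting the allowlist. Tune `SUSPICIOUS_BODY` and the edit-distance threshold against your own mail, since an edit distance of 1 on a collapsed string is a trade-off between catching `Cap1tal One` and tolerating unrelated words.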
Categories
  • Web
  • Endpoint
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Network Traffic
Created: 2025-02-11