
Summary
This detection rule identifies potential brand impersonation attacks targeting Robert Half, a well-known staffing and recruiting agency. The rule combines several indicators to assess the legitimacy of an incoming message. It first checks whether the sender's display name contains 'Robert Half'. If that is not conclusive, it applies computer vision to screenshots of the message to look for graphical logos associated with Robert Half. It also examines the message body for key references, specifically mentions of 'Robert Half' and of the company's physical address, '2884 Sand Hill Road, Menlo Park, CA 94025'. To reduce false positives, the rule requires that the message is neither a reply nor a forward, which it determines from the `in_reply_to` and `references` headers. Finally, it excludes messages whose sender domain is a legitimate Robert Half domain, or a domain associated with the recipient organization, provided the message's DMARC authentication summary passes. Overall, this rule is part of a broader effort to detect Business Email Compromise (BEC) and Credential Phishing attempts.
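The decision logic described above, as an added Python illustration rather than the rule's own query language: the domain lists are assumed placeholders (the summary does not publish the legitimate domains), the logo check is taken as an input flag because the computer-vision step is outside this snippet, and either the brand name or the address in the body counts as a reference.

```python
import re
from dataclasses import dataclass

# Placeholder domains (assumed): the rule summary does not list the real legitimate domains.
KNOWN_BRAND_DOMAINS = {"roberthalf.example"}
ORG_DOMAINS = {"corp.example"}
BRAND_NAME = "robert half"
BRAND_ADDRESS = "2884 sand hill road, menlo park, ca 94025"

@dataclass
class Message:
    display_name: str
    sender_domain: str
    body: str
    logo_detected: bool = False   # result of the CV logo check, supplied as input here
    in_reply_to: str = ""
    references: str = ""
    dmarc_pass: bool = False

def _norm(text: str) -> str:
    # Collapse whitespace and case so "Robert\nHalf" still matches.
    return re.sub(r"\s+", " ", text).strip().lower()

def mentions_brand(m: Message) -> bool:
    # Any single indicator suffices: display name, logo, or body reference.
    body = _norm(m.body)
    return (BRAND_NAME in _norm(m.display_name) or m.logo_detected
            or BRAND_NAME in body or BRAND_ADDRESS in body)

def is_reply_or_forward(m: Message) -> bool:
    # Threaded mail carries In-Reply-To or References headers.
    return bool(m.in_reply_to.strip() or m.references.strip())

def is_trusted_sender(m: Message) -> bool:
    # A legitimate domain is only trusted when DMARC passes; a failing
    # DMARC result on a brand domain is exactly what spoofing looks like.
    domain = m.sender_domain.strip().lower()
    return domain in (KNOWN_BRAND_DOMAINS | ORG_DOMAINS) and m.dmarc_pass

def flag_impersonation(m: Message) -> bool:
    return mentions_brand(m) and not is_reply_or_forward(m) and not is_trusted_sender(m)

# Constructed sample messages (not real mail) exercising the rule's branches.
SAMPLES = {
    "lookalike": Message("Robert Half Recruiting", "rh-careers.example", "New role for you"),
    "legit_dmarc": Message("Robert Half", "roberthalf.example", "Hi", dmarc_pass=True),
    "spoofed": Message("Robert Half", "roberthalf.example", "Hi", dmarc_pass=False),
    "reply": Message("Robert Half", "rh-careers.example", "Re:", in_reply_to="<a@b>"),
    "address_only": Message("HR", "jobs.example", "Visit 2884 Sand Hill Road,\nMenlo Park, CA 94025"),
}
```

The "spoofed" sample shows why the DMARC condition matters: a message claiming the brand domain without a passing DMARC result is still flagged.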
Categories
- Web
- Identity Management
- Endpoint
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2025-09-16