
Brand impersonation: Amazon with suspicious attachment

Sublime Rules

Summary
This rule detects brand impersonation attacks targeting Amazon, which frequently take the form of fake shipping notifications. The detection logic combines several signals: it checks whether the sender's display name contains 'amazon', and it flags attachments whose filenames or OCR-extracted text contain 'amazon'. It also applies machine-learning logo detection to identify Amazon logos across file types, with a particular focus on images and PDFs. The content of the email thread and the intent classification of any extracted text are then examined for non-benign intent at high confidence. Finally, the rule requires that the sender's email address not belong to an official Amazon domain, which increases the accuracy of the detection. The rule highlights why both sender reputation and the content of inbound emails must be analyzed to counter credential phishing attempts.
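The decision logic described above, approximated in Python as an added example (this is not the rule's MQL source, which is not shown on this page); the domain list, the message fields and the classifier verdicts are assumptions standing in for the platform's OCR, logo-detection and intent features:

```python
from dataclasses import dataclass, field

# Assumption: a stand-in allowlist; the rule's actual list of official domains is not on this page.
OFFICIAL_AMAZON_DOMAINS = {"amazon.com", "amazon.co.uk", "amazon.de"}

@dataclass
class Attachment:
    file_name: str
    ocr_text: str = ""           # text an OCR step would extract (constructed here)
    logo_detected: bool = False  # stand-in for the ML logo classifier's verdict

@dataclass
class Message:
    display_name: str
    sender_email: str
    body: str
    attachments: list = field(default_factory=list)
    intent: str = "benign"       # stand-in for the intent classifier's label
    intent_confidence: str = "low"

def sender_is_official(email):
    """True only when the sender domain IS an official domain or a subdomain of one."""
    domain = email.rsplit("@", 1)[-1].lower()
    # Match on a dot boundary so a lookalike such as "amazon.com.evil.net" does not pass.
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_AMAZON_DOMAINS)

def brand_signals(msg):
    """Collect the brand-impersonation indicators the summary lists."""
    hits = []
    if "amazon" in msg.display_name.lower():
        hits.append("display_name")
    for a in msg.attachments:
        if "amazon" in a.file_name.lower() or "amazon" in a.ocr_text.lower():
            hits.append("attachment_text")
        if a.logo_detected:
            hits.append("attachment_logo")
    return hits

def suspicious_intent(msg):
    return msg.intent != "benign" and msg.intent_confidence == "high"

def matches(msg):
    """Flag when the brand is invoked, intent is non-benign, and the sender is not official."""
    if sender_is_official(msg.sender_email):
        return False
    return bool(brand_signals(msg)) and suspicious_intent(msg)

# Constructed sample: spoofed display name, lookalike domain, PDF carrying the logo.
SAMPLE = Message(
    display_name="Amazon Shipping",
    sender_email="orders@amazon-delivery-update.example",
    body="Your package could not be delivered. Open the attached invoice.",
    attachments=[Attachment("Amazon_invoice.pdf", ocr_text="amazon.com order", logo_detected=True)],
    intent="cred_theft", intent_confidence="high",
)
```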
Categories
  • Web
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Network Traffic
  • Process
  • File
Created: 2023-08-02