VIP / Executive impersonation in subject (untrusted)

Sublime Rules

Summary
This detection rule identifies potential VIP impersonation attempts in email by examining incoming messages that carry a display name from an organization-specific list of VIPs ($org_vips). If a display name matches a name on that list and the sender is a new or unsolicited entity, the rule triggers an alert. The aim is to curb Business Email Compromise (BEC) and fraud attempts, which typically arrive from dubious or first-time sources. Several layers of logic exclude benign cases: messages whose sender display name matches the mailbox's own name are ignored, and bounce-back messages are filtered out. For senders whose domain is one of the organization's trusted domains, the rule additionally checks DMARC authentication, so a message from an organizational domain that fails DMARC is treated as a spoofing attempt rather than as trusted internal mail. Detecting suspicious subjects or links can further strengthen the protection this rule provides.
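The layered logic above, written out in Python as an added example (this is not the rule's own MQL nor any Sublime code). ORG_VIPS and ORG_DOMAINS stand in for $org_vips and $org_domains, the Message fields are an assumed simplification of a parsed email, and the sample messages are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed stand-ins for the organization-specific lists $org_vips / $org_domains.
ORG_VIPS = ["Jane Doe", "Sam Rivera"]
ORG_DOMAINS = ["example.com"]
BOUNCE_LOCALPARTS = ("mailer-daemon", "postmaster")  # assumed bounce-back senders

@dataclass
class Message:
    sender_name: str     # From: display name
    sender_email: str    # From: address
    subject: str
    mailbox_name: str    # display name of the receiving mailbox
    dmarc_pass: bool     # DMARC result for the message
    solicited: bool      # True when this mailbox has previously written to the sender

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def vip_impersonation(msg: Message, vips=ORG_VIPS, org_domains=ORG_DOMAINS) -> tuple[bool, str]:
    """Return (flagged, reason) following the rule's layers: VIP name present,
    benign exclusions, then the DMARC check for organizational domains."""
    names = [v.lower() for v in vips]
    subject, sender_name = msg.subject.lower(), msg.sender_name.lower()
    # Layer 1: a VIP name must appear in the subject or as the sender's display name.
    if not any(n in subject or n == sender_name for n in names):
        return False, "no VIP name present"
    # Exclusion: bounce-backs quote the original subject and are not impersonation.
    if msg.sender_email.split("@", 1)[0].lower() in BOUNCE_LOCALPARTS:
        return False, "bounce-back message"
    # Exclusion: the sender's display name is the mailbox's own name.
    if sender_name == msg.mailbox_name.lower():
        return False, "display name matches mailbox name"
    # Exclusion: established correspondent, not a new/unsolicited sender.
    if msg.solicited:
        return False, "sender is solicited"
    # Layer 2: organizational domains are trusted only when DMARC passes.
    if _domain(msg.sender_email) in {d.lower() for d in org_domains}:
        return (False, "org domain, DMARC pass") if msg.dmarc_pass else (True, "org domain, DMARC fail")
    return True, "unsolicited external sender using a VIP name"

def run_samples() -> dict[str, bool]:
    """Constructed sample messages (not real traffic) run through the check."""
    samples = {
        "external_lookalike": Message("Jane Doe", "jane.doe@webmail.invalid", "Urgent wire request", "Accounts Payable", True, False),
        "spoofed_org_domain": Message("Jane Doe", "jane.doe@example.com", "Quick favour", "Accounts Payable", False, False),
        "legit_internal": Message("Jane Doe", "jane.doe@example.com", "Board deck", "Accounts Payable", True, False),
        "bounce": Message("Mail Delivery System", "mailer-daemon@mx.invalid", "Undeliverable: Re: Jane Doe approval", "Accounts Payable", True, False),
        "own_mailbox": Message("Jane Doe", "jane@partner.invalid", "Re: Jane Doe travel", "Jane Doe", True, False),
    }
    return {name: vip_impersonation(m)[0] for name, m in samples.items()}
```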
Categories
  • Cloud
  • Identity Management
  • Web
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2024-05-07