
Brand impersonation: Wells Fargo

Sublime Rules

Summary
This detection rule identifies phishing attempts that impersonate Wells Fargo. It combines sender display-name matching with string analysis to catch close variations and deceptive renderings of the brand name 'Wells Fargo'. The detection logic uses Levenshtein distance to flag display names that differ from 'Wells Fargo' by only a few character edits (visually or phonetically similar look-alikes), together with regex patterns that capture common phishing subject lines and body text. To reduce false positives, the rule exempts high-trust sender domains (reputable email providers), but withholds that exemption from messages that fail DMARC authentication, so a spoofed trusted domain is still flagged. The attack type this rule targets is credential phishing: fraudulent emails that mimic legitimate communications from a financial institution in order to harvest login details. In short, the rule checks for identifier similarity, recognizes typical phishing lures, and filters out known safe, authenticated sender domains that would otherwise generate false alarms.
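The following Python is an added illustration of the three checks the summary describes (display-name edit distance, lure patterns in subject/body, and a high-trust sender exemption that requires a DMARC pass). It is not the rule's own source and does not use Sublime's query language; the edit-distance threshold, the allow-list contents, the lure regexes and the sample messages are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Brand being protected, compared in normalized (lower-case, letters-only) form.
BRAND = "wells fargo"

# Assumed threshold: display names this many edits or fewer from the brand are look-alikes.
LEVENSHTEIN_THRESHOLD = 2

# Constructed allow-list standing in for the rule's high-trust sender root domains.
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"wellsfargo.com"}

# Constructed subject/body patterns typical of credential-phishing lures.
LURE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\b(verify|confirm|update|validate)\b.{0,40}\baccount\b",
        r"\baccount\b.{0,40}\b(suspended|locked|limited|restricted)\b",
        r"\bunusual\s+(sign[- ]?in|activity|login)\b",
    )
]


@dataclass
class Message:
    display_name: str
    sender_domain: str
    subject: str
    body: str
    dmarc_pass: bool  # result of the gateway's DMARC evaluation


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_name(name: str) -> str:
    """Lower-case and reduce to letters so 'WeIls-Fargo' and 'wells fargo' compare alike."""
    return re.sub(r"[^a-z]+", " ", name.lower()).strip()


def brand_lookalike(display_name: str) -> bool:
    """True if the brand appears verbatim (spaces ignored) or any word window is within
    LEVENSHTEIN_THRESHOLD edits of the brand, so 'WeIls Fargo Alerts' still matches."""
    words = normalize_name(display_name).split()
    if BRAND.replace(" ", "") in "".join(words):
        return True
    n = len(BRAND.split())
    windows = [" ".join(words[i:i + n]) for i in range(max(1, len(words) - n + 1))]
    return any(levenshtein(w, BRAND) <= LEVENSHTEIN_THRESHOLD for w in windows)


def lure_content(msg: Message) -> bool:
    """True if subject or body carries a known credential-phishing lure."""
    return any(p.search(msg.subject) or p.search(msg.body) for p in LURE_PATTERNS)


def trusted_sender(msg: Message) -> bool:
    """The high-trust exemption only applies when the domain also passed DMARC;
    a spoofed trusted domain that fails DMARC gets no exemption."""
    return msg.sender_domain.lower() in HIGH_TRUST_SENDER_ROOT_DOMAINS and msg.dmarc_pass


def is_brand_impersonation(msg: Message) -> bool:
    return brand_lookalike(msg.display_name) and lure_content(msg) and not trusted_sender(msg)


# Constructed sample messages covering the main branches of the logic.
SAMPLES = {
    "lookalike_untrusted": Message("WeIls Fargo Alerts", "notify-mail.example",
                                   "Unusual sign-in activity detected", "", False),
    "trusted_dmarc_pass": Message("Wells Fargo", "wellsfargo.com",
                                  "Please verify your account details", "", True),
    "trusted_dmarc_fail": Message("Wells Fargo", "wellsfargo.com",
                                  "Verify your account now", "", False),
    "other_brand": Message("Bank of Example", "bankofexample.example",
                           "Your account has been suspended", "", False),
}


def evaluate(samples: dict) -> dict:
    """Run the detection over a dict of named messages and return name -> verdict."""
    return {name: is_brand_impersonation(m) for name, m in samples.items()}


if __name__ == "__main__":
    for name, flagged in evaluate(SAMPLES).items():
        print(f"{name:22s} flagged={flagged}")
```

The window comparison is what keeps a longer display name such as "WeIls Fargo Alerts" from escaping the edit-distance check, and the `trusted_sender` helper shows why the allow-list must be paired with the DMARC result rather than applied on domain alone.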
Categories
  • Identity Management
  • Web
  • Cloud
Data Sources
  • User Account
  • Web Credential
  • Application Log
  • Network Traffic
  • Process
Created: 2021-02-19