Brand Impersonation: Booking.com

Sublime Rules

Summary
This detection rule identifies potential brand impersonation attacks that target Booking.com. It focuses on messages that falsely claim to come from Booking.com's support team and show patterns commonly associated with credential theft. Key characteristics of such messages are a sender that does not originate from a legitimate Booking.com email domain, no established communication history with the sender, and a sender profile that includes previous malicious or spam activity. The rule applies several checks: it requires that the email contain fewer than ten links and analyzes the content for high-confidence associations with travel and customer-service topics. Detected credential-theft intent, combined with keywords suggesting a complaint or a request to make contact, triggers further scrutiny. To reduce false positives, the rule also applies DMARC authentication checks to trusted domains, so that authenticated messages from high-trust senders are not mistaken for impersonation.
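The checks described above, as an added Python illustration that is not the Sublime rule itself: the allow-lists, the keyword heuristics that stand in for the rule's topic and intent classifiers, and the `Message` fields are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed allow-lists standing in for the rule's own lists (assumption).
LEGIT_DOMAINS = {"booking.com"}
HIGH_TRUST_DOMAINS = {"booking.com", "trusted-partner.example"}

# Keyword heuristics standing in for the rule's topic and intent classifiers (assumption).
TRAVEL_TERMS = re.compile(r"\b(reservation|booking|guest|check-in|hotel|property)\b", re.I)
CRED_THEFT_TERMS = re.compile(r"\b(verify|confirm|log ?in|password|account|suspended)\b", re.I)
COMPLAINT_TERMS = re.compile(r"\b(complaint|contact (us|support)|reply|respond)\b", re.I)
LINK_RE = re.compile(r"https?://\S+", re.I)

@dataclass
class Message:
    display_name: str
    sender_domain: str
    body: str
    prior_messages: int   # messages previously exchanged with this sender
    sender_flagged: bool  # sender seen in earlier malicious or spam messages
    dmarc_pass: bool

def impersonates_booking_support(m: Message) -> bool:
    """True when the message matches the Booking.com support impersonation pattern."""
    if not re.search(r"booking\.com", f"{m.display_name} {m.body}", re.I):
        return False  # does not claim to be Booking.com at all
    if m.sender_domain.lower() in LEGIT_DOMAINS:
        return False  # genuinely sent from a Booking.com domain
    if m.prior_messages > 0 and not m.sender_flagged:
        return False  # known correspondent with a clean history
    if len(LINK_RE.findall(m.body)) >= 10:
        return False  # link-heavy bulk mail is out of scope for this rule
    if not TRAVEL_TERMS.search(m.body):
        return False  # no travel / customer-service context
    if not (CRED_THEFT_TERMS.search(m.body) and COMPLAINT_TERMS.search(m.body)):
        return False  # needs both credential-theft intent and a complaint/contact hook
    if m.sender_domain.lower() in HIGH_TRUST_DOMAINS and m.dmarc_pass:
        return False  # DMARC-authenticated high-trust sender: not an impersonation
    return True

# Constructed sample messages (not real mail).
PHISH = Message("Booking.com Support", "mail-notify.example",
                "A guest filed a complaint about your property reservation. Log in to "
                "confirm your account within 24h or it will be suspended: https://example.invalid/verify",
                prior_messages=0, sender_flagged=False, dmarc_pass=True)
LEGIT = Message("Booking.com Support", "booking.com",
                "Your reservation for a guest at your property is confirmed.",
                prior_messages=3, sender_flagged=False, dmarc_pass=True)
```

`impersonates_booking_support(PHISH)` returns True and `impersonates_booking_support(LEGIT)` returns False; the DMARC negation means the same phishing body sent from a high-trust domain that authenticates is also left alone.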
Categories
  • Web
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2025-03-03