
Summary
This detection rule targets email messages that impersonate the Marriott brand and use language associated with gifts, such as 'appreciation gift', 'thank you gift', or 'something special'. The rule checks for the term 'Marriott' in the subject line and the sender's display name, and it tolerates minor character variations in the sender's display name by allowing a Levenshtein distance of up to 2. The detection is further refined by matching the email's body text against the gift-related patterns using regex. To minimize false positives from actual Marriott communications, the rule filters out messages sent from verified Marriott domains: it checks the sender's email domain against a predefined list of legitimate Marriott domains and confirms that the message has passed DMARC authentication. The rule is categorized under credential phishing and associated with social engineering tactics, emphasizing its relevance to brand impersonation attacks.
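The logic described in the summary, written out in Python as an added example (not the rule's own source). The allow-listed domain `marriott.example`, the message field names, the per-word Levenshtein comparison and the way the conditions are combined are assumptions; the sample messages are constructed.

```python
import re

# Assumption: placeholder allow-list. The rule's real list of Marriott domains is not on the page.
LEGIT_DOMAINS = {"marriott.example"}
# Gift phrases quoted in the summary; the rule's own regex is not shown, so this one is illustrative.
GIFT_RE = re.compile(r"\b(?:appreciation gift|thank[ -]?you gift|something special)\b", re.I)

def levenshtein(a, b):
    """Edit distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_in_display_name(name, brand="marriott", max_dist=2):
    """Exact substring, or any word within max_dist edits (per-word comparison is an assumption)."""
    name = name.lower()
    return brand in name or any(
        levenshtein(tok, brand) <= max_dist for tok in re.findall(r"\w+", name))

def is_verified_sender(msg):
    """Exempt only when the domain is allow-listed AND DMARC passed; either alone is not enough."""
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    return domain in LEGIT_DOMAINS and msg["dmarc"] == "pass"

def matches(msg):
    """Brand in subject or display name, gift language in body, sender not verified."""
    brand = "marriott" in msg["subject"].lower() or brand_in_display_name(msg["display_name"])
    return brand and bool(GIFT_RE.search(msg["body"])) and not is_verified_sender(msg)

# Constructed sample messages (not real traffic).
SAMPLES = [
    {"display_name": "Marriot Rewards", "from": "promo@gifts-mail.example", "dmarc": "pass",
     "subject": "Your recent stay", "body": "Claim your appreciation gift today."},
    {"display_name": "Marriott", "from": "news@marriott.example", "dmarc": "pass",
     "subject": "A Marriott thank you", "body": "Enjoy this thank you gift from us."},
    {"display_name": "Marriott", "from": "news@marriott.example", "dmarc": "fail",
     "subject": "A Marriott thank you", "body": "Enjoy this thank you gift from us."},
    {"display_name": "Hilton", "from": "offers@other-hotel.example", "dmarc": "pass",
     "subject": "Hello", "body": "We have something special for you."},
]

def evaluate(samples=SAMPLES):
    return [matches(m) for m in samples]

if __name__ == "__main__":
    print(evaluate())
```

The third sample shows why the exclusion needs both conditions: a message claiming an allow-listed domain but failing DMARC is still flagged.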
Categories
- Identity Management
- Web
- Cloud
Data Sources
- User Account
- Script
- Application Log
Created: 2026-02-12