
Summary
This detection rule identifies phishing attempts that impersonate the United States Postal Service (USPS). The USPS brand is first established by machine-learning logo detection on a screenshot of the message. The rule then requires that the email contain at least one link and that at least two of the following signals be present: call-to-action phrases in link display text (for example 'check now', 'track', 'package', 'view your order'); urgency or redelivery language in the body; a non-personalized greeting; and links whose destination is not usps.com. Finally, the sender's domain is checked against the trusted USPS domains: the rule fires only when the sender domain is not a trusted USPS domain, or when it claims to be one but the message fails DMARC authentication. That last condition is what keeps legitimately authenticated USPS mail from matching, since genuine notifications also carry the logo, tracking links and package language. Combining computer vision, content analysis, and natural language understanding means no single evasion (stripping the logo, rewording the call to action, or personalizing the greeting) defeats the rule on its own. Its purpose is to mitigate credential-phishing attacks delivered as fake USPS delivery or redelivery notifications.
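The two-of-N scoring and the sender/DMARC gate described above, as an added Python example; this is not the rule's own query language or the vendor's code. The logo-detection verdict is assumed to arrive from an upstream computer-vision step as a boolean, the trusted-domain list is assumed to be just usps.com, the urgency and generic-greeting phrase lists are assumptions beyond the four call-to-action phrases the summary names, and the three sample messages are constructed.

```python
"""Toy scorer for a USPS brand-impersonation rule (added example, not the rule itself)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

TRUSTED_USPS_DOMAINS = {"usps.com"}  # assumed trust list; the real rule may hold more

# Phrases the summary names for link display text.
CTA_PHRASES = ("check now", "track", "package", "view your order")
# Assumed urgency / redelivery language (not from the original rule).
URGENCY_PATTERNS = (
    r"\burgent\b", r"\bimmediately\b", r"\bwithin \d+ hours?\b",
    r"\bredeliver(y|ed)?\b", r"\b(failed|missed|unsuccessful) delivery\b",
)
# Assumed non-personalized greetings, matched against the first body line.
GENERIC_GREETINGS = (
    r"^\s*(dear|hello|hi)\s+(customer|user|valued customer|there|recipient)\b",
    r"^\s*(hello|hi|greetings)\s*[,!]",
)


@dataclass
class Message:
    sender_domain: str
    dmarc_pass: bool
    logo_detected: bool          # assumed output of the ML logo detector
    body_text: str
    links: list[tuple[str, str]] = field(default_factory=list)  # (display text, href)


def root_of_host(host: str) -> str:
    """Last two labels of a hostname. Simplification: no public-suffix list,
    so 'usps.com.evil.net' -> 'evil.net' but 'example.co.uk' -> 'co.uk'."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def root_domain(url: str) -> str:
    return root_of_host(urlparse(url).hostname or "")


def cta_in_link_text(msg: Message) -> bool:
    return any(p in text.lower() for text, _ in msg.links for p in CTA_PHRASES)


def urgency_or_redelivery(msg: Message) -> bool:
    body = msg.body_text.lower()
    return any(re.search(p, body) for p in URGENCY_PATTERNS)


def non_personalized_greeting(msg: Message) -> bool:
    lines = msg.body_text.strip().splitlines()
    first = lines[0].lower() if lines else ""
    return any(re.search(p, first) for p in GENERIC_GREETINGS)


def has_non_usps_link(msg: Message) -> bool:
    return any(root_domain(href) not in TRUSTED_USPS_DOMAINS for _, href in msg.links)


def sender_is_suspicious(msg: Message) -> bool:
    """A trusted USPS sender must pass DMARC; any other sender domain is,
    in combination with the USPS logo, impersonation by definition."""
    if root_of_host(msg.sender_domain) in TRUSTED_USPS_DOMAINS:
        return not msg.dmarc_pass
    return True


def condition_hits(msg: Message) -> int:
    checks = (cta_in_link_text, urgency_or_redelivery,
              non_personalized_greeting, has_non_usps_link)
    return sum(check(msg) for check in checks)


def matches_usps_impersonation(msg: Message) -> bool:
    # Brand presence and at least one link are hard prerequisites.
    if not msg.logo_detected or not msg.links:
        return False
    # Two of the four soft signals, plus the sender/DMARC gate.
    return condition_hits(msg) >= 2 and sender_is_suspicious(msg)


# Constructed samples (not real messages).
PHISH = Message(
    sender_domain="usps-redelivery-notice.com", dmarc_pass=True, logo_detected=True,
    body_text="Dear Customer,\n\nWe were unable to deliver your package. "
              "Please confirm your address within 24 hours to schedule redelivery.",
    links=[("Track your package", "https://usps.com.track-parcel-status.net/confirm")],
)
LEGIT = Message(
    sender_domain="email.usps.com", dmarc_pass=True, logo_detected=True,
    body_text="Hi Alice,\n\nYour package is on its way. Track it any time.",
    links=[("Track your package", "https://tools.usps.com/go/TrackConfirmAction")],
)
# Lookalike mail that forges the usps.com sender but cannot pass DMARC.
SPOOFED = Message(
    sender_domain="usps.com", dmarc_pass=False, logo_detected=True,
    body_text="Dear Customer,\n\nYour package is waiting. View your order below.",
    links=[("View your order", "https://tools.usps.com/go/TrackConfirmAction")],
)

if __name__ == "__main__":
    for name, m in (("PHISH", PHISH), ("LEGIT", LEGIT), ("SPOOFED", SPOOFED)):
        print(name, condition_hits(m), matches_usps_impersonation(m))
```

The SPOOFED sample is the case the DMARC clause exists for: every other signal looks like genuine USPS mail (trusted sender domain, usps.com link), and only the failed authentication separates it from LEGIT.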
Categories
- Web
- Identity Management
- Endpoint
Data Sources
- Image
- User Account
- Process
Created: 2024-02-12