
Summary
This detection rule identifies potential VIP impersonation attacks relayed through public Google Groups, which can lead to financial fraud or credential phishing. It triggers when an inbound or internal message appears to come from a sender in the organization's domain but carries indicators of fraud. The key indicator is a VIP's email address or display name appearing in the reply-to address, the subject line, or the sender's display name. The rule also requires that both the reply-to address and the return-path domain fall outside the organization's domain, that the message headers show it passed through Google Groups, and that the message contains financial or invoice-related content, established by entities detected with a Natural Language Understanding model. Additional signals, such as a reply-to address at a free email provider, whether the message belongs to a genuine thread, and the DMARC authentication result, are evaluated to improve precision. The combination targets messages posted to a public Google Group in a VIP's name whose replies are routed to an address outside the organization.
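The indicator logic described above, as an added example in Python that is not the rule's own implementation. The organization domain, the VIP list, the free-mail provider set, the Google Groups header names, and the keyword list that stands in for the NLU financial-entity model are all assumptions made for illustration; the two sample messages are constructed.

```python
"""Added example, not the rule's own code: approximate the indicators in
Python. The org domain, VIP list, free-mail set, Google Groups header
names and the keyword stand-in for the NLU model are all assumptions."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed organisation domain
VIPS = [("Jane Doe", "jane.doe@example.com")]      # assumed VIP list
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}  # assumed
# Keyword heuristic standing in for the NLU financial/invoice entity model
FINANCIAL_RE = re.compile(
    r"\b(invoice|wire|payment|transfer|bank|ach|remittance|overdue)\b", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _addr(msg: EmailMessage, name: str) -> tuple:
    """(display name, address) from an address header, both lower-cased."""
    disp, addr = parseaddr(msg.get(name, ""))
    return disp.strip().lower(), addr.strip().lower()


def via_google_groups(msg: EmailMessage) -> bool:
    """Assumed relay markers: an X-Google-Group* header or a googlegroups List-Id."""
    if msg.get("X-Google-Group-Id") or msg.get("X-Google-Groups"):
        return True
    return "googlegroups.com" in msg.get("List-Id", "").lower()


def vip_mentioned(msg: EmailMessage) -> bool:
    """VIP address or display name in reply-to, subject or sender display name."""
    from_disp, _ = _addr(msg, "From")
    reply_disp, reply_addr = _addr(msg, "Reply-To")
    fields = (from_disp, reply_disp, reply_addr, msg.get("Subject", "").lower())
    return any(n.lower() in f or a.lower() in f for n, a in VIPS for f in fields)


def dmarc_passed(msg: EmailMessage) -> bool:
    """True when any Authentication-Results header reports dmarc=pass."""
    return any("dmarc=pass" in v.lower()
               for v in msg.get_all("Authentication-Results", []))


def evaluate(raw: str) -> dict:
    """Individual indicators plus the overall verdict for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = _addr(msg, "From")
    _, reply_addr = _addr(msg, "Reply-To")
    _, return_path = _addr(msg, "Return-Path")
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    ind = {
        "sender_in_org": _domain(from_addr) == ORG_DOMAIN,
        "vip_mentioned": vip_mentioned(msg),
        # both the reply-to and the return path must leave the organisation
        "reply_to_external": bool(reply_addr) and _domain(reply_addr) != ORG_DOMAIN,
        "return_path_external": bool(return_path) and _domain(return_path) != ORG_DOMAIN,
        "google_groups": via_google_groups(msg),
        "financial_content": bool(FINANCIAL_RE.search(text)),
        # supporting signals, reported but not required for a match
        "reply_to_free_mail": _domain(reply_addr) in FREE_MAIL,
        "dmarc_pass": dmarc_passed(msg),
    }
    ind["match"] = all(ind[k] for k in (
        "sender_in_org", "vip_mentioned", "reply_to_external",
        "return_path_external", "google_groups", "financial_content"))
    return ind


# Constructed sample: relayed through a group, From in the org domain,
# reply-to at a free-mail account carrying the VIP's name.
SUSPICIOUS = """\
Return-Path: <bounce+abc@googlegroups.com>
Authentication-Results: mx.example.com; dmarc=fail header.from=example.com
X-Google-Group-Id: 123456789
List-Id: <finance-team.example.com.googlegroups.com>
From: "Jane Doe" <finance-team@example.com>
Reply-To: "Jane Doe" <jane.doe.ceo@gmail.com>
To: accounts@example.com
Subject: Urgent: overdue invoice payment
Content-Type: text/plain; charset="utf-8"

Please process the attached invoice by wire transfer today and reply here.
"""

# Constructed sample: a genuine internal message from the VIP herself.
BENIGN = """\
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Re: Q1 invoice approvals
Content-Type: text/plain; charset="utf-8"

Approved, please proceed with the vendor payment.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, evaluate(raw))
```

The six required indicators are combined with a plain conjunction, mirroring the rule's description, while the free-mail and DMARC checks are returned alongside so an analyst can see why a message scored the way it did. The benign sample fails on the reply-to condition alone: a VIP's own mail has no external reply-to, so a name match and financial wording are not enough on their own.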
Categories
- Identity Management
- Web
- Cloud
Data Sources
- User Account
- Web Credential
- Group
- Network Traffic
- Application Log
Created: 2024-01-19