Service abuse: SendGrid impersonation via Sendgrid from new sender

Sublime Rules

Summary
This detection rule identifies potential impersonation of SendGrid by examining email messages from senders not previously seen. It evaluates the sender display name against several conditions, including similarity to 'SendGrid' using string comparison functions (e.g., case-insensitive matching and Levenshtein distance), to detect potential abuse. It also accounts for other suspicious traits, such as a missing sender display name and an associated email address that mimics SendGrid. The messages must also be routed through SendGrid's legitimate infrastructure, as indicated by the domain 'outbound-mail.sendgrid.net'. Messages from legitimate SendGrid domains that pass DMARC checks are excluded, so that only potentially malicious messages are flagged. The overall aim of the rule is to mitigate the risk of credential phishing attacks in which malicious actors mislead recipients into believing they are communicating with a trusted brand.
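As an added example (not the Sublime rule's own query language), the logic the summary describes expressed in Python: the display-name similarity check, the routing condition on 'outbound-mail.sendgrid.net', and the DMARC-pass exclusion for legitimate SendGrid domains. The legitimate-domain list, the edit-distance threshold, and the Message fields are assumptions, not values taken from the rule.

```python
import re
from dataclasses import dataclass
from typing import Optional

SENDGRID_INFRA_DOMAIN = "outbound-mail.sendgrid.net"      # named in the rule summary
LEGIT_SENDGRID_DOMAINS = {"sendgrid.com", "sendgrid.net"}  # assumed allow-list
MAX_EDIT_DISTANCE = 2                                      # assumed threshold


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Message:
    display_name: Optional[str]   # None models the "no display name" case
    sender_email: str
    return_path_domain: str       # assumed carrier of the routing signal
    dmarc_pass: bool
    sender_is_new: bool           # first time this sender is seen by the org


def mimics_sendgrid(text: str) -> bool:
    """Case-insensitive match or near-match against 'sendgrid' (e.g. 'S3nd-Grid')."""
    norm = re.sub(r"[^a-z]", "", text.lower())
    return "sendgrid" in norm or levenshtein(norm, "sendgrid") <= MAX_EDIT_DISTANCE


def is_sendgrid_impersonation(msg: Message) -> bool:
    if not msg.sender_is_new:
        return False
    # Only messages actually relayed through SendGrid infrastructure are in scope.
    if msg.return_path_domain.lower() != SENDGRID_INFRA_DOMAIN:
        return False
    domain = msg.sender_email.lower().rpartition("@")[2]
    # Legitimate SendGrid domains are excluded only when DMARC passes.
    if domain in LEGIT_SENDGRID_DOMAINS and msg.dmarc_pass:
        return False
    if msg.display_name:
        return mimics_sendgrid(msg.display_name)
    # No display name: fall back to the address itself mimicking the brand.
    local = msg.sender_email.lower().rpartition("@")[0]
    return mimics_sendgrid(local) or mimics_sendgrid(domain.split(".")[0])
```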
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • Web Credential
  • User Account
  • Network Traffic
Created: 2025-12-20