
Summary
This rule detects inbound messages that impersonate legal firms or copyright enforcement entities. It targets emails with heavy legal terminology, urgent compliance language, and a pattern of threats, aiming to catch business email compromise (BEC) and extortion attempts.

Key checks: the message is inbound with no prior thread, the current thread is under 5000 characters long, and the number of links is restricted. It requires at least two matches from the subject/base indicators (e.g., Content, Compliance, Legal, Copyright, Notice), or a sender display name containing related terms. It then requires at least 15 matches from a broad set of body text phrases (copyright, trademark, inquiry, authorized, legal, infringement, immediate, cessation, notice, protecting rights, evidence, etc.).

The rule excludes content that resembles legitimate notices or confirmations (e.g., phrases indicating removal, review, or benign content) and filters out known DMCA recipient addresses. It also excludes messages from specific domains associated with false positives and avoids domains linked to certain known inspect addresses.

Attack types: BEC/Fraud, Extortion.
Tactics/Techniques: Impersonation (Brand), Social Engineering.
Detection methods: Content analysis, Header analysis, Sender analysis.
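The following is an added illustration of the scoring logic described above, written for this page and not the rule's own implementation. The indicator lists come from the summary; the benign phrases, the DMCA recipient address, the link limit of 10 and the sender-domain exclusions (omitted here) are assumptions, and both sample messages are constructed.

```python
import re
# Indicator lists copied from the rule summary; the benign phrases and the DMCA
# recipient address are constructed placeholders, not the rule's own values.
SUBJECT_TERMS = ("content", "compliance", "legal", "copyright", "notice")
BODY_PHRASES = ("copyright", "trademark", "inquiry", "authorized", "legal",
                "infringement", "immediate", "cessation", "notice",
                "protecting rights", "evidence")
BENIGN_PHRASES = ("has been removed", "is under review", "no action is required")
DMCA_RECIPIENTS = {"dmca@example.com"}

def phrase_hits(text, phrases):
    # Count every occurrence of every phrase, case-insensitively.
    lowered = text.lower()
    return sum(len(re.findall(re.escape(p), lowered)) for p in phrases)

def is_legal_threat_impersonation(sender_name, subject, body, recipients,
                                  inbound=True, prior_messages=0, link_count=0,
                                  subject_min=2, body_min=15, max_links=10):
    # Checks follow the summary's order; max_links=10 is an assumed threshold.
    if not inbound or prior_messages > 0:      # inbound with no prior thread
        return False
    if len(body) >= 5000 or link_count > max_links:
        return False
    subject_hits = sum(t in subject.lower() for t in SUBJECT_TERMS)
    name_hit = any(t in sender_name.lower() for t in SUBJECT_TERMS)
    if subject_hits < subject_min and not name_hit:
        return False
    if phrase_hits(body, BODY_PHRASES) < body_min:
        return False
    if phrase_hits(body, BENIGN_PHRASES):       # reads like a real notice/confirmation
        return False
    return not any(r.lower() in DMCA_RECIPIENTS for r in recipients)

# Constructed sample: an urgent "legal notice" that opens a new thread.
THREAT = dict(
    sender_name="Copyright Enforcement Dept.",
    subject="Legal Notice: Copyright Compliance",
    body="NOTICE of copyright infringement. Our legal team has evidence that "
         "your site uses our copyright-protected and trademark-protected "
         "material without being authorized. We demand immediate cessation. "
         "Failure to respond to this legal notice within 24 hours will result "
         "in legal action; we are protecting rights of our client and this is "
         "not an inquiry.",
    recipients=("billing@example.org",), link_count=1)
# Constructed sample: a benign confirmation that reuses much of the vocabulary.
BENIGN = dict(
    sender_name="Platform Support", subject="Copyright notice update",
    recipients=("billing@example.org",),
    body="The copyright notice you submitted is under review; the flagged "
         "content has been removed and no action is required.")
```

The threat sample trips the rule with exactly 15 body-phrase hits, while the benign confirmation passes the subject check but falls well short on body phrases and also matches the benign-phrase exclusion.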
Categories
- Endpoint
Data Sources
- Application Log
Created: 2026-03-11