Suspected Lookalike domain with suspicious language

Sublime Rules

Summary
This detection rule identifies potentially malicious messages that use typosquatting or lookalike domains resembling the sender's domain to deceive recipients, commonly as part of phishing attacks. It uses the Levenshtein distance to measure the similarity between the sender's domain and the domains of the links contained in the message. If that distance is between 1 and 2, meaning the domains are deceptively close, the rule inspects the message further. It also checks that the link domains are either newly registered (within the last 90 days) or unregistered, which can indicate an actor attempting to obscure their identity. Finally, it assesses the message content for indicators of business email compromise (BEC), credential theft, or suspicious linguistic cues such as finance-related terms or phrases like 'kindly'. This layered approach targets phishing attempts that pair domain deception with manipulative language to trick recipients into divulging sensitive information or taking other harmful actions.
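As an added example, not Sublime Security's own rule code, the following Python sketches the three checks the summary describes (edit distance, domain age, suspicious language) over a constructed message body. The domain-age lookup, the URL extraction regex and the phrase list are assumptions made for the example, standing in for the registration data and language models a real rule engine would provide.

```python
# Added example (not Sublime's rule code): a simplified offline model of the
# checks described above. DOMAIN_AGE_DAYS is a constructed stand-in for WHOIS data.
import re
from urllib.parse import urlparse

# Constructed registration data: days since registration, None = no record.
DOMAIN_AGE_DAYS = {
    "examp1e.com": 12,      # newly registered lookalike
    "exampel.com": None,    # no registration record
    "example.com": 3650,
    "partner.net": 2000,
}

# Suspicious language cues named in the summary (finance terms, "kindly").
SUSPICIOUS_PHRASES = ["kindly", "invoice", "wire transfer", "payment", "bank account"]

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def link_domains(body: str) -> set:
    """Lower-cased hostnames of every http(s) URL found in the message body."""
    urls = (u.rstrip(".,;)") for u in re.findall(r"https?://[^\s\"'<>]+", body))
    return {h.lower() for h in (urlparse(u).hostname for u in urls) if h}

def has_suspicious_language(body: str) -> bool:
    text = body.lower()
    return any(p in text for p in SUSPICIOUS_PHRASES)

def is_suspected_lookalike(sender_domain: str, body: str) -> bool:
    """True when a linked domain is 1-2 edits from the sender domain, is newly
    registered (<= 90 days) or unregistered, and the body carries suspicious language."""
    sender = sender_domain.lower()
    for dom in link_domains(body):
        dist = levenshtein(sender, dom)
        if not 1 <= dist <= 2:
            continue
        age = DOMAIN_AGE_DAYS.get(dom)  # None: unregistered / no record
        if age is None or age <= 90:
            if has_suspicious_language(body):
                return True
    return False
```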
Categories
  • Web
  • Identity Management
  • Cloud
Data Sources
  • Domain Name
  • User Account
  • Network Traffic
Created: 2024-12-24