
VIP impersonation: Fake thread with display name match, email mismatch

Sublime Rules

Summary
This detection rule identifies email threads that attempt to impersonate a very important person (VIP) by comparing the sender's display name against a predefined list of organization VIPs, denoted `$org_vips`. The rule fires only when the display name matches a VIP but the sender's email address does not match the address recorded for that VIP in `$org_vips`. It also inspects the structure of the message body, requiring at least three header-like lines (such as 'From:', 'To:', 'Subject:') to appear in it, which is the signature of a fabricated quoted thread. Additional checks require that the message either has no References header or carries no In-Reply-To header, so it is not a genuine reply to an existing thread. As a further precaution, the sender's domain age is checked via WHOIS so that older or newly created domains cannot be abused, and the rule requires that the sender profile is unsolicited, which signals potential fraudulent intent. Taken together, these criteria reflect the social engineering tactics used in Business Email Compromise (BEC), and the rule is assigned a medium severity rating.
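To make the logic above concrete, here is an added Python model of the rule's checks; it is not the Sublime rule itself, whose MQL is not reproduced here. The VIP list, the sample messages, the header-line regex and the 30-day "newly created" threshold are constructed assumptions, and the WHOIS lookup is replaced by a caller-supplied domain age.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for the page's $org_vips list
ORG_VIPS = [
    {"display_name": "Jane Doe", "email": "jane.doe@corp.example"},
    {"display_name": "Sam Lee", "email": "sam.lee@corp.example"},
]
# Header-like lines that a pasted-in, fabricated "quoted thread" usually contains
FAKE_THREAD_HEADER_RE = re.compile(r"^\s*(From|To|Cc|Sent|Date|Subject):", re.I | re.M)
NEW_DOMAIN_DAYS = 30  # assumed threshold for a "newly created" sender domain

@dataclass
class Message:
    display_name: str
    sender_email: str
    body: str
    references: List[str] = field(default_factory=list)  # References header values
    in_reply_to: Optional[str] = None                    # In-Reply-To header value
    whois_days_old: Optional[int] = None                 # caller-supplied WHOIS age (None = unknown)
    solicited: bool = False                              # has the org previously mailed this sender?

def vip_name_match_email_mismatch(msg: Message, vips=ORG_VIPS) -> bool:
    """True when the display name equals a VIP's but the address is not that VIP's."""
    name, addr = msg.display_name.strip().casefold(), msg.sender_email.strip().casefold()
    return any(v["display_name"].casefold() == name and v["email"].casefold() != addr for v in vips)

def looks_like_fake_thread(body: str) -> bool:
    """At least three header-like lines in the body, the mark of a fabricated thread."""
    return len(FAKE_THREAD_HEADER_RE.findall(body)) >= 3

def matches_rule(msg: Message, vips=ORG_VIPS) -> bool:
    return (
        vip_name_match_email_mismatch(msg, vips)
        and looks_like_fake_thread(msg.body)
        # no References, or no In-Reply-To: not a genuine reply to an existing thread
        and (not msg.references or not msg.in_reply_to)
        # domain age unknown or newly registered (assumed reading of the WHOIS check)
        and (msg.whois_days_old is None or msg.whois_days_old <= NEW_DOMAIN_DAYS)
        and not msg.solicited
    )

# Constructed samples: an impersonation with a pasted fake thread, and a real reply from the VIP
FAKE_THREAD = Message("Jane Doe", "jane.doe@lookalike-mail.test",
    "Please process the attached.\n\nFrom: Jane Doe\nSent: Monday\nTo: Finance\nSubject: Urgent wire",
    whois_days_old=5)
LEGIT_REPLY = Message("Jane Doe", "jane.doe@corp.example",
    "Thanks.\n\nFrom: Finance\nSent: Monday\nTo: Jane Doe\nSubject: Re: Q3",
    references=["<abc@corp.example>"], in_reply_to="<abc@corp.example>",
    whois_days_old=4000, solicited=True)
```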
Categories
  • Web
  • Cloud
  • Identity Management
  • Application
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
  • Process
Created: 2024-05-09