
Summary
This detection rule identifies impersonation attempts against very important person (VIP) email addresses by examining the local part (the portion before the '@') of the addresses belonging to members of the organization labeled as VIPs. It flags messages in which a VIP's local part appears with a different sending domain, which indicates a likely impersonation attempt, and messages sent from the correct VIP address that fail DMARC authentication, which suggests spoofing. The rule combines several conditions, including a comparison of the sender's display name against the recipient's display name, and includes negations for bounce-back messages to avoid false positives from common mailing systems. It also checks whether the sending domain belongs to the organization and, where it does, requires a DMARC failure before alerting, so that legitimately authenticated internal mail is not flagged. Through header and sender analysis, the detection surfaces potentially dangerous messages and reduces the organization's exposure to VIP impersonation.

The following Python script is an added illustration of the logic described above, not the rule's own code. It assumes a constructed VIP list, a single organization domain (example.com), a small set of bounce-back local parts to negate, and reads the display-name condition as matching the sender's display name against the VIP list; the sample messages are constructed.

```python
import re
from dataclasses import dataclass

# Constructed inputs for this example (assumptions, not data from the rule).
ORG_DOMAINS = {"example.com"}
VIPS = [
    {"display_name": "Avery Jordan", "email": "avery.jordan@example.com"},
    {"display_name": "Sam Lee", "email": "sam.lee@example.com"},
]
# Common mailing-system senders whose messages are negated to avoid false positives.
BOUNCE_LOCAL_PARTS = {"mailer-daemon", "postmaster", "noreply", "no-reply"}


@dataclass
class Message:
    sender_email: str
    sender_display_name: str
    recipient_email: str
    dmarc: str  # authentication result: "pass", "fail" or "none"


def split_address(addr):
    """Return (local_part, domain) of an address, lower-cased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def normalize_name(name):
    """Collapse whitespace and case-fold so 'avery  JORDAN' matches 'Avery Jordan'."""
    return re.sub(r"\s+", " ", name).strip().casefold()


def is_bounce(msg):
    local, _ = split_address(msg.sender_email)
    return local in BOUNCE_LOCAL_PARTS


def evaluate(msg):
    """Return a list of (reason, vip_email) tuples; an empty list means not flagged."""
    if is_bounce(msg):
        return []  # bounce-back negation
    sender_local, sender_domain = split_address(msg.sender_email)
    sender_name = normalize_name(msg.sender_display_name)
    dmarc = msg.dmarc.strip().lower()
    reasons = []
    for vip in VIPS:
        vip_local, vip_domain = split_address(vip["email"])
        if sender_local == vip_local:
            if sender_domain not in ORG_DOMAINS:
                # VIP local part reused on a foreign domain: impersonation attempt.
                reasons.append(("vip_local_part_on_foreign_domain", vip["email"]))
            elif sender_domain == vip_domain and dmarc != "pass":
                # Exact VIP address but DMARC did not pass: likely spoofed.
                reasons.append(("vip_address_failed_dmarc", vip["email"]))
        elif sender_name == normalize_name(vip["display_name"]) and sender_domain not in ORG_DOMAINS:
            # Display name of a VIP arriving from outside the organization.
            reasons.append(("vip_display_name_from_foreign_domain", vip["email"]))
    return reasons


# Constructed sample messages covering the flag and no-flag paths.
SAMPLE_MESSAGES = [
    Message("avery.jordan@gmail.com", "Avery Jordan", "finance@example.com", "pass"),
    Message("avery.jordan@example.com", "Avery Jordan", "finance@example.com", "fail"),
    Message("avery.jordan@example.com", "Avery Jordan", "finance@example.com", "pass"),
    Message("mailer-daemon@example.com", "Avery Jordan", "finance@example.com", "fail"),
    Message("s.lee@outlook.com", "Sam  Lee", "finance@example.com", "pass"),
    Message("bob.rivera@example.com", "Bob Rivera", "finance@example.com", "pass"),
]


def run_detection(messages=SAMPLE_MESSAGES):
    """Map message index to its reasons for every message that is flagged."""
    return {i: r for i, m in enumerate(messages) if (r := evaluate(m))}


if __name__ == "__main__":
    for idx, reasons in run_detection().items():
        print(idx, SAMPLE_MESSAGES[idx].sender_email, reasons)
```

Messages 0, 1 and 4 are flagged; message 2 is the real VIP passing DMARC, message 3 is negated as a bounce-back, and message 5 matches no VIP.
<test>
assert evaluate(SAMPLE_MESSAGES[0]) == [("vip_local_part_on_foreign_domain", "avery.jordan@example.com")]
assert evaluate(SAMPLE_MESSAGES[1]) == [("vip_address_failed_dmarc", "avery.jordan@example.com")]
assert evaluate(SAMPLE_MESSAGES[2]) == []
assert evaluate(SAMPLE_MESSAGES[3]) == []
assert evaluate(SAMPLE_MESSAGES[4]) == [("vip_display_name_from_foreign_domain", "sam.lee@example.com")]
assert evaluate(SAMPLE_MESSAGES[5]) == []
assert set(run_detection().keys()) == {0, 1, 4}
assert split_address("User@Example.COM") == ("user", "example.com")
assert is_bounce(Message("Postmaster@example.com", "", "x@example.com", "fail"))
</test>
Categories
- Web
- Identity Management
- Endpoint
Data Sources
- User Account
- Web Credential
Created: 2024-11-20