
Summary
This detection rule identifies messages that impersonate AuthentiSign by inspecting the sender's display name, the sender's email domain, the subject, and the body of the message. Two conditions must both hold for the rule to fire.

First, the message must reference the brand: the body of the current thread contains the term 'authentisign', or the sender's display name closely resembles AuthentiSign under a name-similarity check (so spacing changes, character substitutions, and minor misspellings still match).

Second, the sender must not be trustworthy as AuthentiSign: the sender's domain is not the legitimate AuthentiSign domain, or it is that domain but the message fails SPF (Sender Policy Framework) or DMARC (Domain-based Message Authentication, Reporting & Conformance) authentication, which indicates a spoofed From address. A message that comes from the legitimate domain and passes both checks does not trigger the rule.

This rule is particularly effective against credential phishing and business email compromise (BEC) attempts that rely on social engineering and brand impersonation. By analyzing content, headers, and sender information together, the detection mechanism reduces the risk of fraud and unauthorized access.
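As an added example (not code from this rule page or from the detection engine that runs it), the following Python reproduces the rule's two-part logic over constructed sample messages. The legitimate root domain (authentisign.com), the similarity threshold, the Message field names, and the naive root-domain helper are assumptions made for illustration; the rule summary does not state any of them.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

BRAND = "authentisign"
# Assumption: the legitimate sending domain. The rule summary does not name it;
# set this to the root domain(s) your environment actually expects.
LEGIT_ROOT_DOMAINS = {"authentisign.com"}
# Assumption: similarity at or above this counts as "closely resembles AuthentiSign".
NAME_SIMILARITY_THRESHOLD = 0.8


@dataclass
class Message:
    """Constructed message model; field names are assumptions, not a real API."""
    display_name: str
    sender_address: str
    subject: str
    body_text: str
    spf_pass: bool
    dmarc_pass: bool


def root_domain(address: str) -> str:
    """Registrable root domain of the sender address (naive: last two labels).
    Production code should consult a public-suffix list; this suffices here."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def normalize_name(name: str) -> str:
    """Lowercase and drop non-letters so 'Authenti Sign!' compares as 'authentisign'."""
    return re.sub(r"[^a-z]", "", name.lower())


def name_similarity(display_name: str) -> float:
    """Similarity in 0.0..1.0 between the normalized display name and the brand."""
    return SequenceMatcher(None, normalize_name(display_name), BRAND).ratio()


def brand_referenced(msg: Message) -> bool:
    """Part 1: the thread body mentions the brand, or the display name looks like it."""
    body_hit = BRAND in msg.body_text.lower()
    name_hit = name_similarity(msg.display_name) >= NAME_SIMILARITY_THRESHOLD
    return body_hit or name_hit


def sender_untrusted(msg: Message) -> bool:
    """Part 2: sender is not the legitimate domain, or is but fails SPF or DMARC."""
    if root_domain(msg.sender_address) not in LEGIT_ROOT_DOMAINS:
        return True
    return not (msg.spf_pass and msg.dmarc_pass)


def matches_rule(msg: Message) -> bool:
    """The rule fires only when both parts hold."""
    return brand_referenced(msg) and sender_untrusted(msg)


# Constructed sample messages covering the cases the rule distinguishes.
SAMPLES = [
    # legitimate domain (subdomain), passes SPF and DMARC: benign
    Message("AuthentiSign", "notify@mail.authentisign.com", "Document ready",
            "Your AuthentiSign document is ready to sign.", True, True),
    # legitimate domain in From, but DMARC fails: spoofed header
    Message("AuthentiSign", "notify@authentisign.com", "Document ready",
            "Your AuthentiSign document is ready to sign.", True, False),
    # unrelated domain, brand named in body: impersonation
    Message("Authenti Sign Support", "docs@example-mail.net", "Action required",
            "Please sign your AuthentiSign document today.", True, True),
    # unrelated domain, lookalike display name, brand absent from body
    Message("AuthentiSlgn", "no-reply@mailer-host.test", "Signature request",
            "A document is waiting for your signature.", True, True),
    # lookalike sending domain (different root domain), exact brand name
    Message("AuthentiSign", "alerts@authentisign-docs.com", "Signature request",
            "Please review and sign.", True, True),
    # no brand reference at all: benign even though the domain is unrelated
    Message("Payroll Team", "hr@corp.example", "Timesheets",
            "Please approve timesheets by Friday.", True, True),
]


def scan(messages):
    """Return one boolean per message: True where the rule would fire."""
    return [matches_rule(m) for m in messages]


if __name__ == "__main__":
    for m, hit in zip(SAMPLES, scan(SAMPLES)):
        print(f"{'ALERT' if hit else 'ok   '} {m.display_name!r:<24} {m.sender_address}")
```

Note that the last sample shows why the two parts are combined with AND: an unrelated sender that never mentions the brand is not an impersonation, and the first sample shows that authenticated mail from the real domain passes even though the brand appears in both the display name and the body.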
Categories
- Web
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Web Credential
- Application Log
- Network Traffic
Created: 2026-01-22