
Summary
This detection rule identifies emails whose sender address has an unusually long local part (the section before the '@'), where the sender is outside trusted domains and may lack proper authentication verification. The rule triggers when the local part of the sender's email address is longer than 100 characters. It then applies exclusions: messages from known organizational domains, and messages from high-trust sender domains that pass DMARC (Domain-based Message Authentication, Reporting & Conformance) checks, are not flagged. Common senders are also excluded unless they have been marked as malicious or spam, and benign cases such as Internet Mail Connector Encapsulated Addresses (IMCEA), which are legitimately long, are tolerated. Finally, the rule filters out senders that have previously generated false positives to minimize unnecessary alerts.
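The following is an added worked example, not the rule's own query language or code from the original page. It models the checks described in the summary as a small Python evaluator: the 100-character local-part threshold, the organizational-domain and DMARC-passing high-trust exclusions, the common-sender exclusion that is overridden by a malicious or spam label, the IMCEA benign case, and the previously-confirmed false-positive list. The domain lists, the `Message` fields, the `IMCEA_RE` pattern, and the sample messages are all constructed assumptions for illustration; a real deployment would draw these from its own configuration and sender-history data.

```python
import re
from dataclasses import dataclass

# Threshold stated in the rule summary: alert only when the local part is
# strictly longer than 100 characters.
LOCAL_PART_MAX = 100

# Constructed placeholder lists (assumptions for this example, not real data).
ORG_DOMAINS = {"corp.example"}
HIGH_TRUST_DOMAINS = {"partner.example"}
KNOWN_FALSE_POSITIVE_SENDERS = {"a" * 120 + "@newsletter.example"}

# Simplified IMCEA shape: "IMCEA", an encapsulation type such as EX or X400,
# then "-" and the encoded address. This pattern is an assumption used here
# to recognise the benign case; it is not a complete IMCEA grammar.
IMCEA_RE = re.compile(r"^IMCEA[A-Z0-9]+-", re.IGNORECASE)


@dataclass(frozen=True)
class Message:
    sender: str                       # sender address as seen on the message
    dmarc_pass: bool = False          # outcome of DMARC evaluation
    common_sender: bool = False       # frequently seen in this environment
    labels: frozenset = frozenset()   # e.g. {"malicious"} or {"spam"}


def split_address(address: str):
    """Return (local_part, lowercase_domain), or None if the address is malformed."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        return None
    return local, domain.lower()


def evaluate(msg: Message) -> tuple:
    """Apply the rule's checks in order and return (alerts, reason)."""
    parts = split_address(msg.sender)
    if parts is None:
        return False, "malformed sender address"
    local, domain = parts

    if len(local) <= LOCAL_PART_MAX:
        return False, "local part within threshold"
    if domain in ORG_DOMAINS:
        return False, "organizational domain"
    if domain in HIGH_TRUST_DOMAINS and msg.dmarc_pass:
        return False, "high-trust domain with DMARC pass"
    if msg.common_sender and not (msg.labels & {"malicious", "spam"}):
        return False, "common sender with no malicious/spam label"
    if IMCEA_RE.match(local):
        return False, "IMCEA encapsulated address (benign)"
    if msg.sender.lower() in KNOWN_FALSE_POSITIVE_SENDERS:
        return False, "previously confirmed false positive"
    return True, "local part is %d chars from an untrusted sender" % len(local)


# Constructed sample messages, one per branch of the rule.
SAMPLES = [
    Message("x" * 101 + "@unknown.example"),
    Message("x" * 100 + "@unknown.example"),
    Message("x" * 150 + "@corp.example"),
    Message("x" * 150 + "@partner.example", dmarc_pass=True),
    Message("x" * 150 + "@partner.example", dmarc_pass=False),
    Message("x" * 150 + "@bulkmail.example", common_sender=True),
    Message("x" * 150 + "@bulkmail.example", common_sender=True,
            labels=frozenset({"malicious"})),
    Message("IMCEAEX-_O=ORG_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN="
            + "y" * 60 + "@relay.example"),
    Message("a" * 120 + "@newsletter.example"),
    Message("no-at-sign-here"),
]


def run_samples():
    """Evaluate every sample; returns a list of (alerts, reason) tuples."""
    return [evaluate(m) for m in SAMPLES]


if __name__ == "__main__":
    for msg, (alerts, reason) in zip(SAMPLES, run_samples()):
        print("%-6s %s  (%s...)" % ("ALERT" if alerts else "pass", reason, msg.sender[:24]))
```

The order of the exclusions mirrors the summary: the cheap length check runs first, and the false-positive list is consulted last so that a sender is only added to that list once the other exclusions have already failed to explain it.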
Categories
- Endpoint
- Web
- Network
Data Sources
- User Account
- Application Log
Created: 2025-02-24