
Summary
This detection rule targets phishing attacks that impersonate the Ukrainian email service provider ukr[.]net. The rule, originally reported by CERT-UA on March 7, 2022, covers phishing emails that mimic genuine communications from ukr[.]net in order to steal user credentials. In particular, compromised mailboxes are reportedly exploited by Russian special services to launch cyber attacks on Ukrainian citizens. The detection methodology analyzes the sender's display name and email domain to identify potential impersonation attempts, and also matches specific subject lines and known malicious email addresses or links. The rule emphasizes the importance of monitoring emails that exhibit suspicious characteristics associated with credential phishing and brand impersonation.
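The display-name and sender-domain comparison described above, sketched in Python as an added example (not the rule's own source). The known-bad sender entry and the sample messages are constructed placeholders, since the page does not reproduce the rule's subject lines, addresses or links.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

BRAND_DOMAIN = "ukr.net"
# Constructed placeholder: the rule's real indicator list is not on the page.
KNOWN_BAD_SENDERS = {"alerts@known-bad.example"}

def _norm(text):
    """Fold case and Unicode compatibility forms and drop whitespace,
    so 'UKR . NET' compares equal to 'ukr.net'."""
    folded = unicodedata.normalize("NFKC", text or "").casefold()
    return "".join(folded.split())

def sender_domain(addr):
    return addr.rpartition("@")[2].lower().rstrip(".")

def is_brand_domain(domain):
    return domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN)

def evaluate(raw_message):
    """Return the reasons a message looks like ukr.net impersonation."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(addr)
    reasons = []
    if addr.lower() in KNOWN_BAD_SENDERS:
        reasons.append("known_bad_sender")
    if not is_brand_domain(domain):
        name = _norm(display)
        # Brand in the display name while the address is on another domain.
        if BRAND_DOMAIN in name or "ukrnet" in name:
            reasons.append("display_name_impersonation")
        # Brand string embedded in a foreign host, e.g. ukr.net.<other>.
        if BRAND_DOMAIN in domain:
            reasons.append("lookalike_domain")
    return reasons

# Constructed sample messages (headers only).
LEGIT = 'From: "UKR.NET" <noreply@ukr.net>\nSubject: Notice\n\n'
SPOOF = 'From: "Ukr . Net Support" <admin@secure-login.example>\nSubject: Notice\n\n'
LOOKALIKE = 'From: "Mail team" <notice@ukr.net.account-check.example>\nSubject: Notice\n\n'
LISTED = 'From: "Info" <alerts@known-bad.example>\nSubject: Notice\n\n'

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("spoof", SPOOF),
                       ("lookalike", LOOKALIKE), ("listed", LISTED)]:
        print(label, evaluate(raw))
```

The check does not decode RFC 2047 encoded-word display names; decode those before normalizing if your mail pipeline passes them through raw.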
Categories
- Endpoint
- Web
- Identity Management
- Cloud
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2022-03-07