Xero Invoice Abuse

Sublime Rules

Summary
The 'Xero Invoice Abuse' rule flags email that poses as a legitimate invoice from Xero. It targets messages that pair an urgent request for payment with a suspicious sender display name: one that contains confusable (look-alike) characters, or one that claims to be an internal service such as HR or IT. Detection is layered. The rule looks for links to known Xero domains, checks the message content for urgency and financial-transaction language, and inspects the sender display name, using string manipulation to expose brand impersonation and regular expressions to catch references to internal service roles. Severity is medium, reflecting the business email compromise (BEC) and credential-phishing risk these messages carry.
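The following is an added illustration of the layered logic the summary describes, run over a few constructed messages. It is example code written for this page, not the Sublime rule itself (which is written in MQL): the Xero domain list, the urgency/financial/role keyword lists and the homoglyph map are all assumptions chosen for the demonstration.

```python
"""Illustrative re-implementation of the layered checks described above.
Added example, not the Sublime rule. Domain list, keyword lists and the
homoglyph map are assumptions made for this demonstration."""
import re
import unicodedata
from urllib.parse import urlparse

# Assumed legitimate Xero link domains (illustration only); subdomains count.
XERO_DOMAINS = ("xero.com",)

# Assumed keyword lists for the "urgent financial request" layer.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|overdue|final notice|today|asap)\b", re.I)
FINANCIAL = re.compile(r"\b(invoice|payment|remit(tance)?|wire|bank details|amount due)\b", re.I)
# Internal service roles a spoofed display name might claim (assumed list).
INTERNAL_ROLE = re.compile(
    r"\b(hr|human resources|it|it support|helpdesk|help desk|payroll|accounts payable)\b", re.I)

# A few Cyrillic letters that render like Latin ones (assumed, not exhaustive).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0455": "s", "\u0456": "i",
})


def fold_display_name(name: str) -> str:
    """Strip diacritics, then map known homoglyphs to ASCII for brand comparison."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.translate(HOMOGLYPHS)


def has_confusables(name: str) -> bool:
    """Heuristic: after removing accents, is any letter still non-ASCII?
    'José' -> False; 'Xеro' with Cyrillic е (U+0435) -> True.
    Names with letters like ø or ß also trigger; tune for your user base."""
    decomposed = unicodedata.normalize("NFKD", name)
    return any(ch.isalpha() and ord(ch) > 127
               for ch in decomposed if not unicodedata.combining(ch))


def links_to_xero(urls) -> bool:
    """True if any URL's host is a known Xero domain or a subdomain of one."""
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in XERO_DOMAINS):
            return True
    return False


def evaluate(display_name: str, body: str, urls) -> dict:
    """Layered verdict: Xero link AND urgency AND financial language AND
    (confusable display name OR display name claiming an internal role)."""
    confusable = has_confusables(display_name)
    role = bool(INTERNAL_ROLE.search(display_name))
    # Brand look-alike: folded name spells the brand but the raw name does not.
    brand = ("xero" in fold_display_name(display_name).lower()
             and "xero" not in display_name.lower())
    match = (links_to_xero(urls)
             and bool(URGENCY.search(body))
             and bool(FINANCIAL.search(body))
             and (confusable or role))
    return {"match": match, "confusable_name": confusable,
            "internal_role": role, "brand_lookalike": brand}


# Constructed sample messages (display name, body, links); not real mail.
SAMPLES = [
    ("X\u0435ro Billing", "URGENT: your invoice is overdue. Remit payment today.",
     ["https://in.xero.com/pay/abc"]),
    ("IT Support", "Urgent: please approve the attached invoice payment.",
     ["https://xero.com/invoices/123"]),
    ("Xero", "Your invoice is ready to view.",
     ["https://in.xero.com/view/xyz"]),
    ("Jane Doe", "Urgent invoice payment required.",
     ["https://example.com/invoice"]),
]


def run_samples():
    """Verdicts for SAMPLES in order: [True, True, False, False]."""
    return [evaluate(*sample)["match"] for sample in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict!s:5} {sample[0]!r}")
```

The third sample shows why the layering matters: a genuine Xero notification links to a Xero domain and mentions an invoice, but carries no urgency and has a clean display name, so it is not flagged. The fourth has the urgent payment language but no Xero link, so it falls outside this rule's scope.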
Categories
  • Web
  • Application
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Application Log
Created: 2025-07-25