
Summary
This detection rule identifies brand impersonation attempts that abuse WeTransfer, a popular file-sharing service. It looks for indicators of phishing and fraud in inbound messages that claim to come from WeTransfer. Key checks include analyzing the sender's display name for terms related to 'WeTransfer' or minor misspellings of it, examining the sender's email address for common phishing patterns, and scrutinizing the subject line for phrases typically found in WeTransfer notifications. The rule also scans the message body for French-language characteristics, which suggest a localized phishing attempt, and evaluates the links in the email to identify potentially malicious domains. Legitimate WeTransfer emails are excluded when the message passes DMARC authentication and the sender's domain is a recognized WeTransfer domain. Overall, the rule protects users from Business Email Compromise (BEC), phishing, and spam, combining multiple analytic techniques to minimize false positives and improve detection reliability.
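The following Python script is an added illustration of the detection logic described above; it is not the rule's own source. It reimplements each described check (display-name term or near-misspelling, sender-address pattern, subject phrase, French-language body, link domain) and the DMARC-plus-legitimate-domain exclusion, then runs them over three constructed sample messages. The term lists, the edit-distance threshold, the freemail domains, the French word list and the sample messages are all assumptions chosen for the example; the only legitimate domain considered is wetransfer.com.

```python
"""Illustrative WeTransfer brand-impersonation checks (hypothetical code).

Every list, threshold and sample message below is constructed for this example
and is not taken from the actual detection rule.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

BRAND = "wetransfer"
LEGIT_DOMAINS = {"wetransfer.com"}                 # assumed legitimate sending domain
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed freemail providers
# Assumed phrases typical of WeTransfer notification subjects.
SUBJECT_PHRASES = ("sent you", "files are ready", "transfer", "you received")
# Constructed French word list used as a crude language heuristic.
FRENCH_WORDS = {"vous", "votre", "fichiers", "télécharger", "envoyé",
                "avez", "reçu", "les", "des"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class Message:
    display_name: str
    sender_email: str
    subject: str
    body: str
    dmarc_pass: bool


def levenshtein(a, b):
    """Edit distance, used to catch near-miss spellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def display_name_impersonates(name):
    tokens = re.findall(r"[a-z]+", name.lower())
    if BRAND in "".join(tokens):          # "WeTransfer", "We Transfer"
        return True
    return any(levenshtein(t, BRAND) <= 2 for t in tokens)  # "WeTransfr"


def sender_suspicious(email):
    local, _, domain = email.lower().rpartition("@")
    if domain in LEGIT_DOMAINS:
        return False
    # Brand name in the local part, or a freemail domain, is a common pattern.
    return BRAND in local or domain in FREEMAIL


def subject_matches(subject):
    s = subject.lower()
    return any(p in s for p in SUBJECT_PHRASES)


def looks_french(body, min_hits=3):
    words = re.findall(r"\w+", body.lower())
    return sum(w in FRENCH_WORDS for w in words) >= min_hits


def suspicious_links(body):
    """Return link hosts that are neither a legitimate domain nor a subdomain of one."""
    bad = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host not in LEGIT_DOMAINS and not any(host.endswith("." + d) for d in LEGIT_DOMAINS):
            bad.append(host)
    return bad


def evaluate(msg):
    """Apply the exclusion first, then collect indicators; flag when the message
    references the brand and at least one other indicator is present."""
    domain = msg.sender_email.rpartition("@")[2].lower()
    if msg.dmarc_pass and domain in LEGIT_DOMAINS:
        return {"flagged": False, "reasons": []}
    reasons = []
    if display_name_impersonates(msg.display_name): reasons.append("display_name")
    if subject_matches(msg.subject): reasons.append("subject")
    if sender_suspicious(msg.sender_email): reasons.append("sender")
    if looks_french(msg.body): reasons.append("french_body")
    if suspicious_links(msg.body): reasons.append("links")
    brand_ref = "display_name" in reasons or "subject" in reasons
    return {"flagged": brand_ref and len(reasons) >= 2, "reasons": reasons}


# Constructed sample messages (not real traffic).
SAMPLES = [
    Message("WeTransfer", "noreply@wetransfer.com", "Someone sent you files",
            "Download: https://wetransfer.com/downloads/abc", dmarc_pass=True),
    Message("WeTransfr", "wetransfer.files@gmail.com", "Vous avez reçu des fichiers",
            "Bonjour, vous avez reçu des fichiers. Cliquez pour les télécharger : "
            "http://files-download.example.net/dl", dmarc_pass=False),
    Message("WeTransfer", "noreply@wetransfer.com", "Someone sent you files",
            "Download: http://wetransfer.com.example.org/dl", dmarc_pass=False),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.sender_email, evaluate(m))
```

The first sample is excluded by the DMARC-plus-domain rule before any indicator is scored; the second trips the misspelled display name, the freemail sender, the French body and the foreign link; the third shows why DMARC matters, since a spoofed legitimate sender address without DMARC alignment is still scored and is caught by the subject phrase and the look-alike link host.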
Categories
- Web
- Endpoint
- Cloud
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2025-03-12