Brand impersonation: LinkedIn

Sublime Rules

Summary
This detection rule identifies and alerts on potential impersonation of the LinkedIn brand, a lure attackers commonly use in phishing campaigns. It analyzes inbound email whose sender display name closely resembles 'LinkedIn' or contains variations that suggest a fraudulent attempt, using fuzzy string matching to determine whether the sender's details, such as the display name or email domain, have been altered to mimic legitimate LinkedIn communications. Additional checks test whether the sender domain resembles LinkedIn's official domains, with conditions that account for the age of the sender domain and for intent classification of the message content; for instance, the rule evaluates whether the body carries high-confidence credential theft or PII-stealing intent. The rule further verifies that the sender domain does not belong to known legitimate entities that send LinkedIn-related mail, such as smartrecruiters.com or docusign.com, excludes messages that appear to be legitimate correspondence from trusted domains, and scrutinizes reply-to headers so that the trusted-domain exclusions cannot be abused by compromised accounts. Together these checks make the rule effective against common social engineering and brand impersonation tactics targeting LinkedIn users.
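The decision logic the summary describes, shown as an added Python illustration. This is not the Sublime rule itself (which is written in Sublime's rule language and lives in the rule source); the domain lists, the edit-distance and domain-age thresholds, the intent labels and the sample messages below are assumptions constructed for this example, and the registrable-domain extraction is deliberately crude.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Assumed domain lists for this illustration; the real rule maintains its own.
LINKEDIN_DOMAINS = {"linkedin.com"}
LEGIT_PARTNER_DOMAINS = {"smartrecruiters.com", "docusign.com"}

# Assumed thresholds and intent labels (not the rule's actual values).
MAX_EDIT_DISTANCE = 1          # how far a name or domain label may drift from "linkedin"
YOUNG_DOMAIN_DAYS = 30         # sender domains younger than this are suspicious
HIGH_CONFIDENCE_INTENTS = {"cred_theft", "steal_pii"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via a two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def root_domain(domain: str) -> str:
    """Crude registrable domain: the last two labels. Adequate for the
    .com-style domains used here; real code would consult a public-suffix list."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def display_name_mimics_linkedin(display_name: str) -> bool:
    """True if the display name contains 'linkedin' once case, spaces and
    punctuation are ignored, or a word within MAX_EDIT_DISTANCE of it
    (catches 'Linkedln', 'Linked In', 'LinkedIn Security')."""
    lowered = display_name.lower()
    if "linkedin" in re.sub(r"[^a-z0-9]", "", lowered):
        return True
    return any(levenshtein(tok, "linkedin") <= MAX_EDIT_DISTANCE
               for tok in re.findall(r"[a-z0-9]+", lowered))


def domain_looks_like_linkedin(domain: str) -> bool:
    """True for lookalike registrable domains (linkedln.com, linkedin-mail.com)
    that are not LinkedIn's own."""
    root = root_domain(domain)
    if root in LINKEDIN_DOMAINS:
        return False
    label = root.split(".")[0]
    return "linkedin" in label or levenshtein(label, "linkedin") <= MAX_EDIT_DISTANCE


@dataclass
class Message:
    display_name: str
    sender_domain: str
    reply_to_domain: Optional[str] = None
    sender_domain_age_days: Optional[int] = None
    intents: Set[str] = field(default_factory=set)   # output of an NLU classifier


def is_linkedin_impersonation(msg: Message) -> bool:
    sender = root_domain(msg.sender_domain)
    reply_to = root_domain(msg.reply_to_domain) if msg.reply_to_domain else None
    # A Reply-To pointing at a different domain undermines trust in the sender.
    reply_to_mismatch = reply_to is not None and reply_to != sender

    # Genuine LinkedIn mail and partner mail that legitimately mentions LinkedIn
    # is excluded, unless Reply-To redirects replies elsewhere (assumed rule).
    if sender in LINKEDIN_DOMAINS | LEGIT_PARTNER_DOMAINS and not reply_to_mismatch:
        return False
    if not display_name_mimics_linkedin(msg.display_name):
        return False

    young = (msg.sender_domain_age_days is not None
             and msg.sender_domain_age_days < YOUNG_DOMAIN_DAYS)
    malicious_intent = bool(msg.intents & HIGH_CONFIDENCE_INTENTS)
    return (domain_looks_like_linkedin(msg.sender_domain)
            or young or malicious_intent or reply_to_mismatch)


# Constructed sample messages (not real mail).
SAMPLES = {
    "genuine": Message("LinkedIn", "linkedin.com", sender_domain_age_days=8000),
    "partner": Message("SmartRecruiters for LinkedIn", "smartrecruiters.com",
                       sender_domain_age_days=5000),
    "lookalike_domain": Message("LinkedIn Security", "linkedln.com",
                                sender_domain_age_days=3),
    "typo_name_cred_theft": Message("Linkedln Notifications", "mail-notify.example",
                                    sender_domain_age_days=2000, intents={"cred_theft"}),
    "compromised_partner": Message("LinkedIn via DocuSign", "docusign.com",
                                   reply_to_domain="evil.example",
                                   sender_domain_age_days=6000),
    "benign_mention": Message("LinkedIn Tips Newsletter", "example.org",
                              sender_domain_age_days=4000),
    "unrelated": Message("Alice Smith", "example.org", sender_domain_age_days=4000),
}


def evaluate_samples() -> dict:
    return {name: is_linkedin_impersonation(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:22s} -> {'ALERT' if verdict else 'ok'}")
```

The `benign_mention` sample is the one worth noticing: the display name alone is never enough, so an aged, unrelated domain with no lookalike label, no suspicious intent and no reply-to redirection stays quiet, while the `compromised_partner` sample shows why the trusted-domain exclusion has to be conditioned on the reply-to header.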
Categories
  • Web
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2021-02-19