Brand Impersonation: Procore

Sublime Rules

Summary
This detection rule targets phishing messages that use Procore branding but originate from domains other than Procore's own. It analyzes inbound messages and matches when the message body contains the phrase 'powered by procore' and the sender's domain is not one of the known legitimate Procore domains ('procore.com' or 'procoretech.com'). To minimize false positives, the rule excludes legitimate replies and forwards, and it also excludes bounce-back messages, which generally come from automated mail servers, so that benign automated mail is not mistaken for phishing. By combining content analysis with sender domain validation, the rule protects against business email compromise (BEC) and credential phishing that rely on the brand impersonation tactics often used in social engineering attacks.
Categories
  • Web
  • Identity Management
Data Sources
  • User Account
  • Web Credential
Created: 2025-09-04
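
The logic described in the summary, sketched in Python over constructed messages. This is an added example, not the Sublime rule's own source; the reply/forward test (RE:/FW: subject plus a threading header), the bounce test (mailer-daemon or postmaster sender, or a multipart/report message) and treating subdomains of the two Procore domains as legitimate are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LEGIT_DOMAINS = {"procore.com", "procoretech.com"}  # from the rule summary
BRAND_PHRASE = "powered by procore"                  # from the rule summary
# Assumptions (not from the rule): how replies/forwards and bounces are recognised.
REPLY_FWD = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)
BOUNCE_LOCALPARTS = {"mailer-daemon", "postmaster"}

def sender_parts(msg):
    addr = parseaddr(msg.get("From", ""))[1].lower()
    local, _, domain = addr.rpartition("@")
    return local, domain

def is_legit_domain(domain):
    # Exact match or true subdomain only, so "procore.com.attacker.example" fails.
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)

def is_reply_or_forward(msg):
    # Require a threading header as well; a bare "RE:" is trivial to fake.
    threaded = bool(msg.get("In-Reply-To") or msg.get("References"))
    return threaded and bool(REPLY_FWD.match(msg.get("Subject", "")))

def is_bounce(msg):
    local, _ = sender_parts(msg)
    return local in BOUNCE_LOCALPARTS or msg.get_content_type() == "multipart/report"

def flags_procore_impersonation(raw):
    msg = message_from_string(raw)
    payload = msg.get_payload()
    body = " ".join(payload.lower().split()) if isinstance(payload, str) else ""
    _, domain = sender_parts(msg)
    return (BRAND_PHRASE in body
            and not is_legit_domain(domain)
            and not is_reply_or_forward(msg)
            and not is_bounce(msg))

def make(frm, subject, body="Review the document.\nPowered by Procore", extra=""):
    return f"From: {frm}\nSubject: {subject}\n{extra}\n{body}\n"

# Constructed sample messages (not real traffic).
SAMPLES = {
    "phish": make("Procore <docs@procore-files.example>", "New submittal shared"),
    "lookalike": make("no-reply@procore.com.attacker.example", "Invoice ready"),
    "genuine": make("notifications@procore.com", "New submittal shared"),
    "reply": make("pm@contractor.example", "RE: New submittal shared",
                  extra="In-Reply-To: <1@contractor.example>\n"),
    "bounce": make("MAILER-DAEMON@mx.contractor.example", "Undelivered mail"),
}
RESULTS = {name: flags_procore_impersonation(raw) for name, raw in SAMPLES.items()}
```
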