Brand Impersonation: Navan

Sublime Rules

Summary
This detection rule identifies potential brand impersonation of the expense management service Navan in inbound messages. It checks the sender's display name against regex patterns that catch misrepresentations of the brand name 'Navan', and matches the sender's email domain against variants of the brand. Machine learning is applied to any logos present in message screenshots, and a brand match counts only when it is detected with medium or high confidence. The rule also examines the email subject for keywords indicating urgency or unusual account access attempts. Messages from trusted sender domains are excluded unless they fail DMARC authentication. Finally, the rule evaluates the sender's message profile for past malicious activity and requires that the sender's history contain no false positives.
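The gating described in the summary, sketched in Python as an added example (this is not the rule's source). The regex patterns, the trusted-domain list, the message field names and the way the brand signals are OR-ed together are all assumptions; the subject-keyword check is left out.

```python
import re

# All patterns, domains and field names are assumptions for illustration;
# none are taken from the rule's source.
BRAND_NAME = re.compile(r"\bn[a4]v[a4]n\b", re.IGNORECASE)  # display-name variants
BRAND_DOMAIN = re.compile(r"n[a4]v[a4]n", re.IGNORECASE)    # domain variants
TRUSTED_DOMAINS = {"navan.com"}                             # hypothetical allow-list
LOGO_CONFIDENCE = {"medium", "high"}


def root_domain(address):
    """Naive root domain: the last two labels of the address's domain part."""
    return ".".join(address.rsplit("@", 1)[-1].lower().split(".")[-2:])


def has_brand_signal(msg):
    """True if the display name, sender domain or a detected logo points at Navan."""
    logo = msg.get("logo")  # (brand, confidence) from a logo classifier, or None
    return bool(
        BRAND_NAME.search(msg["display_name"])
        or BRAND_DOMAIN.search(root_domain(msg["from_address"]))
        or (logo and logo[0] == "Navan" and logo[1] in LOGO_CONFIDENCE)
    )


def is_impersonation(msg):
    if not has_brand_signal(msg):
        return False
    # A trusted domain is exempt only while DMARC passes. On a DMARC failure
    # the trusted domain may itself be spoofed, so the message stays in scope.
    if root_domain(msg["from_address"]) in TRUSTED_DOMAINS and msg["dmarc_pass"]:
        return False
    # Senders whose history contains false positives are suppressed.
    return not msg.get("sender_false_positives", False)


# Constructed sample messages (not real traffic).
BASE = {"display_name": "Navan Support", "dmarc_pass": True,
        "from_address": "alerts@navan-expense.example"}
SAMPLES = {
    "lookalike": BASE,
    "trusted_pass": {**BASE, "from_address": "noreply@navan.com"},
    "trusted_dmarc_fail": {**BASE, "from_address": "noreply@navan.com", "dmarc_pass": False},
    "low_conf_logo": {"display_name": "Accounts Payable", "dmarc_pass": True,
                      "from_address": "ap@vendor.example", "logo": ("Navan", "low")},
    "high_conf_logo": {"display_name": "Accounts Payable", "dmarc_pass": True,
                       "from_address": "ap@vendor.example", "logo": ("Navan", "high")},
    "known_fp_sender": {**BASE, "sender_false_positives": True},
}
```

The `trusted_pass` and `trusted_dmarc_fail` samples differ only in the DMARC result, which is what moves a message from the real domain back into scope.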
Categories
  • Web
  • Cloud
  • Identity Management
  • Other
Data Sources
  • User Account
  • Process
  • Network Traffic
  • Application Log
Created: 2025-04-04