
Summary
This detection rule targets brand impersonation of Mailchimp by analyzing email content and sender information. It uses several techniques to identify phishing attempts in which the attacker either spoofs the sender's display name so the message appears to come from Mailchimp or includes unauthorized branding elements such as logos in the message. To surface potential impersonation, the rule combines string matching, such as checking for a close match (by Levenshtein distance) to 'Mailchimp', with visual analysis of any logos found in screenshots of the email. It also scans the body for security-themed keywords and analyzes paragraphs for contextually relevant topics, using a machine-learning classifier to identify intent related to credential theft. To limit false positives, the rule additionally requires that the sender's domain be neither one of the organization's trusted domains nor a domain associated with Mailchimp, which raises the likelihood that a match is a genuine phishing attempt. Overall, the rule addresses the growing concern of social engineering attacks that leverage well-known brands for malicious purposes.
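The string-matching and domain-scoping stages of the logic described above can be reproduced in a few lines. The following Python example is added here for illustration and is not the rule's own code or query language; it implements the Levenshtein check on the display name, the security-keyword scan of the body, and the exclusion of organization and Mailchimp domains. The logo analysis and the machine-learning intent classifier are not reproduced. The domain allowlists, the keyword phrases and the sample messages are all constructed placeholders for the example.

```python
import re
from email.utils import parseaddr

# Assumed allowlists (placeholders for this example). A real deployment would use the
# tenant's configured organization domains and a maintained list of Mailchimp domains.
ORG_DOMAINS = {"example.com"}
MAILCHIMP_DOMAINS = {"mailchimp.com", "mandrillapp.com"}
BRAND = "mailchimp"

# Constructed security-themed phrases typical of credential-phishing lures.
SECURITY_KEYWORDS = (
    "verify your account", "account suspended", "unusual sign-in",
    "confirm your password", "update your billing", "security alert",
)

# Constructed sample messages: one lookalike from an untrusted domain, one genuine
# Mailchimp sender, one internal sender, and one unrelated newsletter.
SAMPLE_MESSAGES = [
    {"from": '"Mailchimp Support" <alerts@mc-notify-example.net>',
     "body": "Security alert: unusual sign-in detected. Verify your account within 24 hours."},
    {"from": '"Mailchimp" <no-reply@mailchimp.com>',
     "body": "Security alert: a new login to your account."},
    {"from": '"Mailchlmp Billing" <billing@example.com>',
     "body": "Please update your billing details."},
    {"from": '"Acme Newsletter" <news@acme-example.org>',
     "body": "Verify your account to keep receiving our newsletter."},
]


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def display_name_impersonates(display_name: str, max_distance: int = 1) -> bool:
    """True if the whole display name or any alphanumeric token is within
    max_distance edits of the brand name (catches 'Mailchlmp', 'Mai1chimp', ...)."""
    name = display_name.lower()
    candidates = [name] + re.findall(r"[a-z0-9]+", name)
    return any(levenshtein(c, BRAND) <= max_distance for c in candidates)


def evaluate(msg: dict) -> dict:
    """Apply the three reproduced stages to one message and return the findings.
    'flag' is True only when all three conditions hold, mirroring the rule's
    requirement that the sender domain is neither the org's nor Mailchimp's."""
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg["body"].lower()
    findings = {
        "display_name_match": display_name_impersonates(name),
        "security_keywords": [k for k in SECURITY_KEYWORDS if k in body],
        "domain_untrusted": domain not in ORG_DOMAINS and domain not in MAILCHIMP_DOMAINS,
    }
    findings["flag"] = (findings["display_name_match"]
                        and bool(findings["security_keywords"])
                        and findings["domain_untrusted"])
    return findings


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", evaluate(m))
```

Only the first sample is flagged: the second is excluded by the Mailchimp domain allowlist, the third by the organization allowlist, and the fourth never passes the display-name check. In practice the keyword stage would be replaced or supplemented by the classifier the rule describes, and the domain allowlists would be maintained rather than hard-coded.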
Categories
- Identity Management
- Endpoint
- Cloud
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2025-05-06