
Summary
This detection rule aims to identify potential Business Email Compromise (BEC) attacks in which an employee receives mail from an untrusted sender impersonating a trusted colleague. The rule compares the sender's display name against the display names of individuals within the organization, and requires the name to contain a space so that single-word names do not collide with common first names and produce false positives. The email body is run through Natural Language Understanding (NLU) to classify intent and extract entities related to urgency and requests; combined with context from the subject line and the sender's profile, this strengthens detection of impersonation attempts. As a further safeguard, trusted sender domains are negated on the basis of DMARC authentication results, which reduces false positives from legitimate internal mail. By combining content and header analysis with sender-profile evaluation, the rule flags emails that are likely to lead to fraudulent activity.
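The decision path described above, as an added illustration that is not the rule's own logic: the organization's display names and domains, the sender-profile flag and the keyword heuristic standing in for the NLU classifier are all constructed assumptions for this example.

```python
from dataclasses import dataclass

# Constructed sample data (assumption): internal display names and the
# organization's own sending domains. A real rule draws these from directory data.
ORG_DISPLAY_NAMES = {"Jane Doe", "Sam Okafor", "Priya Natarajan"}
ORG_DOMAINS = {"example.com"}

# Stand-in for the NLU classifier (assumption): keyword lists that yield the
# same kind of labels the rule uses, i.e. urgency and request entities.
URGENCY_TERMS = ("urgent", "asap", "immediately", "right away", "end of day")
REQUEST_TERMS = ("gift card", "wire", "invoice", "bank details", "are you available")


@dataclass
class Email:
    sender_name: str      # display name from the From: header
    sender_email: str     # address from the From: header
    subject: str
    body: str
    dmarc_pass: bool      # DMARC authentication result for the message
    sender_known: bool    # sender-profile context: prior history with this sender


def normalize(name: str) -> str:
    return " ".join(name.lower().split())


def classify_body(text: str) -> dict:
    t = text.lower()
    return {"urgency": any(k in t for k in URGENCY_TERMS),
            "request": any(k in t for k in REQUEST_TERMS)}


def is_display_name_impersonation(email: Email) -> bool:
    name = normalize(email.sender_name)
    if " " not in name:                       # single-word names are skipped
        return False
    if name not in {normalize(n) for n in ORG_DISPLAY_NAMES}:
        return False                          # display name matches nobody internal
    domain = email.sender_email.rsplit("@", 1)[-1].lower()
    if domain in ORG_DOMAINS and email.dmarc_pass:
        return False                          # trusted domain that authenticates: negated
    if email.sender_known:
        return False                          # established sender profile
    labels = classify_body(email.subject + "\n" + email.body)
    return labels["urgency"] or labels["request"]


# Constructed messages: a lookalike external sender versus an authenticated internal one.
SPOOF = Email("Jane Doe", "jane.doe.ceo@webmail.invalid", "Quick favour",
              "Are you available? I need gift cards sent right away.", False, False)
LEGIT = Email("Jane Doe", "jane.doe@example.com", "Quick favour",
              "Are you available? Please wire the invoice today.", True, True)
```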
Categories
- Web
- Endpoint
- Cloud
Data Sources
- User Account
- Web Credential
- Application Log
Created: 2023-01-31