
Summary
This detection rule targets brand impersonation attempts specifically against the Paperless Post service. It identifies suspicious messages that contain multiple images hosted on the official Paperless Post asset domain (ppassets.com) while containing fewer than three legitimate links back to Paperless Post. The rule employs conditions to filter out genuine forwards and replies, as well as messages originating from verified Paperless Post domains that have passed DMARC authentication, reducing false positives. Using a combination of HTML analysis and URL parsing, the rule captures phishing attempts that impersonate the Paperless Post brand by leveraging its assets without providing legitimate links back to the verified service. This detection is critical for safeguarding users against credential phishing and malware delivery that exploit familiar branding.
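The rule's conditions, reconstructed in Python as an added example over a constructed sample message (this is not the rule's own implementation). The ppassets.com asset domain comes from the summary; paperlesspost.com as the legitimate link and verified-sender domain, the reply/forward subject prefixes, and the caller-supplied dmarc_pass flag are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed domain lists: ppassets.com is named by the rule summary; paperlesspost.com
# is assumed to be the legitimate link domain and the verified sender domain.
ASSET_DOMAINS = {"ppassets.com"}
LEGIT_DOMAINS = {"paperlesspost.com"}

class _Collector(HTMLParser):
    """Collects <img src> and <a href> values from an HTML body."""
    def __init__(self):
        super().__init__()
        self.img_srcs, self.hrefs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.img_srcs.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])

def _host_in(url, domains):
    # Match the exact domain or any subdomain (cdn.ppassets.com counts as ppassets.com).
    host = (urlparse(url.strip()).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def analyze(raw_email, dmarc_pass):
    # Returns the intermediate counts plus the final verdict so each condition is visible.
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    subject = (msg.get("Subject") or "").strip().lower()
    reply_or_fwd = subject.startswith(("re:", "fw:", "fwd:")) or bool(msg.get("In-Reply-To"))
    html = ""
    for part in msg.walk():  # take the text/html part of a single- or multipart message
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
    c = _Collector()
    c.feed(html)
    asset_images = sum(_host_in(u, ASSET_DOMAINS) for u in c.img_srcs)
    legit_links = sum(_host_in(u, LEGIT_DOMAINS) for u in c.hrefs)
    verified = sender in LEGIT_DOMAINS and dmarc_pass  # verified domain AND DMARC pass
    flagged = asset_images >= 2 and legit_links < 3 and not verified and not reply_or_fwd
    return {"asset_images": asset_images, "legit_links": legit_links,
            "verified_sender": verified, "reply_or_forward": reply_or_fwd, "flagged": flagged}

# Constructed sample (not a real campaign): look-alike sender, ppassets images, no PP links.
SAMPLE = ('From: "Paperless Post" <invites@lookalike.example>\n'
          "Subject: You have received an invitation\nContent-Type: text/html\n\n"
          '<img src="https://cdn.ppassets.com/img/card.png"><img src="https://ppassets.com/logo.png">'
          '<a href="https://lookalike.example/view">View your card</a>')
```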
Categories
- Web
- Cloud
- Identity Management
Data Sources
- User Account
- Network Traffic
- Web Credential
- Process
Created: 2025-11-07