
Summary
This detection rule targets messages that impersonate Charles Schwab & Co., a common lure in credential-phishing campaigns against the firm's customers. It combines several string-matching techniques on the sender's display name and email domain to catch look-alikes meant to deceive recipients. Specifically, it checks whether the sender's display name contains variations of 'Charles Schwab', uses Levenshtein distance so that minor typos and character substitutions still match, and checks the sender's email domain for the term 'schwab'. To reduce false positives from legitimate mail, the rule exempts senders whose domain belongs to Charles Schwab or its affiliates, and that exemption is tied to authentication results: a DMARC check is used to validate the sender, so a message that merely claims a legitimate domain is not trusted on the strength of the From header alone. Together these checks let the rule flag likely phishing attempts while leaving authenticated first-party mail alone.
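The following is an added, stand-alone Python re-implementation of the checks described above, written here for illustration; it is not the rule's own query language or code, and it only approximates the logic the summary describes. The trusted-domain list, the edit-distance threshold (2), the word-window comparison used to apply Levenshtein distance to longer display names, the naive root-domain extraction, and the sample messages are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Brand string the rule looks for (lowercased for comparison).
TARGET = "charles schwab"
TARGET_WORD_COUNT = len(TARGET.split())

# ASSUMPTION: the real rule's list of trusted first-party/affiliate root
# domains is not on this page; schwab.com is used here as a stand-in.
TRUSTED_ROOT_DOMAINS = {"schwab.com"}

# ASSUMPTION: maximum Levenshtein distance for a display name to count as a
# look-alike of the brand string.
MAX_EDIT_DISTANCE = 2


@dataclass
class Message:
    """Minimal view of an inbound email: who it claims to be from and whether DMARC passed."""
    display_name: str
    sender_email: str
    dmarc_pass: bool


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute, each costing 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(text: str) -> str:
    """Lowercase and collapse punctuation/whitespace so 'Charles-Schwab ' == 'charles schwab'."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text.lower()).split())


def sender_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def root_domain(email: str) -> str:
    """Naive registrable-domain extraction (last two labels). Simplification:
    it does not handle multi-label public suffixes such as co.uk."""
    labels = sender_domain(email).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def display_name_lookalike(display_name: str) -> bool:
    """True if the display name contains 'schwab' or is within MAX_EDIT_DISTANCE
    of 'charles schwab' over any window of two consecutive words."""
    norm = normalize(display_name)
    if "schwab" in norm:
        return True
    words = norm.split()
    windows = [" ".join(words[i:i + TARGET_WORD_COUNT])
               for i in range(max(1, len(words) - TARGET_WORD_COUNT + 1))]
    return any(levenshtein(w, TARGET) <= MAX_EDIT_DISTANCE for w in windows)


def domain_mentions_brand(email: str) -> bool:
    """True if the sender's email domain contains the term 'schwab'."""
    return "schwab" in sender_domain(email)


def is_trusted_sender(msg: Message) -> bool:
    """Exempt only first-party domains that also pass DMARC; a spoofed From
    header on schwab.com with a failing DMARC result is NOT exempted."""
    return root_domain(msg.sender_email) in TRUSTED_ROOT_DOMAINS and msg.dmarc_pass


def evaluate(msg: Message) -> bool:
    """Return True when the message should be flagged as a Schwab impersonation."""
    impersonation = display_name_lookalike(msg.display_name) or domain_mentions_brand(msg.sender_email)
    return impersonation and not is_trusted_sender(msg)


# Constructed sample messages (not real traffic); expected flags are in the comments.
SAMPLE_MESSAGES = [
    Message("Charles Schwab", "alerts@schwab.com", True),                      # legit, authenticated -> False
    Message("Charles Schwab", "alerts@schwab.com", False),                     # spoofed From, DMARC fail -> True
    Message("Charles Shwab Support", "support@secure-notice.example", True),   # typo look-alike -> True
    Message("Client Services", "noreply@schwab-verify.example", True),         # brand in domain -> True
    Message("Schwab Alerts", "no-reply@mail.schwab.com", True),                # subdomain of trusted root -> False
    Message("Acme Payroll", "payroll@acme.example", True),                     # unrelated -> False
]


def run_samples() -> list:
    return [evaluate(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m, flagged in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{'FLAG ' if flagged else 'pass '} {m.display_name!r:28} <{m.sender_email}> dmarc={m.dmarc_pass}")
```

The second sample is the case the DMARC condition exists for: the display name and domain are exactly Schwab's, but the message did not authenticate, so the trusted-domain exemption must not apply. The word-window Levenshtein comparison is one way to keep the fuzzy match useful on longer display names such as "Charles Shwab Support"; a whole-string comparison would miss it.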
Categories
- Identity Management
- Cloud
- Web
- Endpoint
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2024-11-25