
Brand impersonation: Robinhood

Sublime Rules

Summary
This rule flags inbound messages that impersonate Robinhood by combining NLP-based content analysis, sender and header inspection, and contextual indicators (a street address, account-event fields, social-media links). It looks for Robinhood signals in the message body and the sender display name and for scam intent such as callback phishing, and its confidence rises as corroborating signals accumulate. The signals it combines are:
  • explicit references to Robinhood or the Robinhood brand in the body, including an NLU-derived organization entity together with the term "Robinhood" in the body text, and sign-offs such as "The Robinhood Team"
  • a non-low-confidence "callback_scam" intent from the NLU classifier
  • a legitimate-looking address reference (e.g., 42 Willow Road, Menlo Park, CA)
  • multiple social links pointing to Robinhood-owned pages (Facebook, Twitter, YouTube, Instagram)
  • a sender display name containing "Robinhood" together with account-event fields (Location, Time, Device, IP Address) or a "new passkey added" notice
To limit false positives, the rule suppresses matches that look like legitimate replies or forwards (References or In-Reply-To headers present, or a reply/forward subject type), messages that resemble newsletters or webinar invitations, and mail whose sender domain is a known Robinhood domain (robinhood.com, robinhood.org and the other Robinhood-owned domains the rule lists) and which also passes DMARC authentication. Because the domain check and the DMARC check are applied together, a forged From: robinhood.com that fails DMARC is still evaluated. Overall, the rule targets credential phishing that relies on brand impersonation and social-engineering cues.
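The detection flow described in the summary, as an added example in Python that is not the Sublime rule itself (Sublime rules are written in MQL and use its NLU classifier). The regexes below are keyword stand-ins for the NLU intent and entity signals; the signal names, the threshold of one corroborating signal beyond the brand mention, the Authentication-Results parsing and the sample messages are all assumptions made for this example.

```python
"""Python sketch of the rule logic summarized above: an added example, not the Sublime rule (MQL).
The regexes stand in for Sublime's NLU signals; names, thresholds and samples are assumptions."""
import email
import re
from email import policy
from email.utils import parseaddr

# Legitimate sender domains named in the summary (suppressed only together with a DMARC pass).
ROBINHOOD_DOMAINS = {"robinhood.com", "robinhood.org"}
# Contextual indicators named in the summary: HQ address, social links, account-event fields.
ADDRESS_RE = re.compile(r"42\s+Willow\s+R(?:oa)?d\b.*?Menlo\s+Park", re.I | re.S)
SOCIAL_RE = re.compile(r"https?://(?:www\.)?(facebook|twitter|youtube|instagram)\.com/robinhood", re.I)
EVENT_FIELDS_RE = re.compile(r"\b(location|time|device|ip address)\s*:", re.I)
PASSKEY_RE = re.compile(r"new passkey added", re.I)
# Keyword stand-in for the "callback_scam" intent: an instruction to phone a number.
CALLBACK_RE = re.compile(r"\b(?:call|dial|phone)\b[^.\n]{0,60}?\+?\d[\d\s().-]{7,}\d", re.I)
# Keyword stand-in for the newsletter/webinar exclusion.
NEWSLETTER_RE = re.compile(r"\b(?:unsubscribe|newsletter|webinar)\b", re.I)

def root_domain(domain: str) -> str:
    """Last two labels; assumption: no public-suffix handling (fine for .com/.org)."""
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_passed(msg) -> bool:
    """True if any Authentication-Results header reports dmarc=pass."""
    return any(re.search(r"\bdmarc=pass\b", h, re.I)
               for h in msg.get_all("Authentication-Results", []))

def is_reply_or_forward(msg) -> bool:
    """Anti-evasion exclusion: threading headers or a Re:/Fwd: subject."""
    return bool(msg.get("References") or msg.get("In-Reply-To")
                or re.match(r"\s*(?:re|fwd?)\s*:", str(msg.get("Subject", "")), re.I))

def evaluate(raw: str) -> dict:
    """Return the corroborating signals found, the suppression reason (if any) and the verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    name_hit = "robinhood" in display_name.lower()
    checks = {
        "brand_mention": name_hit or re.search(r"\brobinhood\b", body, re.I),
        "team_signoff": re.search(r"the robinhood team", body, re.I),
        "hq_address": ADDRESS_RE.search(body),
        "social_links": len({m.group(1).lower() for m in SOCIAL_RE.finditer(body)}) >= 2,
        "callback_scam": CALLBACK_RE.search(body),
        "account_event": name_hit and (PASSKEY_RE.search(body) or
                                       len({f.lower() for f in EVENT_FIELDS_RE.findall(body)}) >= 2),
    }
    signals = [name for name, hit in checks.items() if hit]
    suppressed = None
    if "brand_mention" not in signals:
        suppressed = "no_brand_signal"
    elif is_reply_or_forward(msg):
        suppressed = "reply_or_forward"
    elif NEWSLETTER_RE.search(body):
        suppressed = "newsletter_like"
    elif root_domain(addr.rsplit("@", 1)[-1]) in ROBINHOOD_DOMAINS and dmarc_passed(msg):
        suppressed = "authenticated_brand_domain"
    # Assumption: a brand mention plus at least one corroborating signal is needed to fire.
    verdict = suppressed is None and len(signals) >= 2
    return {"verdict": verdict, "signals": signals, "suppressed_by": suppressed}

# Constructed samples, not real traffic.  PHISH spoofs the brand from a look-alike domain.
PHISH = """\
From: Robinhood Security <alerts@rh-secure-login.example>
Subject: New sign-in to your Robinhood account
Authentication-Results: mx.example.com; dmarc=fail header.from=rh-secure-login.example
Content-Type: text/plain

We noticed a new login to your account.
Location: Lagos, Nigeria
Time: 03:14 UTC
IP Address: 203.0.113.7
If this was not you, call our fraud desk at +1 (555) 010-0199 immediately.
The Robinhood Team
42 Willow Road, Menlo Park, CA 94025
https://www.facebook.com/robinhoodapp https://twitter.com/robinhoodapp
"""
# Same content from Robinhood's own domain with a DMARC pass: suppressed as legitimate.
LEGIT = PHISH.replace("alerts@rh-secure-login.example", "no-reply@mail.robinhood.com").replace(
    "dmarc=fail header.from=rh-secure-login.example", "dmarc=pass header.from=robinhood.com")
# Forged From: robinhood.com that still fails DMARC: the domain check alone does not suppress.
SPOOF = PHISH.replace("alerts@rh-secure-login.example", "alerts@robinhood.com")
# Same text quoted inside an existing thread: the reply/forward exclusion applies.
REPLY = "In-Reply-To: <thread@example.com>\n" + PHISH.replace("Subject: ", "Subject: Re: ", 1)
NEWSLETTER = """\
From: Fintech Weekly <news@fintechweekly.example>
Content-Type: text/plain

Missed our webinar on Robinhood's results? The Robinhood Team joined us live.
"""
BENIGN = """\
From: Sam <sam@corp.example>
Content-Type: text/plain

Did you see the Robinhood news this morning? Let's talk at lunch.
"""
```

Calling `evaluate()` on each sample shows the three exclusions and the DMARC coupling: `LEGIT` is suppressed only because the robinhood.com sender also passes DMARC, while `SPOOF`, which forges From: robinhood.com but fails DMARC, still fires, and `BENIGN` mentions the brand without any corroborating signal and so does not fire. The keyword stand-ins are the weak point of this sketch: the real rule relies on the NLU classifier rather than on words such as "webinar", which an attacker could otherwise insert to reach the newsletter exclusion.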
Categories
  • Network
  • Web
  • Application
  • Identity Management
  • Other
Data Sources
  • Network Traffic
  • Application Log
  • Process
Created: 2026-03-27