
Summary
This rule detects email messages that impersonate UK government agencies, specifically the Home Office and its affiliated organizations such as UK Visas and Immigration. It applies only to messages whose sender is not authenticated as a legitimate government domain (i.e., a domain that does not end in 'gov.uk'). The rule combines several checks: it evaluates the display name and subject for homograph attacks; it analyzes the body for brand-related phrases and the copyright footers common to legitimate UK government communications; and it scrutinizes hyperlinks for signs of phishing or credential theft. Messages containing links whose display text indicates a 'gov.uk' destination but whose target does not point to 'gov.uk' are flagged. To limit false positives, the rule does not trigger on highly repetitive newsletters or on messages with a high volume of links, which typically indicate promotional material rather than phishing. Finally, the rule requires that the message is not part of an existing thread, so that detection focuses on new potential threats.
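The checks described above, as an added illustration written for this page rather than the rule's own implementation: the brand phrases, the copyright marker, the link-volume threshold, the small confusables table and the sample messages (which use the reserved .example TLD) are all constructed assumptions. It parses a raw message, applies the suppressions (government sender, existing thread, newsletter-like link volume), then looks for homograph brand names in the display name and subject, brand phrases or a copyright footer in the body, and links whose visible text claims gov.uk while pointing elsewhere.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from html import unescape
from urllib.parse import urlparse

# Assumed brand phrases and footer marker for the impersonated organisations.
BRAND_PHRASES = ("home office", "uk visas and immigration", "ukvi")
COPYRIGHT_FOOTER = re.compile(r"crown copyright", re.I)
# Constructed subset of Cyrillic look-alikes for Latin letters; a full
# confusables table would be used in production.
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p",
                             "с": "c", "х": "x", "і": "i", "у": "y"})
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
MAX_LINKS = 20  # assumed threshold above which a message is treated as promotional


def is_gov_uk(host: str) -> bool:
    """Label-exact match: 'fakegov.uk' must not pass as a government domain."""
    host = host.lower().rstrip(".")
    return host == "gov.uk" or host.endswith(".gov.uk")


def skeleton(text: str) -> str:
    """Fold accents and look-alike letters to ASCII so brand names survive homograph substitution."""
    folded = unicodedata.normalize("NFKD", text).translate(CONFUSABLES)
    return "".join(c for c in folded if not unicodedata.combining(c)).lower()


def homograph_brand(text: str) -> bool:
    """True when a brand phrase appears only after confusable folding."""
    raw, folded = text.lower(), skeleton(text)
    return any(p in folded and p not in raw for p in BRAND_PHRASES)


def extract_links(html: str) -> list[tuple[str, str]]:
    """Return (visible text, href) pairs for every anchor in an HTML body."""
    return [(unescape(re.sub(r"<[^>]+>", "", text)).strip(), href)
            for href, text in LINK_RE.findall(html)]


def misleading_gov_links(links) -> list[str]:
    """Hrefs whose visible text claims gov.uk but whose target host is not gov.uk."""
    return [href for text, href in links
            if "gov.uk" in text.lower() and not is_gov_uk(urlparse(href).hostname or "")]


def evaluate(raw_message: str) -> dict:
    """Apply the rule's checks to one raw RFC 822 message (single-part HTML body assumed)."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    links = extract_links(body)
    # Suppressions: government sender, existing thread, newsletter-like link volume.
    if is_gov_uk(addr.rpartition("@")[2]):
        return {"match": False, "reasons": ["sender domain is gov.uk"]}
    if msg.get("In-Reply-To") or msg.get("References"):
        return {"match": False, "reasons": ["message belongs to an existing thread"]}
    if len(links) > MAX_LINKS:
        return {"match": False, "reasons": ["link volume suggests a newsletter"]}
    reasons = []
    for label, field in (("display name", display_name), ("subject", msg.get("Subject", ""))):
        if homograph_brand(field):
            reasons.append(f"homograph brand in {label}")
    body_text = skeleton(re.sub(r"<[^>]+>", " ", body))
    brand_in_body = any(p in body_text for p in BRAND_PHRASES) or bool(COPYRIGHT_FOOTER.search(body))
    if brand_in_body:
        reasons.append("brand phrase or copyright footer in body")
    bad_links = misleading_gov_links(links)
    if bad_links:
        reasons.append(f"{len(bad_links)} link(s) claim gov.uk but point elsewhere")
    # Fire only when the message trades on the brand AND shows a deception indicator.
    homograph = any(r.startswith("homograph") for r in reasons)
    return {"match": (brand_in_body or homograph) and (bool(bad_links) or homograph),
            "reasons": reasons}


# Constructed samples. The phishing display name spells "Home" with a Cyrillic 'о'.
PHISHING_SAMPLE = """\
From: "H\u043eme Office" <notices@ukvi-update.example>
Subject: Action required: your visa decision
Content-Type: text/html

<p>UK Visas and Immigration has made a decision on your application.</p>
<a href="https://ukvi-update.example/login">https://www.gov.uk/uk-visas-immigration</a>
<p>&copy; Crown copyright</p>
"""
LEGIT_SAMPLE = (PHISHING_SAMPLE.replace("H\u043eme", "Home")
                .replace("notices@ukvi-update.example", "noreply@homeoffice.gov.uk"))
REPLY_SAMPLE = PHISHING_SAMPLE.replace("Subject:", "In-Reply-To: <thread@ukvi-update.example>\nSubject:", 1)

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE), ("reply", REPLY_SAMPLE)):
        print(name, evaluate(sample))
```

The sender check deliberately compares whole labels rather than using a plain suffix test, because a suffix test on 'gov.uk' would also accept a registrable domain such as 'fakegov.uk'; the same label-exact comparison is reused when deciding whether a link's target really lands on gov.uk.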
Categories
- Identity Management
- Web
- Endpoint
Data Sources
- User Account
- Web Credential
- Network Traffic
- Application Log
- Process
Created: 2025-09-16