
Service abuse: Task management message sent via SendGrid

Sublime Rules

Summary
This detection rule identifies malicious messages that impersonate task management or productivity applications by analyzing inbound email sent via SendGrid. The rule looks for the phrase 'todo list' in the subject line or body, a lure commonly used in credential phishing attempts, and uses regex patterns to catch variations of the phrase. It then checks the sending domain to confirm the message originated from SendGrid and evaluates the DMARC authentication result against a list of high-trust sender domains: a message sent from a domain that is not on the high-trust list, or one that fails DMARC authentication, is treated as higher risk. The rule also considers sender history, using scoring from previous emails to determine whether the sender's communication has been solicited or has shown malicious or spam characteristics. Social engineering through brand impersonation is the key context for identifying these threats. The rule's medium severity rating reflects the seriousness of impersonation attacks that attempt to steal credentials.
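The logic described above, written out as an added Python illustration (this is not the Sublime rule itself or its query language). It assumes SendGrid relaying is recognised by a Return-Path root domain of sendgrid.net, and the high-trust domain set, sender profile and sample message are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Lure text the rule keys on: "todo list" and close variants, case-insensitive.
TODO_LIST_RE = re.compile(r"\bto[-\s]?do[-\s]?list\b", re.IGNORECASE)

# Assumptions for this illustration: SendGrid traffic is recognised by the
# Return-Path root domain, and the high-trust list is a constructed sample set.
SENDGRID_ROOT = "sendgrid.net"
HIGH_TRUST_ROOT_DOMAINS = {"example-saas.com"}

@dataclass
class SenderProfile:
    """Constructed stand-in for sender history used to exempt known-good senders."""
    solicited: bool = False
    any_malicious_or_spam: bool = False

@dataclass
class Message:
    subject: str
    body: str
    from_domain: str          # domain in the visible From: header
    return_path_domain: str   # envelope/bounce domain (SendGrid for relayed mail)
    dmarc_pass: bool
    profile: SenderProfile = field(default_factory=SenderProfile)

def root_domain(domain: str) -> str:
    """Naive root-domain extraction (last two labels); adequate for the sample data."""
    parts = domain.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]

def matches_rule(msg: Message) -> bool:
    """Return True when the message should be flagged as a task-app impersonation."""
    # 1. The lure phrase must appear in the subject or body.
    if not (TODO_LIST_RE.search(msg.subject) or TODO_LIST_RE.search(msg.body)):
        return False
    # 2. The message must have been relayed through SendGrid.
    if root_domain(msg.return_path_domain) != SENDGRID_ROOT:
        return False
    # 3. Sender history: a solicited sender with no malicious/spam history is exempt.
    if msg.profile.solicited and not msg.profile.any_malicious_or_spam:
        return False
    # 4. Only a high-trust From domain that also passes DMARC is allowed through.
    trusted = root_domain(msg.from_domain) in HIGH_TRUST_ROOT_DOMAINS
    return not (trusted and msg.dmarc_pass)

# Constructed sample (not real traffic): lure from an unknown domain, via SendGrid, failing DMARC.
PHISH = Message("Your todo list has 3 overdue items", "Sign in to review.",
                "tasks-alerts.example", "bounces.sendgrid.net", dmarc_pass=False)
```

Run `matches_rule(PHISH)` to see the sample flagged; a high-trust From domain that passes DMARC, a message not relayed through SendGrid, or a solicited sender with a clean history all return False.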
Categories
  • Cloud
  • Web
Data Sources
  • Service
  • Application Log
  • User Account
Created: 2025-10-07