Impersonation: Australian Federal Police with criminal case language

Sublime Rules

Summary
Technical summary: This rule detects messages impersonating the Australian Federal Police (AFP) by looking for AFP branding in the subject or sender display name paired with official-sounding law-enforcement language. It targets inbound items and checks subject.base for "AFP" or "Australian Federal Police" (case-insensitive). It requires at least two of the following terms in the subject: case, investigation, law enforcement, management, notice, reference. It also enforces content constraints on the message body: the thread must contain concepts such as investigation or correspondence, and must include a phrase such as "case reference" or "case type", matched with a case-reference pattern. When all criteria are met, the rule raises a high-severity alert aligned with BEC/Fraud and Extortion. Detection methods include content analysis, header analysis, natural language understanding (NLU), and sender analysis. The data sources referenced are the subject and body text, which means the rule relies on network-transported messages and endpoint visibility into inbound email-like content. Keyword and language cues are what separate impersonation attempts from legitimate communications.
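The detection logic described above, re-implemented in Python over constructed sample messages as an added illustration; this is not the Sublime rule itself (which is written in MQL and uses an NLU classifier), and the case-reference regex plus the keyword stand-in for the NLU concept check are assumptions.

```python
import re

# Assumed approximation of the rule's checks: the page describes them in prose,
# and the production rule is Sublime MQL with an NLU classifier, not this code.
AFP_BRAND = re.compile(r"\bAFP\b|australian federal police", re.IGNORECASE)
SUBJECT_TERMS = ("case", "investigation", "law enforcement",
                 "management", "notice", "reference")
BODY_CONCEPTS = ("investigation", "correspondence")  # keyword stand-in for NLU
CASE_REF = re.compile(r"\bcase\s+(?:reference|type)\b", re.I)  # assumed pattern

def afp_impersonation(msg: dict) -> bool:
    """Return True only when every criterion the rule requires is met."""
    if not msg.get("inbound", False):  # the rule targets inbound items only
        return False
    subject = msg.get("subject", "")
    # 1. AFP branding in the subject or the sender display name
    if not (AFP_BRAND.search(subject) or AFP_BRAND.search(msg.get("display_name", ""))):
        return False
    # 2. At least two of the law-enforcement terms in the subject
    if sum(term in subject.lower() for term in SUBJECT_TERMS) < 2:
        return False
    # 3. Body carries an investigation/correspondence concept ...
    body = msg.get("body", "")
    if not any(concept in body.lower() for concept in BODY_CONCEPTS):
        return False
    # ... and a case-reference phrase
    return CASE_REF.search(body) is not None

# Constructed sample messages, not real mail.
SAMPLES = {
    "afp_lure": {"inbound": True, "display_name": "Australian Federal Police",
                 "subject": "AFP Case Notice - Reference 4471",
                 "body": "Your case reference 4471 relates to an ongoing investigation."},
    "brand_only": {"inbound": True, "display_name": "AFP Recruitment",
                   "subject": "Careers at the AFP",
                   "body": "Thank you for your correspondence about vacancies."},
    "no_case_ref": {"inbound": True, "display_name": "AFP",
                    "subject": "Investigation notice",
                    "body": "This investigation requires your reply."},
    "outbound": {"inbound": False, "display_name": "Australian Federal Police",
                 "subject": "AFP case reference notice",
                 "body": "Case reference issued for the investigation."},
}

def evaluate(samples: dict) -> dict:  # sample name -> True when the rule would alert
    return {name: afp_impersonation(msg) for name, msg in samples.items()}

if __name__ == "__main__":
    for name, hit in evaluate(SAMPLES).items():
        print(f"{name}: {'ALERT' if hit else 'pass'}")
```

Only the sample that satisfies all four conditions alerts; brand-only mail, mail lacking a case-reference phrase, and outbound mail all pass, which is the false-positive boundary the rule's combined criteria are meant to enforce.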
Categories
  • Endpoint
Data Sources
  • Network Traffic
Created: 2026-06-05