Brand impersonation: Quickbooks

Sublime Rules

Summary
This rule detects brand impersonation in which attackers pose as Intuit's QuickBooks service to carry out phishing attacks. It focuses primarily on indicators in the sender's email display name and domain, particularly those that closely match or reference 'quickbooks'. The rule combines string matching and machine learning techniques to analyze the sender's information and the content of the message, looking for specific phrases and links associated with QuickBooks. It also includes filters that exclude known legitimate QuickBooks domains and recognize common phrases associated with QuickBooks invoices. It assesses the sender's reputation and checks the legitimacy of any links within the message to catch potential threats. The overall goal is to block messages that present a high risk of phishing while allowing legitimate communication to pass through.
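The string-matching part of the logic described above, as an added Python sketch that is not the rule's own source: it checks the display name and sender domain for exact or one-edit-away references to 'quickbooks', skips allowlisted senders, and notes links that leave the allowlist. The allowlist contents, the message dict layout, the edit-distance threshold and the sample messages are assumptions; the machine learning, invoice-phrase and sender-reputation checks are left out.

```python
import re
from urllib.parse import urlparse

BRAND = "quickbooks"
# Assumption: illustrative allowlist; the rule's actual exclusion list is not shown on the page.
LEGIT_DOMAINS = {"intuit.com", "quickbooks.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_legit(domain):
    """True for an allowlisted domain or any subdomain of one."""
    domain = (domain or "").lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)

def references_brand(text):
    """True if text contains the brand (ignoring separators) or a token one edit away."""
    text = text.lower()
    if BRAND in re.sub(r"[^a-z0-9]", "", text):  # "Quick Books", "quick-books"
        return True
    return any(edit_distance(t, BRAND) <= 1 for t in re.findall(r"[a-z0-9]+", text))

def evaluate(msg):
    """Return (flag, reasons) for a message dict with display_name, from, links."""
    sender_domain = msg["from"].rsplit("@", 1)[-1]
    if is_legit(sender_domain):
        return False, ["sender domain is allowlisted"]
    reasons = []
    if references_brand(msg["display_name"]):
        reasons.append("display name references brand")
    if references_brand(sender_domain):
        reasons.append("sender domain references brand")
    if not reasons:
        return False, []
    if any(not is_legit(urlparse(u).hostname) for u in msg["links"]):
        reasons.append("link points outside allowlisted domains")
    return True, reasons

# Constructed sample message, not taken from real traffic.
SAMPLE = {"display_name": "QuickBo0ks Billing", "from": "acct@mail.example",
          "links": ["https://pay.mail.example/invoice"]}
```

Allowlisting on the From domain is only meaningful when the message has passed sender authentication (SPF, DKIM or DMARC), which this sketch assumes was checked upstream.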
Categories
  • Endpoint
  • Web
  • Identity Management
Data Sources
  • User Account
  • Web Credential
  • Application Log
  • Network Traffic
Created: 2023-11-04