
Brand impersonation: Stellar Development Foundation (SDF)

Sublime Rules

Summary
This detection rule identifies brand impersonation attacks targeting the Stellar Development Foundation (SDF). It fires on an inbound email whose sender display name contains the term 'stellar' but whose sender address does not belong to the official stellar.org domain. To limit false positives from legitimate partners and resellers, the rule also requires sender-history context: either the sender is unsolicited (the organization has never corresponded with them), or earlier messages from the same sender were flagged as malicious or spam and no false positives were reported. Combining the display-name check with the domain and sender-history conditions is intended to catch credential phishing aimed at users in the Stellar ecosystem, which is especially relevant to cryptocurrency users and organizations operating on the Stellar network.
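The logic described above, reimplemented in Python as an added illustration of how the conditions compose over sample messages. This is not the rule's own Sublime source, which this page does not show. The case-insensitive display-name match, the sender-profile field names, the registered-domain comparison (a two-label simplification that ignores public suffixes such as co.uk), and every sample message are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class SenderProfile:
    """Historical context about a sender, as the rule summary describes it.
    Field names are assumptions for this example, not the rule's own."""
    solicited: bool = False                      # has the org ever mailed this sender?
    any_messages_malicious_or_spam: bool = False  # prior bad verdicts on this sender
    any_false_positives: bool = False             # any of those verdicts contested?


@dataclass
class Message:
    inbound: bool
    display_name: str
    sender_email: str
    profile: SenderProfile = field(default_factory=SenderProfile)


BRAND_TERM = "stellar"
LEGIT_ROOT_DOMAIN = "stellar.org"


def root_domain(email: str) -> str:
    """Registered domain of an address (last two labels).

    Comparing the root domain rather than the full domain means a legitimate
    subdomain such as mail.stellar.org is not flagged, while a lookalike such
    as stellar.org.verify-wallet.net resolves to verify-wallet.net and is.
    The two-label rule is a simplification (assumption): it mishandles public
    suffixes like co.uk, where a public-suffix list would be needed.
    """
    domain = email.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def sender_history_is_suspect(profile: SenderProfile) -> bool:
    # Either the sender is unsolicited, or there are prior malicious/spam
    # verdicts on them that nobody has reported as a false positive.
    return (not profile.solicited) or (
        profile.any_messages_malicious_or_spam and not profile.any_false_positives
    )


def is_stellar_impersonation(msg: Message) -> bool:
    """True when the message satisfies every condition in the rule summary."""
    if not msg.inbound:
        return False
    # Substring match; lowercasing (case-insensitivity) is an assumption here.
    if BRAND_TERM not in msg.display_name.lower():
        return False
    if root_domain(msg.sender_email) == LEGIT_ROOT_DOMAIN:
        return False
    return sender_history_is_suspect(msg.profile)


# Constructed sample traffic for the example (not real messages).
SAMPLE_MESSAGES = [
    # Classic impersonation: brand in display name, unrelated unsolicited domain.
    Message(True, "Stellar Development Foundation", "security@stellar-support.co"),
    # Genuine mail from a stellar.org subdomain: never flagged.
    Message(True, "Stellar Support", "noreply@mail.stellar.org",
            SenderProfile(solicited=True)),
    # Lookalike that embeds stellar.org as a subdomain of another registration.
    Message(True, "Stellar Rewards", "airdrop@stellar.org.verify-wallet.net"),
    # Solicited sender, but prior spam verdicts with no false positive reported.
    Message(True, "STELLAR Foundation", "alerts@example.com",
            SenderProfile(solicited=True, any_messages_malicious_or_spam=True)),
    # Same history, but a false positive was reported: history no longer counts.
    Message(True, "Stellar Foundation", "hello@example.com",
            SenderProfile(solicited=True, any_messages_malicious_or_spam=True,
                          any_false_positives=True)),
    # Substring matching also catches unrelated words that contain 'stellar'.
    Message(True, "Interstellar Travel Ltd", "bookings@interstellar-travel.example"),
    # Outbound mail is out of scope regardless of display name.
    Message(False, "Stellar Dev Foundation", "cfo@stellar-support.co"),
]


def flagged_senders(messages=SAMPLE_MESSAGES) -> list[str]:
    return [m.sender_email for m in messages if is_stellar_impersonation(m)]


if __name__ == "__main__":
    for addr in flagged_senders():
        print("FLAGGED", addr)
```

The "Interstellar Travel Ltd" hit shows why a display-name substring rule is paired with the domain and sender-history conditions rather than used alone: the brand term alone is not evidence, and a word-boundary match or an allowlist of known partner domains is the usual tuning step when a deployment sees such hits.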
Categories
  • Web
  • Cloud
  • Application
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Application Log
  • Network Traffic
Created: 2022-01-21